Flash 0-day being distributed by Angler Exploit Kit
Posted by ngriffin on 22 January 2015 10:11 AM

Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in-the-wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest 16.0.0.287 version of Flash Player and has been seen dropping a trojan downloader called Bedep.


Websense customers were already protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:


  • Stage 3 (Redirect) – ACE has detection for the redirect to the exploit kit landing page.
  • Stage 4 (Exploit Kit) – ACE has detection for the exploit kit landing pages, as well as the Flash Player exploit itself.
  • Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the Bedep trojan downloader.


[UPDATE] 23 January 2015

Adobe released an update to Flash Player on 22 January 2015 although it does not patch the issue discussed in this blog.

In a further announcement, Adobe stated that it expects to patch CVE-2015-0311 (the vulnerability discussed in this post and in Adobe's own advisory) on 26 January 2015.


Vulnerability


The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files is in place. Adobe have been made aware of this issue and are currently investigating. At the present time, it is not possible to disclose further details of this threat.


Exposure


Currently, it is known that Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, exploit kits are increasingly dropping Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. Utilizing vulnerabilities in these widely installed applications gives attackers a large population of vulnerable clients. Because an exploit-kit infection proceeds through several distinct stages, Websense technology is able to target the threat at multiple stages and keep protection in place independent of the exploits used.


Mitigation


At the present time, Adobe have yet to release a patch for Adobe Flash Player. One interim mitigation is to disable Flash Player in your browser (or restrict it to click-to-play) until a patch becomes available.


Websense Security Labs will continue to investigate this issue as more information becomes available.


Fiesta Exploits Kit Targeting High Alexa-Ranked Site
Posted by Sindyan on 25 March 2014 09:37 PM

Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, have identified a new malicious attack targeting hxxp://www.mapsofworld.com/, a high Alexa-ranked site in the top 10,000 most visited sites. The site has been compromised and injected with malicious code.


The infection uses an iframe redirection method that sends users to suspicious Dynamic DNS URLs hosted on different providers.


The iframe redirects users to a malicious website hosting the Fiesta exploit kit. During the first few hours of the attack, we have noticed several different URLs being used by the attackers.


Once the user visits the site, a popup window appears asking the user to click for more information from "Java support", a social-engineering lure.


The iframe leads the user to a redirection loop on the same Dynamic DNS subdomain and eventually ends up with the exploit kit automatically installing a malicious file onto the computer without the user's knowledge.
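The iframe check described above, as an added example that is not part of the original post or of Websense's own tooling: a small Python scanner that lists every iframe in a fetched copy of a page and flags those whose target sits on a Dynamic DNS provider or that are sized or styled to be invisible. The dynamic DNS suffix list and the sample page (including its hopto.org subdomain) are assumptions constructed for the example; the post does not name the providers or URLs used in this attack.

```python
"""Flag injected iframes that point at dynamic-DNS hosts or are hidden.

Added example, not Websense code. It performs the check a responder would run
over a fetched copy of a page: collect every <iframe>, then flag those whose
target host is on a dynamic-DNS provider (assumed, illustrative suffix list;
the post does not name the providers seen) or that are sized/styled to be
invisible. The sample HTML at the bottom is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative dynamic-DNS suffixes (assumption; extend from your own intel).
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net", "dyndns.org",
                   "hopto.org", "zapto.org")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_dyndns(host):
    """True if host is a dynamic-DNS provider name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def _px(value, default):
    """Parse a width/height attribute such as '1' or '1px'; fall back to default."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else default


def is_hidden(attrs):
    """One-pixel frames or CSS hiding are typical of injected redirect iframes."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _px(attrs.get("width"), 100) <= 1 or _px(attrs.get("height"), 100) <= 1


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that deserve a second look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != page_host.lower() and is_dyndns(host):
            reasons.append("dynamic-dns host")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed, one injected hidden redirect.
SAMPLE_HTML = """<html><body>
<h1>Maps</h1>
<iframe src="https://www.example-maps.test/embed/legend" width="600" height="400"></iframe>
<iframe src="http://sample-redirect.hopto.org/?id=3" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "www.example-maps.test"):
        print(src, "->", ", ".join(why))
```

Iframes written by obfuscated JavaScript (for example via document.write) do not appear in the static HTML, so run this against a rendered DOM rather than a raw fetch when in doubt, and because the injection on the affected site fluctuated, fetch the page repeatedly rather than trusting a single clean result.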


This injection was hard to spot as the injected code seems to fluctuate. One minute it’s there; the next minute, it’s not. This is where Websense Advanced Classification Engine (ACE) plays a great role in blocking the threat in real time as the threat appears. Unlike other solutions using static defenses that mirror what you have, ACE in the Cloud provides unique real-time defense assessments for security, data, and content analysis. Webpage content, active scripts, exploit code, obfuscated commands, and web redirects are analyzed in real time along with malicious files, PDFs, and executables. ACE combines seven security defense assessment areas that work together in a predictive composite scoring defense against advanced threats and targeted attacks as they emerge.


Websense Security Labs has observed a number of other high Alexa-ranked sites being targeted in the past few days:

  • hxxp://www.mapsofindia.com/
  • hxxp://www.ffonts.net/
  • hxxp://submityoursite.com/
  • hxxp://mappery.com/
  • hxxp://www.siteinspector.com/
  • hxxp://dgreetings.com/
  • hxxp://charge.com/

Top countries affected are the U.S., India, and the United Kingdom.


Websense customers are protected from these and other threats by the Websense Advanced Classification Engine.

