Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated “Critical” this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated “Important” and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.
Malware is constantly evolving and changing. One way to identify malware is by analyzing the communication that the malware performs on the network. Using machine learning, these traffic patterns can be utilized to identify malicious software. Machine learning faces two obstacles: obtaining a sufficient training set of malicious and normal traffic and retraining the system as malware evolves. This post will analyze an approach that overcomes these obstacles by developing a detector that utilizes domains (easily obtained from domain black lists, security reports, and sandboxing analysis) to train the system which can then be used to analyze more detailed proxy logs using statistical and machine learning techniques.
The network traffic analysis relies on extracting communication patterns from HTTP proxy logs (flows) that are distinctive for malware. Behavioral techniques compute features from the proxy log fields and build a detector that generalizes to the particular malware family exhibiting the targeted behavior.
The statistical features calculated from flows of malware samples are used to train a classifier of malicious traffic. This way, the classifier generalizes the information present in the flows and features and learns to recognize a malware behavior. We use features describing URL structures (such as URL length, decomposition, or character distribution), number of bytes transferred from server to client and vice versa, user agent, HTTP status, MIME type, port, etc. In our experimental evaluation, we used 305 features in total for each flow.
Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments. This notable characteristic made this attack worthy of further analysis.
Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that’s similar to normal administration activity. RATs allow adversaries to fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information. The use of AutoIT is potentially an extremely effective method of evading detection by traditional anti-virus technologies and remaining hidden on the system if it is used by the target to manage systems. The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention.
Another characteristic of this attack that was notable is how adversaries went to great lengths to spoof a phishing message that would appear credible to the user. In this attack, an actual business was impersonated, using the logo and physical address of the business, in order to appear legitimate. The bait in this case is a Microsoft Word document containing a macro that downloads and executes a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.
MS15-093 address a memory corruption vulnerability in Internet Explorer versions 7, 8, 9, 10, and 11. This affects all currently supported versions of Windows, including Windows 10.
This advisory is rated critical. An attacker can craft a web page designed to exploit this vulnerability and lure a user into visiting it. The compromise will result in remote code execution at the permission level of the affected user. The use of proper user access controls can limit the severity of the compromise.
As with most out of band releases, it has been reported that this attack is being exploited in the wild. Users should patch immediately.
A Global Cybergovernance Framework: The Real Infrastructure Needed to Support a More Secure Internet
As part of a broader “Cybersecurity Call to Action” outlined in the Cisco 2015 Midyear Security Report, Cisco has called for the development of a cohesive, multi-stakeholder, global cybergovernance framework. Investing in the development of such a framework is essential to supporting innovation and economic growth in business on the global stage.
While there has been an increasing awareness that managing cyber risks is essential to the operation of any networked system, current mechanisms are not effective to protect businesses from cyberattacks. The lack of effective global cybergovernance can prevent collaboration in the security industry, which is needed to create adaptive technologies that can detect and prevent new threats.
Without question, the Internet is only becoming more essential to organizations around the globe. They rely on it not only for everyday operations, but also for supporting new business models that provide them competitive advantage and benefit consumers. Adversaries, meanwhile, are deploying tactics that can undermine the success of any business operating in the digital economy. The Cisco 2015 Midyear Security Report makes clear that threat actors are only becoming more adept at innovating rapidly and enhancing their capacity to compromise systems and evade detection. Read More »