Talos has continued to observe ongoing attacks leveraging the use of JBoss exploits. Through our research efforts, we have identified an additional 600 or so compromised hosts which contain webshells due to adversaries compromising unpatched JBoss environments. In response to this, Talos has been working to notify victims of these compromised hosts so that appropriate remediation may take place.This blog post outlines the notification process and provides additional indicators which you can use to review your own JBoss environments, such as a list of the 500 most common webshells we have observed in the wild.
Why Did I Get Notified?
After identifying the IP address of the hosts with one or more webshells, we extracted the contact email addresses provided in the WHOIS record of the organizations identified as the owner. The notification email contains a link which you can use to view this information. We are sending notifications via email to all listed email addresses as we have found many organizations where the designated abuse contact email listed is no longer valid. By emailing all available contacts we maximize the chances of successful notification.
7-Zip is an open-source file archiving application which features optional AES-256 encryption, support for large files, and the ability to use “any compression, conversion or encryption method”. Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products.
This post is authored by Holger Unterbrink.
Patch Tuesday for May 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 16 bulletins addressing 33 vulnerabilities. Fourteen bulletins are rated critical, addressing vulnerabilities in Edge, Internet Explorer, Office, Graphic Components, VBScript, Windows Shell, and Adobe Flash Player. The remaining bulletins are rated important and address vulnerabilities in Internet Explorer, Office, Windows Kernel, Exchange, IIS, Media Center, Hyper-V, .NET, and several other Windows components.
Bulletins Rated Critical
Vulnerabilities in Microsoft bulletins MS16-051 through MS16-057 and MS16-064 are rated as critical in this month’s release.
MS16-051 and MS16-052 are this month’s Internet Explorer and Edge security bulletins respectively. One vulnerability is shared between IE and Edge, meaning that both Edge and IE are affected. The IE security bulletin addresses three memory corruption vulnerabilities marked as critical, one information disclosure vulnerability and one security feature bypass marked as important. The Edge one has four memory corruption vulnerabilities all marked as critical. For both Edge and IE, some vulnerabilities are potential remote code execution vulnerabilities. For Internet Explorer these critical vulnerabilities are: CVE-2016-0187, CVE-2016-0189 and CVE-2016-0192. For Microsoft Edge: CVE-2016-0186 , CVE-2016-0191 to 0193. IE CVEs flagged as important are CVE-2016-0188 and CVE-2016-0194.
Exploit kits have been a recurring threat that we’ve discussed here on this blog as a method of driving users to maliciousness. Users typically encounter exploit kit landing pages through compromised websites and malvertising. However, we’ve found a new email twist to the standard procedures associated with getting users into the exploit kit infection chain.
Usually when we see compromised websites serving exploit kit gates there are malicious iframes dropped on single pages or throughout the entire site. These iframes can either be links to an exploit kit landing page directly or to a gate. Using a gate allows the adversary to change the location of the landing page without having to change the compromised wordpress site. In the spam campaign that we detected and blocked, adversaries were instead linking users to “hidden” web pages (pages located within the site’s directory structure) on these sites instead of linking users to pages containing an iframe.
The threat landscape is ever changing and adversaries are always working to find more efficient ways to compromise users. One of the many ways that users are driven to malicious content is through malicious advertisements known as malvertising. Talos has been monitoring several large-scale malvertising campaigns, how the initial exploit occur, and the payloads that are downloaded as a result.
In a normal ad campaign, ad agencies buy ad space on publications and other trafficked websites, and the ad agency then tries to get those ads served to users that fit some criteria in the hopes that users click on the ads, which take the user to (for example) a product page. The aggregate of serving ads for a particular product is referred to as a ‘campaign.’ A malvertising campaign is similar. Ad space is purchased from an agency, users satisfying particular criteria are targeted. It may be that the content of the mal-ad itself can infect a user’s computer, or it may be that a user who clicks on the enticing mal-ad is taken somewhere which then infects the user’s computer. The initial infection will often download another payload.
We are pleased to announce the availability of the cryptolocker 4 white paper. Over the past year, Talos has devoted a significant amount of time to better understanding how ransomware operates, its relation to other malware, and its economic impact. This research has proven valuable for Talos and led the development of better detection methods within the products we support along with the disruption of adversarial operations. CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and Cryptowall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4. In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior, deltas from previous versions and share our research and findings with the community. The white paper is located here.