Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


(August 2012) Posts

Oracle releases Java 1.7.0_07 to fix CVE-2012-4681

Posted: 30 Aug 2012 07:26 PM | Patrik Runald | no comments


Oracle did what all of us were hoping they would do: release an out-of-band patch for the latest Java zero-day vulnerability. The new versions of Java, 1.7.0_07 and 1.6.0_35, both fix the vulnerabilities described in CVE-2012-4681 that we've blogged about here and here. We have tried the patch and...


New Java 0-day added to Blackhole Exploit Kit

Posted: 29 Aug 2012 12:44 AM | Patrik Runald | 2 comment(s)


Earlier today we blogged about a new Java zero-day vulnerability (CVE-2012-4681) being used in a small number of attacks. That's about to change, as exploit code for the Java vulnerability has been added to the most prevalent exploit kit out there: Blackhole. Here's a snippet of the updated...


Malicious Email Messages Posing as Antivirus Notifications

Posted: 28 Aug 2012 03:36 PM | Ran Mosessco | no comments


Websense® ThreatSeeker® Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation...


New Java 0-day used in small number of attacks

Posted: 27 Aug 2012 10:57 PM | Patrik Runald | 1 comment(s)


Over the weekend, information started appearing that a new Java zero-day vulnerability (CVE-2012-4681) was being used in a small number of attacks. We have analyzed samples from the attack and can confirm that Websense customers using products that have our Advanced Classification Engine (ACE...


Benefits of your Blackberry ID in this attached malware

Posted: 22 Aug 2012 10:39 PM | Anonymous | no comments


Websense® ThreatSeeker® Network intercepted a malware campaign targeting Blackberry customers. These fake emails state that the recipient has successfully created a Blackberry ID. The messages then continue, "To enjoy the full benefits of your BlackBerry ID, please follow the instructions...


Shamoon/DistTrack affecting energy sector

Posted: 16 Aug 2012 09:42 PM | Patrik Runald | no comments


Today news broke that at least one organization in the energy sector was hit by malware named Shamoon or DistTrack. We’ve been looking at the related malware samples and can confirm that Websense products that have our Advanced Classification Engine (ACE) have had proactive detection in place since...


London Olympics Search Results Lead to Objectionable Sites

Posted: 10 Aug 2012 05:58 PM | Elisabeth Olsen | no comments


We’ve previously blogged about Olympic ticket scams, phishing, malware designed to propagate through social networking, and other Olympic security concerns. We also know that hackers take advantage of people searching for breaking news and trending topics about the Olympics through various SEO...


Nepalese government websites compromised to serve Zegost RAT

Posted: 08 Aug 2012 10:36 AM | Anonymous | no comments



The Websense® ThreatSeeker® Network has detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister (nitc.gov.np and opmcm.gov.np respectively), have been compromised and injected with malicious code that attempts to exploit the Java vulnerability CVE-2012-0507. The aim of the injection is to install a backdoor, dubbed "Zegost", on the systems of visitors to these websites once the Java exploit succeeds.


This vulnerability (CVE-2012-0507) was also used in the Amnesty International UK website compromise and in the INSS website compromise that we reported a few months back. It's interesting to note that all of those compromises used injected code taken from the Metasploit framework, served in clear form and not obfuscated. Although the use of Metasploit code doesn't necessarily indicate a link between the compromises, we found a further common characteristic between the Amnesty UK and Nepalese government website compromises when we analyzed the backdoors' C&C points: they connected to the same domain in China.


...


Fake AT&T Email Installs Malware

Posted: 02 Aug 2012 10:34 AM | Tamas Rudnai | 2 comment(s)



The Websense® ThreatSeeker® Network detected a massive phishing campaign targeting AT&T customers. More than 200,000 fake emails are masquerading as billing information from the giant American communication services provider. Each message claims that there is a bill of a few hundred US dollars.


...
