A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer version 8.  The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites, such as the recently compromised Department of Labor website, which was subsequently used in a water hole attack. Malicious payloads delivered from this compromise were confirmed by Microsoft to exploit the new vulnerability, designated CVE-2013-1347.

The vulnerability itself lies in the way that Internet Explorer accesses an object that has been deleted or not properly allocated. This vulnerability has now been listed by Metasploit, which means it is available publicly, and we anticipate that we'll soon see this Internet Explorer vulnerability used in broader attacks.

More information about the vulnerability can be found in Microsoft Advisory 2847140.

How Does Websense Protect You?

Websense customers are protected with ACE™, our Advanced Classification Engine.

ACE is able to protect from all known samples (at a URL level and with real-time analytics).  We have also examined the sample code from Metasploit and added protection for that and any subsequent variations.

If we correlate this attack to the 7 Stages of Advanced Threats (as explained in our whitepaper), we currently have protection for:

• Stage 2 (Lure) - the website involved in the water hole attack
• Stage 3 (Redirect) - the websites that take the user to the delivery of the exploit code
• Stage 4 (Exploit Kit) - we have real-time detection of the exploit code
• Stage 6 (Call Home) - we offer protection from the websites used as a Command & Control
• Should the malware author's attack be sucessful, our customer's would be protected from Stage 7 (Data Theft) through the use of our data loss prevention tools.

As a member of the Microsoft Active Protection Program (MAPP), we are also working with Microsoft to monitor this situation.

[Update]

Thursday, May 9, 2013:

Microsoft have released a  "Fix it" solution for CVE-2013-1347), however keep in mind that a Fix it solution isn't going to be as strong as a full patch solution.

This blog describes briefly what WebShells are, and how attackers can use WebShells to gain powerful shell level/system level access to a server. WebShells have been used in attacks for quite a long time now, but with changes in attack trends, cyber criminals are getting more sophisticated with deployment techniques and methods to circumvent detection. With the help of our Websense® ThreatSeeker® Intelligence Cloud, we came across a few examples in which attackers have used different techniques.  These are elaborated on further in this blog.

Many mass compromises are accomplished in an automated fashion: vulnerabilities are enumerated, and after one is found, exploits are automatically deployed. The takeover process usually involves downloading a remote administration tool for the compromised website. One common tool deployed by attackers once they compromise a website is a WebShell.

The above diagram shows an attack where the attacker finds a vulnerability in a hosted web application and manages to upload a malicious application backdoor in one of the server supported languages.  This gives him control over the entire web server. 

What is a WebShell?

A WebShell is a script/code (written in scripting languages such as PHP, Perl, or Python) that runs on the system and can remotely administer a machine. Although WebShells are used as a Remote Administration Tool for many legitimate reasons, they can still be abused by malware authors to compromise websites.  Once the attacker gets a web server to execute the script, he gains shell-level access to the host operating system running with the same privileges as the web server. To avoid detection by firewalls or antivirus technologies, the attacker usually employs evasion techniques such as code obfuscation and encryption. To thwart this aspect of the WebShell's propagation, a full content inspection approach can reveal, and intercept, a wide variety of common obfuscation techniques and even decrypt the script to expose its real intent. Let's look at an example.

In the following example, we see a custom WebShell called "oRb". The actual WebShell body is obfuscated to avoid detection, using a preg_replace function with the "e" modifier.  Hex encoding has been used to conceal eval(gzinflate(base64_decode( . 

The URL that serves the WebShell further tries to confuse or mislead security tools by declaring in the header that the content type is an image file, as you can see below:

With its real-time scanning capability, Websense ACE™ (our Advanced Classification Engine) detects the obfuscation methods and techniques discussed above.

Let's now look at a second example to see the type of functionality that WebShells encompass. In this case we see a non-obfuscated version of "RC Shell v2.0",  which is similar to our previous example in that it also tries to hide as an image:

A working WebShell

Once the WebShell script is run, it provides a web interface for remote operations on the server, including, but not limited to:

• Server Information
• File manager (access to file system)
• Access to execute commands
• SQL manager
• PHP code execution
• Bruteforce FTP, MySQL, PgSQL
• Search files, search text in files
• Malicious content upload
• Mass code injection 

This animated image shows how it would look when run (click the image to open; the animation loops):

Websense ThreatSeeker Intelligence Cloud processes approximately up to 5 billion web requests per day, and out of those requests, just yesterday we found 1400 unique examples of threats using WebShells in different countries. Here is an example of how one obfuscated WebShell is spread around the globe.

How does Websense protect against WebShells?

The animated graphic above shows how powerful the access can be for an attacker.

ACE will block access to this malicious WebShell script/page if your end users locate such a script.  In addition to preventing access to the malicious WebShell script/page, we monitor outbound content to prevent sensitive data from leaving an organization via shell commands even if the abused channel is SSL-encrypted - which is a common advanced malware technique.  With the help of web telemetry we can generalize to the tune of 85,000,000+ compromised websites and thus learn from them, including what we have discussed here about WebShells.  Have a read of our Threat Report to find out more.

While the world recoils in shock at the horrifying events at Monday's Boston Marathon, cybercriminals are actively seeking to exploit people's thirst for information and eagerness to help those affected by the attacks.

The Websense ThreatSeeker® Network is currently detecting and blocking multiple email-borne campaigns that attempt to lure unsuspecting recipients to malicious websites in order to exploit their machines for criminal gains.

Let's follow this campaign through the 7 Stages of Advanced Threats (as explained in our whitepaper) to see how cyber-criminals attempt to dupe and compromise users and their machines. We'll also show that breaking any one link in the chain can protect potential victims.

Stage 1: Reconnaissance

This campaign, like many other topical or event-based campaigns, attempts to propagate as widely as possible, rather than being directed at specific individuals or organizations. Given this, those behind the nefarious campaign simply have to identify a news story with global appeal (in this case, Monday's events), and then propagate their lure to as many people as possible.

Stage 2: Lure

Preying on human curiosity, in particular after a significant event, the lure is designed to get as many victims onto the hook as possible. In the email campaigns being monitored by Websense® Security Labs™, the email subjects have been designed to suggest that the message contains information or news regarding the events:

• 2 Explosions at Boston Marathon
• Aftermath to explosion at Boston Marathon
• Boston Explosion Caught on Video
• BREAKING - Boston Marathon Explosion
• Explosion at the Boston Marathon
• Explosions at Boston Marathon
• Explosions at the Boston Marathon
• Runner captures. Marathon Explosion
• Video of Explosion at the Boston Marathon

The message body itself, in most cases, contains a single URL in the format http://<IP Address>/news.html or http://<IP Address>/boston.html with no further detail or information. At this point, the recipient is lured to click on the malicious link, which ushers them on to stage 3.

Stage 3: Redirect

Having clicked the link, the unwitting victim is presented with a page containing YouTube videos of the horrific events (intentionally obscured below) while an iframe redirects them to an exploit page.

Stage 4 - Exploit Kit

Based on an analysis of a sample set of the malicious URLs seen in this campaign so far, the RedKit Exploit Kit has been used to, in our case, exploit an Oracle Java 7 Security Manager Bypass vulnerability (CVE-2013-0422) in order to deliver a file onto our analysis machine.

Stage 5 - Dropper File

Rather than using a dropper file, which contains the malicious code within itself and often packed to prevent detection by antivirus signatures, this campaign uses a downloader belonging to the Win32/Waledac family which is used to download further malicious binaries. In this case, two bots named Win32/Kelihos and Troj/Zbot are downloaded and installed on the compromised machine in order to join it to the cyber-criminals' bot network.

Stage 6 - Call Home / Stage 7 - Data Theft

Once the compromised machine is under the control of the cyber-criminal, the bots call home, which allows remote commands to be issued and for data to be sent and received. Common abuses of a compromised machine include data collection and exfiltration, such as the theft of financial and personal information. Other abuses include the sending of unsolicited email or the unwilling participation in Distributed Denial of Service attacks.

Websense customers are protected by ACE™, our Advanced Classification Engine, against cyber threats of this nature.  In addition to blocking lures at stage 2 before they reach end-users, access to malicious destinations throughout stages 3 through 6 are denied which, combined with data loss controls to protect against stage 7, help to ensure that your data stays where it belongs and not in the hands of an attacker.

Our thoughts are with the victims and their families at this time. While these cyber abuses are minor by comparison, users can help protect themselves by sourcing the news directly from reputable news agencies. Should you want to donate (be that blood to local hospitals or money to assisting organizations), be sure to visit official websites rather than following links that appear in your mailbox.

Thursday, April 18, 2013:

The campaign quickly evolved to match the latest news from the Texas fertilizer plant explosion.

The emails are similar, but use texas.html instead of boston.html path.

Subjects lines include:

• Texas Plant Explosion
• Raw: Texas Explosion Injures Dozens
• Texas Explosion Injures Dozens
• CAUGHT ON CAMERA: Fertilizer Plant Explosion
• Waco Explosion HD
• Video footage of Texas explosion
• Plant Explosion Near Waco, Texas
• West Tx Explosion

The lure pages have updated titles, but the rest is similar:

Websense Security Labs will continue to monitor this campaign.

The Websense® ThreatSeeker® Network has detected that a DNS poisoning attack is happening in Kenya, with local big name websites in information technology targeted including Google, Bing, and LinkedIn. Although DNS records point to a page on behalf of the attackers that lets the browsing user know about the hack, it could easily be replaced with a malicious page at will.

Below is the snapshot in Websense ThreatSeeker Network.

This is another attack issued by the so called Bangladeshi Hacker Group, the hacker group that has defaced 700,000 websites in the past and recently targeted prominent sites in Malawi (February 2013). In the Kenya campaign, from zone-h.com (a website tracking defaced websites), we could cross reference and confirm that the following well-known websites have been affected.

Websense customers are protected by our Advanced Classification Engine with real-time detection intelligence.

As the world remembers former British Prime Minister Margaret Thatcher, cyber attackers are participating too, but in their own tricky ways. Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected that attackers are sending malicious email spam with a topic referencing the death of Mrs. Thatcher. Actually, it is not new for an attacker to use a hot topic (like the death of Hugo Chavez) to spread malware. In this case, the lure email is very simple, with just a few words related to Mrs. Thatcher, but it pretends to be from your friends by using the "Re: Fwd:" notation. Internet-savvy customers will know that it looks suspicious and should not be tempted to click the link in the email.

When recipients click the malicious link, they are taken to a redirection page first, and then redirected to a Blackhole Exploit Kit landing page. The landing page detects the browser and plugin information in the client, and then serves the vulnerability file based on the plugin information. The final payload is a Cridex trojan, as seen in our ThreatScope™ report and in the VirusTotal report here.  Cridex is known in breaking CAPTCHA codes and you can see this trojan in action on our previous blog here.

Server-side polymorphic technology has been applied to evade traditional AV detection. 

It is not the first time we have seen the Blackhole malicious email campaign. It has evolved over time in combination with hot topics like the current crisis in Korea or major companies filing for bankruptcy. Please be careful about any email that contains 1 of  the following subjects:

Fwd: Dollar Bank bankruptcy

Re: Shedding light on 'dark matter'

Re: Why Washington is corrupt

Re: Kissinger: Thatcher's strong beliefs

Re: Tax havens busted

Fwd: Re: First Citizens Bank bankruptcy

Fwd: Re: Living large in Don Draper's New York

Fwd: Re: Kissinger: Thatcher's strong beliefs

Re: Fwd: California Bank & Trust bankruptcy

Fwd: Re: Bank of America bankruptcy

Fwd: Allowing knives on planes is 'insane'

Fwd: Re: War with N. Korea

Fwd: Air Canada goes 'Gangnam style'

Fwd: Re: NASA plans to catch an asteroid

Re: Fwd: Dollar Bank bankruptcy

Fwd: Why Washington is corrupt

Fwd: Blast kills 29 on bus in New-York

Fwd: Shedding light on 'dark matter'

Fwd: Re: Marikana massacre aftermath

Re: Fwd: Kissinger: Thatcher's strong beliefs

Fwd: Re: PNC Bank bankruptcy

Re: Fwd: Bank Of The West bankruptcy

Re: Fwd: M&I Bank bankruptcy

Re: Bank Of The West bankruptcy

Fwd: Bank Of The West bankruptcy

Re: Fwd: PNC Bank bankruptcy

Re: Bank of America bankruptcy

Re: Fwd: War with N. Korea

Re: California Bank & Trust bankruptcy

Re: Blast kills 29 on bus in New-York

Re: Fwd: Blast kills 29 on bus in New-York

Re: Sending out SOS for 'America's flagship'

Re: Fwd: Marikana massacre aftermath

Re: Living large in Don Draper's New York

Re: War with N. Korea

Fwd: Re: Death penalty 'harms Bali's reputation'

Re: Fwd: Death penalty 'harms Bali's reputation'

Re: PNC Bank bankruptcy

Re: NASA plans to catch an asteroid

Re: Northern Trust Bank bankruptcy

Fwd: Tax havens busted

Re: Fwd: Why Washington is corrupt

Re: Fwd: Tax havens busted

Fwd: M&I Bank bankruptcy

Re: Fwd: Fashion designer Lilly Pulitzer dies

Re: First Citizens Bank bankruptcy

Re: Fwd: Shedding light on 'dark matter'

Re: Fwd: Living large in Don Draper's New York

Re: Fwd: Northern Trust Bank bankruptcy

Fwd: Re: California Bank & Trust bankruptcy

Re: Air Canada goes 'Gangnam style'

Re: Fashion designer Lilly Pulitzer dies

Re: Dollar Bank bankruptcy

Fwd: Sending out SOS for 'America's flagship'

Websense technologies can protect customers in a multi-stage attack:

• Websense email security blocks the malicious email.
• Our Advanced Classification Engine (ACE™) detects the malicious content both in redirection and in the exploit page with real-time intelligence.
• Vunlerability files and the payload trojan are detected by Websense Gateway products.
• Websense technologies can identify malicious droppers both statically and behaviorally (via Websense ThreatScope).

Were you aware that Java is increasingly being viewed as a security risk? Of course you were — recent high-profile attacks have firmly established the trend, so we're not going to do yet another roundup here.

Instead, let's drill in and try to understand the core problem. With so many vulnerabilities, it's hard to keep browsers up to date with the latest patched versions — especially because Java is updated independently from the browser. How hard is it? We decided to check.

We recently added Java version detection to our Advanced Classification Engine (ACE™) and pumped it into the Websense ThreatSeeker® Network to get real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints. Here's what we found (you may need to click on the graph to see all the detail):

Figure 1: Global distribution of Java Runtime Environment versions based on active browser usage

As you can see, Java versions are all over the map. At the time of this writing, the latest Java Runtime Environment is 1.7.17, but only about five percent of the overall mix are using it. Most versions are months and even years out of date. How does this translate into the attack space?  

Exploit kits are a very common tool for distribution of many Java-based threats. From the billions of daily web requests being classified through our network, here is the breakdown of the active browser requests that are exploitable and which exploit kits have incorporated attacks for them.

Java Vulnerability  Vulnerable Versions**  Vulnerable   Exploit Kits With Live Exploits

CVE-2013-1493            1.7.15, 1.6.41                  93.77%         Cool 

CVE-2013-0431            1.7.11, 1.6.38                  83.87%         Cool

CVE-2012-5076            1.7.07, 1.6.35                  74.06%         Cool, Gong Da, MiniDuke

CVE-2012-4681            1.7.06, 1.6.34                  71.54%         Blackhole 2.0, RedKit, CritXPack, Gong Da

CVE-2012-1723            1.7.04, 1.6.32                  67.72%         Blackhole 2.0, RedKit, CritXPack, Gong Da

CVE-2012-0507            1.7.02, 1.6.30                  59.51%         Cool, Blackhole 2.0, RedKit, CritXPack, Gong Da

** All prior JRE versions below those listed are also vulnerable

It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do — examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered.

How do you stop the onslaught if the patches aren't keeping up? Given the complexity and dynamism of exploit kits and their updates, exploit signatures do not suffice. Our protection model against new Java exploits is to use our analytics and real-time telemetry to proactively intercept new instances at every step of their attack strategy. Most prominently, ACE covers the exploit kit/exploit phase with a fine-grained knowledge of the expressible threats from all of the major kits, including not just the vulnerabilities, but also the obfuscation techniques, redirection techniques, and re-packaging of their dropper files. Here are just a few other ways we interrupt the malware kill chain to make it harder for the bad guys to drive right through this sizable hole in current IT infrastructure:

• Real-time intelligence to block lures, phishing, and other forms of social engineering coming across web, email, and mobile platforms
• Real-time inbound intelligence to identify known or suspicious malware destinations and compromised sites 
• Real-time outbound intelligence to identify command and control communication, bot networks, dynamic DNS requests, and fingerprinted data headed to the wrong people or places
• Identifying malicious droppers both statically and behaviorally (via Websense ThreatScope™) 

It's clearly not just the zero-day attacks that should be getting all of the attention.

We returned from CeBIT, one of the largest and most influential technology conferences in the world, last week.

The lead theme at this year's conference was that of "Shareconomy", finding benefit in exchanging ideas and information.  As a security lab, we embrace the idea of the Shareconomy and have a tremendous amount of threat intelligence to contribute. 

Websense Security Labs were an active participant in the show throughout the week.  In case you missed it here is how we got involved:

Speakers Corner

We delivered a presentation introducing results from a recent independent security test which highlighted security effectiveness across the kill chain.  You can download the test report from our website.  The "7 Stages of Advanced Threats" are explained here.  

SpeakUp Live

Our usual interactive discussion session format went on the road at CeBIT as we opened up the topic of securing mobile devices in the workplace.

Audience participation (via a remote voting system) drove the conversation into areas of:

• How do I secure my data on employee-owned smartphones?
• Do I feel protected from the risks brought about by Bring Your Own Device (BYOD)?
• What do I perceive to be the biggest risks in regards to BYOD?

The majority of attendees at our CeBIT discussion (65%) felt that they were not adequately protected from the many risks associated with BYOD.  Specifically, 46% of attendees were equally concerned about the risks from malicious mobile applications and lost devices, and the issue of securing their private data from data theft.

We look forward to seeing you and collaborating at future security conferences around the globe.

Websense® Security Labs™ and The Websense ThreatSeeker® Network have detected that the government-related websites ict.org.il and herzliyaconference.org have been involved in a "waterhole" attack and are injected with malicious code that serves as an exploit for Internet Explorer vulnerability CVE-2012-4969. The first website describes itself as the “International Institute for Counter-Terrorism”. Both websites seem to be connected and governed by a leading Israeli academic institution called the IDC. 

The malicious code found on the websites is identical and was identified as CVE-2012-4969 - an Internet Explorer vulnerability that was verified as a zero-day at the time and was found to be exploited in the wild on September 2012. It was found by Eric Romang from Zataz.

From our initial checks, the websites still serve the malicious code on specific paths, and have been serving the malicious code from as early as the 23rd of January 2013. At the time of this writing, the malicious code on ict.org.il appears to be fully functional, but the malicious code on herzliyaconference.org doesn't seem to be functional (the main page that initiates the exploit seems to have been removed; although subsequent pages are still available, on their own they won't serve a successful exploit).

The attack seems to be very similar to the spear-phishing attacks we reported on with the "Rotary Domains" (Part 1 & 2) that served CVE-2012-4792 - that's the same zero-day that was found on cfr.org. The attack on IDC uses a Flash file to conduct a "heap spray" attack. The Flash file appears to have the misspelled string "heapspary".  According to Symantec, this string may be evidence that the "Elderwoord" group is behind this attack, because there's a similarity to the cfr.org attack, which held the same string "heapspary" in a Flash file as well. We're not completely convinced by this theory; this may indeed suggest a connection to the "Elderwoord" project, but may instead suggest the use of the same toolkit by different perpetrators. 

One of the most interesting techniques employed by this attack, which we described in detail in our previous "Rotary Domains" posts, is that the dropped malware is actually embedded as a XORed list of bytes on the page and assigned to a Javascript variable with a marker at the start of the stream.  After exploitation is successful, then on the client side the shellcode initiates a thorough search for a certain marker in memory called "KKONG".  When this marker is found, then the stream is extracted and de-XORed to form the actual malware binary, which is then run. This is an interesting technique that is also good for Sandbox evasion and reminds us of the "Drive by cache" techniques also found to be popular with spear-phishing attacks in the last two years. The difference in this method is that it's sort of a "Drive by marked memory object".

Websense Security Labs™ has contacted the IDC to report the compromise; as of this writing we had not heard back yet from the IDC.

The Israeli website for the “International Institute for Counter-Terrorism” and its mission statement is shown here:

Technical details

As described, the attacks on both websites are identical. The exploit chain starting point is in an HTML file on a dedicated directory.  We're not certain if this specific path was sent in spear-phishing emails, or if the main page of each of the websites referred to this path. If you have any more details on this, please do let us know.

Here are the exploit chains for ict.org.il and herzliyaconference.org:

hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)

hxxp://www.ict.org.il/js/logo4969.swf -> Flash heap-spray + exploit.html loader

hxxp://www.ict.org.il/js/exploit.html -> Dropped file cache + Exploit Loader

hxxp://www.ict.org.il/js/Protect.html -> Exploit CVE-2012-4969

hxxp://www.herzliyaconference. org/_modules/80.html -> Flash file loader (AceInsight report)

hxxp://herzliyaconference .org/_modules/logo4969.swf -> Flash heap-spray + exploit.html loader

hxxp://herzliyaconference. org/_modules/exploit.html -> Dropped file cache + Exploit Loader

hxxp://herzliyaconference. org/_modules/Protect.html -> Exploit CVE-2012-4969

Let's have a look at the specific exploit chain on ict.org.il.   The file 1.html is used just as a loader for the malicious file logo4969.swf.  Besides the loading of the malicious file, there are no malicious indicators on the page, but just the HTML Flash container/loader:

The loaded Flash file initiates a heap-spray attack, but it also acts as the caller to the Exploit Loader page exploit.html - it loads it through some Actionscript commands embedded in the Flash file, to evaluate some Javascript code to be executed on the page and load exploit.html, as seen in the next picture snippet from the file: 

exploit.html holds some Javascript code and an especially long variable. This variable starts with a marker "KKONG" that is later searched for by the shellcode that resides inside the loaded Flash file on the client side. The file is obfuscated with a simple XOR 0xBF. The page also loads the actual exploit page by calling an iframe to Protect.html:

Protect.html holds the exploit code to CVE-2012-4969. The exploit code is obfuscated with a simple obfuscation technique: 

After the exploit is triggered by Protect.html, the code will jump to the sprayed shellcode on the heap.  In return, the shellcode will scan the memory for the marker mentioned earlier: "KKONG". After the marker is found, the shellcode strips the stream following the marker and gets it de-XORed with the value 0XBF to form a valid executable file.  That file is then written to the Windows local machine's temporary folder and executed to infect the machine with a persistent backdoor.

The executed file dw20.exe (MD5:d2354e9ce69985c1f55dbad2837099b8) acts as a dropper and has the same name as the file dropped with Rotary domains attack. The threat stays persistent on the system by dropping another file to the Windows directory called startup.dll (MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a) that registers as an auto-started service called WindowsUpdata. Check out this complete report from ThreatScope™. The backdoor service is actually installed under a registry key called "RAT", which is not very discreet, to say the least, and the backdoor connects to a C2 that is recognized by our service as suspicious hxxp://interfacet.oicp.net:88. It appears that oicp.net is a web host that is located in China. Custom hosts on the site have been found to be involved in targeted attacks in the past (1 2); however, the specific host actually points to an IP address of 65.19.141.203 located in Fremont, California, United States. Looking closer at this IP address, we could see that it hosts a lot of mayhem, as well as many other hosts that are associated that use host names on *.oicp.net that we have already classified in a security category:

One of the most interesting parts is that the IP address to which the C2 points is hosted on an IP address range that belong to Hurricane Electric, a US-based internet service provider that got some headlines lately for being the first Internet Backbone to Connect to 2,000 IPv6 Networks. An Interesting article from 'The Droid Tech Guy' illustrates how, although web traffic in China is very restrictive and censored, its architecture is actually one of the most advanced.  According to the article, one of its advances is that it employs a security feature known as Source Address Validation Architecture (SAVA). To quote from the article: "This feature puts security checkpoints throughout the system and then builds up a database very systematically. This database will contain trusted computers and their IP addresses. This system will then authenticate who is sending what. This way, the possibility of sending malicious data becomes a lot more difficult, nearly impossible, like many say." 

This is a good point that makes us ponder - could it be that threats that originate from China are actually safer, from the attacker's perspective, if hosted outside of China? That may well be the case. 

In summary, we had a look at high profile government related website that got compromised in a 'waterhole' attack and employed some interesting technique. It looks as if targeted attacks have now been surfacing regularly and more frequently, with more attacks that are now exposed almost on a weekly basis. Those kinds of rapid discoveries may cause the players behind state-sponsored attacks or other miscreant groups to increase their level of sophistication. However, we believe that the sophistication of such attacks directly depends on the protection level employed by the target. If defense levels are mediocre or "just enough," then attackers will probably do just that much to get past them. The tough questions one should ask one's self in today's threat landscape is "what am I doing to not be the next victim?" and, even more importantly, "what am I going to do when I do become one?".  We believe that post-infection mitigation plans should be given the same emphasis as prevention and putting adequate protection in place.

Websense Protection

Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine).  ACE protected against this threat in real-time and against the different stages of the attack progression, also known as the "kill chain". You can find in the next link more information about the 7 stages of advanced threats. Here is a recap how ACE protected against the different stages:

Lure stage: protection confirmed, the lure is the first stage of the attack and in this case it was those URLs that loaded a malicious flash file:

hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)

hxxp://www.herzliyaconference.org/_modules/80.html -> Flash file loader (AceInsight report)

Dropper stage: not applicable, the dropper is the stage where a file passes through the gateway and inspected in real-time, however, this is not applicable for this attack as the file was hidden and obfuscated in memory and reconstructed on the client side - this is a typical sandbox evasion technique. 

Calling home stage: protection confirmed, the calling home stage is the destination that the malware connects to after getting successfully installed on the victim's machine. In this attack the malware initiated connection to a destination that is already known to us hxxp://interfacet.oicp.net:88 (AceInsight report).

For participation in data analysis, special thanks to: Gianluca Giuliani

Following news of the death of Venezuelan President Hugo Chavez (as reported by the BBC) the Websense ThreatSeeker® Network has identified several malicious email campaigns that make reference to the President's death.  Malware authors are increasingly using breaking global news events as a means of propagating lures that lead to malware. 

Here is a screenshot typical of the emails we have seen in these campaigns:

We have tracked the following email subjects used in the campaign. As you can see, many of these lures try to increase a user's likelihood to click by adapting the current headlines with some fictional salacious content. 

• CIA murdered Venezuela's Hugo Chavez?
• CIA "DELETED" Venezuela's Hugo Chavez?
• CIA killed Venezuela's Hugo Chavez?

Upon opening the malicious email the recipient is presented with a link offering a video. Rather than displaying a video the website takes the user to page loaded with Better Business Bureau text references. 

Websense ACE proactively protected from day-0 (without update) in 2 ways: 1) Proactive detection of Blackhole Exploit Kit, for which this was an instance; 2) Proactive blocking of poor web reputation - the websites used in the campaign were already low enough to convict from day-0.  The payload websites that we have been tracking were registered little more than one week before the spam campaign was first seen.

Websense customers are protected by ACE, our Advanced Classification Engine. 

Lures and exploit kits are just one of many stages typical in an attack. Having protection from the early stages within the "7 Stages of an Attack" model reduces the risk of the success of an attack. If you break one link in the attack chain, you have mitigated your risk for this particular attack.

We've recently done a webinar on the "7 Stages of an Attack". Check out the archived discussion to learn how to disrupt the attack chain to prevent the download of malicious payloads and inhibit the successful execution of exploit scripts against vulnerability software. 

RSA USA 2013 wrapped up last week and it had all the usual hallmarks of a modern security conference: storm troopers, casinos, free giveaways every few minutes, hawkers with headsets (much like the county fair), models in superhero costumes, attendees vying to collect the most free goodies, and of course the indispensable straight-jacketed unicycle-riding pitchmen.  The buzzwords this year included "Big Data", "Mobile Security" and "Security Analytics", not that there was any clear consensus about what those terms exactly meant or whether the solutions being peddled bore any resemblance to them.  For those with experience attending past conferences, it was just par for the course.

Outside of the circus tent, the high-profile hacks of major companies and web properties figured prominently in most presentations.  This wasn't the usual FUD, either - even our conservative fellow researchers and technical presenters proclaimed that the bad guys had gained the upper hand, especially for the most sophisticated malware attacks from state-sponsored actors and financially-motivated cartels.  The technology put forth this year by the security industry in response was a little surprising, however.  Doubling down on the premise that "if the bad guys really want to get in, they will", the emerging technology trend implied that it's better to react quickly after you're compromised rather than be under silent attack for months or even years like so many of the 2012-2013 examples have indicated.   There were over 11 different vendors that had created a behavioral sandbox (much like our ThreatScope) to examine the behavior of malware already in the environment.  There were at least 7 vendors that had created workflow tools to allow practitioners to record and investigate security events after the breach.  A few security vendors were touting their new-and-improved capabilities at repair and remediation.  One even declared that we now live in a "post-protection world."  They all made for some fairly impressive demonstrations with all of those nifty post-breach attack details.

What was in short supply this year was an answer for why we were all there (in theory): "How do we stop the attacks?"  Where was the innovation around protection?   Protecting data from skilled attackers with newly crafted attacks designed to bypass existing security controls is indeed a hard enough task.  Now try adding in coverage for all the holes in emerging endpoints, mobility, and social web domains, and doing so inline, with low false positives and high performance.  Now try to figure out how to independently prove that all of this stuff works.  It's a mammoth undertaking, and the unanimous consensus was that existing measures are not getting the job done.  Why not focus on THAT problem?

There were exceptions to this trend.  In addition to our own Chris Astacio's standing-room-only talk on mass mobile attacks and Blackhole botnet dissection, Tomer Teller had some concrete insights into "Detecting the 1%" and Ed Skoutis presented CyberCity as a real-world model of how to pentest and ultimately protect infrastructure from physical attack.  There were other examples as well, but far too few.  

We've got to buck this trend and get back to basics - focus on stopping the attacks before they do harm or steal information.  True, we may never get it perfect, but we can certainly do a lot better.  It's all well and good to put lots of 20-20 hindsight and forensics around an attack, but we would all prefer the deafening silence of a prevented attack over a decidedly louder postmortem of a successful data breach in all its glorious new detail.