Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

View all posts > 

Ransomware - No Sign of Relief, Especially for Australians

Posted: 25 Feb 2015 07:50 AM | Carl Leonard | no comments

Websense® Security Labs™ researchers observed that ransomware was a plague in 2014 and this threat type shows no sign of relief in 2015. In this blog we profile the user experience for a Torrentlocker variant focusing on the Australian region. Ransomware is an umbrella name for a type of cybercrime in which the attackers restrict access to a computer until a ransom is paid to restore system access and function. Crypto Ransomware is a form of ransomware in which access to data is blocked by encrypting the data and withholding an encryption key until a ransom is paid to the cyber criminals. (Authors' note: We do not recommend that a ransom is paid to the cyber criminals). We have seen that Torrentlocker rotates through many themes/lures/targets and tends to be low volume and targeted. In the latter half of 2014 we observed fake Royal Mail lures (targeting UK end-users) and Australia Post lures, but then Torrentlocker moved on to Turkish-themed lures (Turk Telekom, TTNET) and then New South Wales Government lures, of which we see a repeat in our current case study. There have also been Czech Post lures, TESA Telecom (Brazilian-themed) lures, Italian lures and others too. The lure tend to be fake ‘eFax’ or ‘penalty’ download pages. The Websense ThreatSeeker Intelligence Cloud identified a campaign sent yesterday to Australian end users. This ransomware followed the 7 Stages of Advanced Threats model in a typical fashion. Australian-themed Ransomware Our case study, the Australian-themed ransomware, exhibits the typical process from lure to infection. Ransomware is most often distributed via email lures or compromised websites (specifically malvertising). Today's case study used an initial email lure with a topic of penalties induced by speed cameras. A typical subject is " Penalty id number - <random number> / Fixed by speed camera ". The lure email contains a URL (in this case a compromised wordpress host). The end user is sent through to a website that makes a call to action: In this case we see a Penalty Notice claiming to be from the New South Wales Office Of State Revenue. For the avoidance of doubt the OSR is a legitimate organization and their website is hosted at http://www.osr.nsw.gov.au/ . Social Engineering is needed to convince the end user to perform an action. Note the use of a legitimate-looking logo as well as a CAPTCHA entry form to add a degree of legitimacy on the fraudulent website, and to encourage a further click action. Hosts of the fraudalent website rotate, but include hxxp://nsw.gov.yourpenalty.com/ and hxxp://osr.nsw.mypenalty.org/ Similar variants on the theme will likely occur in the future. Once the end user has been duped into clicking through, they are presented with a warning notice: Decrypt instructions are provided via an HTML document installed on the user's machine. This points the user to yet another website where they are encouraged to perform a transaction...


Filed under: , ,

Pancake Day - Jamie Oliver site served recipes with a side of Malware

Posted: 18 Feb 2015 02:30 AM | Jose Barajas | 1 comment(s)

Websense® Security Labs™ researchers are aware of malicious activity recently present on the Jamie Oliver official website. Jamie Oliver is a UK-based celebrity chef with over 10 million visits per month, and is browsed to by users globally. As observed by Malwarebytes , his site (jamieoliver.com) has been compromised by a direct injection and known to have served malicious content. With an Alexa global ranking of 5280, and 519 in the UK, the site makes a prime target for malicious actors. This was especially true yesterday - Pancake Day - when foodies were seeking delicious recipes. This is an interesting compromise considering the use of a direct injection, as malicious actors have recently been favoring malicious advertisements for distribution. At this time, the Jamie Oliver website JavaScript file no longer hosts malicious code. Websense Labs has attempted to reach out to the Jamie Oliver team. This included communication channels listed in WHOIS data as well as via a social media mention on Twitter. While ultimately able to reach someone after some investigation, we were not immediately able to reach the web development team via WHOIS record information. [Update 18 Feb 2015] We have been able to contact Jamie Oliver's management company who confirmed they are aware of the threat and are currently performing their own investigations. Compromise Process Jamie Oliver Compromised Page The compromised page observed was hxxp://www.jamieoliver.com/recipes/. A quick Google search for Jamie Oliver reveals that it is the second returned result. This page hosts a call to a JS file which was either injected or modified by the malicious actors: Jamie Oliver hosted malicious JavaScript file The file disguised as a legitimate JS file, whether injected or modified, was observed hosting obfuscated redirection content. Researchers at Malwarebytes have analysed the content and found two layers of obfuscation which lead user to a second compromised site via an iFrame. Compromised WordPress site The second compromised site works as a location from which to pivot the user. It is of interest based on the fact that users not directed from the Jamie Oliver site, as well as those using VPN services, will not be served exploit content. The same goes for second time visitors. Exploit Content Delivery Once a user has met the checks in place, they are directed to exploit content such as the following example: hxxp://tgsquy.sisokuleraj[.]xyz/images/30913695361424116048.js. Target JS files are generated randomly and more than one hostname has been observed. Websense Labs has been following the use of this Top Level Domain (TLD) in malicious activity. Websense customers were protected at the time of compromise via our Reputation Category Set. Additional protection has now been added within ACE, our Advanced Classification Engine , at the different stages of the attack detailed below: Stage 3 (Redirect) – ACE has protection against the malicious redirection...


Angler Exploit Kit – Operating at the Cutting Edge

Posted: 05 Feb 2015 09:00 AM | AToro | no comments

As we promised in one of our previous blog posts about exploit kits ( Nuclear EK ), we are going to take a more in-depth look at Angler Exploit Kit. Angler EK is possibly the most sophisticated exploit kit currently used by cyberciminals. It has pioneered solutions that other exploit kits started using later, such as antivirus detection and encrypted dropper files. In addition, Angler tends to be the quickest to integrate the latest zero days, such as the Adobe Flash zero day ( CVE-2015-0311 ) from a few weeks ago, and it employs a notably unique obfuscation. Finally, Angler runs the dropped malware from memory, without ever having to write to the hard drive; this unique technique among exploit kits makes it extremely difficult for traditional antivirus technologies to detect it as they rely on scanning the file system. While Angler is the most advanced exploit kit in today's threat landscape, Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages: Stage 2 (Lure) - ACE has detection for the compromised websites. Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page. Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack. Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack Obfuscation Angler's landing page consists of four basic parts. Firstly, there is some visible English text, which is used to make the victim of the exploit kit believe they have browsed to a legitimate page. Secondly, it has various deobfuscation routines to deobfuscate the actual malicious scripts. These scripts are located within p class tags and they are encoded as base64. Decoding the base64 strings reveals the actual obfuscated exploit kit code. And finally, the landing page contains several encrypted strings, which contain various URLs leading to the various exploits (Flash, Silverlight, Internet Explorer) included in the kit. Samples from Angler landing page Deobfuscated Exploit Code Once the landing page is deobfuscated, the true nature of the code is revealed. Angler, just like Nuclear and various other exploit kits, uses a very basic second layer obfuscation to make detection by security products even more difficult. It also uses antivirus detection in addition to detecting various virtualization solutions (VMWare, VirtualBox, Parallels) as well as a web debugging proxy called Fiddler, which is widely used by security researchers. Implementing these measures makes it very difficult to observe and investigate this exploit kit in the wild, as most security researchers often rely heavily on these tools. Detecting various .sys and .dll files which belong to AV and virtualization software VMWare, VirtualBox, Parallels detection as well as Fiddler web debugging proxy The most unique feature of Angler is the use of these encrypted URL paths. It uses a simple transposition...


Filed under: ,

Another day, another zero-day – Internet Explorer's turn (CVE-2015-0072)

Posted: 05 Feb 2015 02:00 AM | Jose Barajas | no comments

Websense® Security Labs™ researchers are aware of a zero-day vulnerability affecting Internet Explorer that could allow a remote, unauthenticated attacker to bypass the Same-Origin Policy (SOP) to hijack the user’s session. The vulnerability is being called Universal Cross Site Scripting (XSS), as it allows the attacker to hijack the session using any third-party website, as long as the victim uses the Internet Explorer browser. The Same-Origin Policy (SOP) is a critical security measure used in web applications to ensure the confidentiality and integrity of information. Scripts running on different websites are not permitted to interact with each other, and cookies use SOP to ensure that the information for a given user's activity pertains to only one site. This mechanism allows for secure communication across multiple web properties and allows user sessions to be maintained without the need for re-authentication. Exposure The attacker could exploit the vulnerability by enticing the victim to visit a specially-crafted website. Successful execution via JavaScript of the proof of concept exploit code released on Jan 31, 2015 has been observed on Internet Explorer 11 running on both Windows 7 and Windows 8.1. Microsoft has not yet released a patch for the vulnerability, which has been assigned the identifier CVE-2015-0072. Impact Successful exploitation could allow an attacker to hijack the user’s session or gain access to sensitive information. The vulnerability could also be used in phishing attacks. Once the attacker has access to the user's cookies, all data normally restricted for use by the user would be available to the attacker and the attacker could impersonate the victim. The vulnerability can be easily exploited and is rated critical. Mitigation Websense customers are protected against attacks targeting the vulnerability (CVE-2015-0072) with ACE, our Advanced Classification Engine , which is used to prevent the malicious scripts from being downloaded to the victim’s machine. Websense researchers are not aware of active exploitation of this vulnerability at the time of publication of the blog, although, as mentioned earlier, proof of concept code is publicly available. Customers are encouraged to apply the patch from Microsoft as soon as it becomes available. You could also decide to use an alternative browser in place of the vulnerable versions of Internet Explorer. Websense Security Labs will continue to monitor the situation and provide updates as needed.


Filed under: , , , ,

New 'f0xy' malware is intelligent - employs cunning stealth & trickery

Posted: 30 Jan 2015 04:18 AM | ngriffin | 2 comment(s)

Websense Security Labs have discovered a new and emerging malware downloader that employs evasion techniques and downloads a cryptocurrency miner. The new malware, which we have named 'f0xy', is able to dynamically change its command-and-control (C&C), and download and execute arbitrary files. More interestingly, f0xy's evasion tactics include leveraging the popular Russian social networking site VKontakte, and employing Microsoft's Background Intelligent Transfer Service to download files. The behavior of f0xy backs up our 2015 security predictions that cybercriminals will continue to hide their C2 infrastructure within legitimate websites. We believe that this will be a growing trend in 2015, as malware authors realize that detecting malicious intent on legitimate websites can be difficult for security vendors. Websense customers are protected against this threat with ACE, our Advanced Classification Engine , at the different stages of the attack detailed below: Stage 5 (Dropper) – ACE has detection for malicious files used in this campaign, including detection of the malicious behavior utilized by f0xy. Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the f0xy downloader. File Sandbox report for the f0xy downloader dropper file: http://csi.websense.com/ThreatScope/FileAnalysis?requestId=ddf3d016-d8ac-4220-969e-a42f002a0039 Hunting Down f0xy When we took a closer look at the malware, we saw only 5/57 detections by security vendors for the initial dropper file f522e0893ec97438c6184e13adc48219f08b67d8. Upon investigating the C&C infrastructure, further samples were found dating back to 13 January 2015. Analysis suggests that the malware author has been changing and improving the code for reliability and efficiency, and to arrive at a version that works on most operating systems. First versions of the malware will run only on Windows 6.0 (Vista) and above, while the newer versions will also run on Windows XP. We decided to name the malware 'f0xy' due to the strings found in the executables, and the registry key it creates for persistence. To date, we have not seen any evidence in our customer base of an attempt to infect a machine with f0xy. Websense Security Labs will continue to monitor the campaign, because we may see it targeting users in the near future. Stealth & Evasion Tactics Just as a real fox is known in many cultures for its cunning and trickery, so is the malware. There are three distinctive features that allow the malware to fly under the radar: The malware employs very little in the way of code and string obfuscation, in order to appear more legitimate and hide in plain sight. A request is made to the Russian social networking site VKontakte, where the address of the real C&C is hidden. Finally, the malware uses Microsoft's Background Intelligent Transfer service to outsource its network traffic, to avoid detection from security products...


CVE-2015-0235 - how to handle the "GHOST" vulnerability affecting Linux distributions

Posted: 28 Jan 2015 03:15 AM | Carl Leonard | no comments

Websense® Security Labs™ are aware that a vulnerability has been identified in the GNU C Library that can lead to remote code execution under certain circumstances. The GNU C Library ( glibc ) is a core component of GNU systems and those with the Linux kernel; thus it has potential for a very significant attack surface area. The vulnerability has been assigned CVE-2015-0235 and is being referred to as "GHOST". Overview The issue exists within the __nss_hostname_digits_dots() function, which is used by the gethostbyname() or gethostbyname2() functions. Exploitation of the vulnerability can lead to remote code execution (RCE). This provides an attacker the capability to run code of their choosing on the affected machine. glibc versions prior to 2.18 are affected. You should be aware that later versions of glibc may not have been included in the latest versions of many distributions. In fact, many Linux distribution vendors are now making patches available. There are certain conditions which reduce the impact of this bug. Details are provided below. How is it exploited? Although we have not seen web-based or email-based attacks, Qualys, the team who discovered the bug, do have evidence to show how an MTA (mail transfer agent) can be exploited by sending a specially crafted packet to trigger a buffer overflow and subsequent arbitrary code execution. How do you know if your instance is vulnerable? It is known that the following distributions are amongst those affected: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04. Code that tests for the vulnerability has been made available on the github forum. Of course, we extend a word of caution to use such code at your own risk. You can also check which version of glibc you are running by executing the command ldd --version at your command prompt. Mitigation Advice The difficulty of exploitation depends on the target system implementation. In a post to the OpenWall security forum Qualys do note that the vulnerable functions are no longer always called having been replaced by the getaddrinfo() function in IPV6 implementations, that pre-validation of the argument sent to the function removes the potential for exploitation and that glibc itself was patched in 2013. However, when these conditions do not apply the risk is deemed critical. Fortunately various product vendors are rolling out updates to patch their affected distributions. We strongly recommend that you check with your Linux distribution vendor to see if they have a patch available. If so, you should review how to apply this patch to your environment as soon as possible in order to mitigate potential risk, not least because the bug is deemed critical. Websense Security Labs will continue to investigate the implications of this vulnerability.


Filed under: , , ,

Flash forward – Angler, here we come

Posted: 27 Jan 2015 02:40 AM | Tamas Rudnai | no comments

As mentioned in the post, “Happy Nucl(y)ear - Evolution of an Exploit Kit”, we were planning to discuss the Angler exploit kit in detail in an upcoming post. However, the exploitation of a critical Adobe Flash 0-day vulnerability (CVE-2015-0311, patched) via the Angler exploit kit has fast-tracked our efforts and in this blog, we present the strategy adopted by the exploit kit to evade detection of the 0-day by security scanners. 0-days are valuable commodities and the longer they remain undiscovered, the more value they appropriate for the attacker(s).



Just as defense-in-depth is used as a strategy in the protection scenario, layered obfuscation is its equivalent in the evasion scenario. The attacker is interested in adopting a defense-in-depth approach to protect his / her investment and get the most ROI from exploits. A parallel in the physical world is a medieval castle which was protected by multiple wall system, so even when the external wall had taken down by catapults the so called inner castle was still standing strong.



Filed under: , , , ,

Flash 0-day being distributed by Angler Exploit Kit

Posted: 22 Jan 2015 04:41 AM | ngriffin | no comments

Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in-the-wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine , is known to affect the latest version of Flash Player and has been seen dropping a trojan downloader called Bedep. Websense customers were already protected against this threat with ACE, our Advanced Classification Engine , at the different stages of the attack detailed below: Stage 3 (Redirect) – ACE has detection for the redirect to the exploit kit landing page. Stage 4 (Exploit Kit) – ACE has detection for the exploit kit landing pages, as well as the Flash Player exploit itself. Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the Bedep trojan downloader. [ UPDATE ] 23 January 2015 Adobe released an update to Flash Player on 22 January 2015 although it does not patch the issue discussed in this blog. In a further announcement Adobe are hoping to patch CVE-2015-0311 (the vulnerability discussed in this blog and by Adobe here ) on 26 January 2015. Vulnerability The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files are in place. Adobe have been made aware of this issue and are currently investigating . At the present time, it is not possible to disclose further information regarding specific details of this threat. Exposure Currently, it is known that Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, it is becoming a growing trend for exploit kits to drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. Utilizing vulnerabilities in these popular applications provides attackers with a large surface area of vulnerable clients. Due to the nature of exploit kits, Websense technology is able to target the threat at multiple stages and ensure that protection remains in place independent of the exploits used. Mitigation At the present time, Adobe have yet to release a patch for Adobe Flash Player. One persistent solution, for the time being, is to disable Flash Player in your browser until such time as a patch becomes available. Websense Security Labs will continue to investigate this issue as more information becomes available.


Filed under: , , , , , , ,

Happy Nucl(y)ear - Evolution of an Exploit Kit

Posted: 15 Jan 2015 05:50 AM | AToro | no comments

This blog post discusses how Nuclear Pack, one of the most popular exploit kits, has evolved, and highlights the constant, ongoing arms race between attackers and defenders. While Nuclear Pack is not the most sophisticated exploit kit--that dubious distinction going to Angler, which we will write about in an upcoming post--it is highly effective. It has been used in such high-impact campaigns as the AskMen compromise , and used by the APT group behind Operation Windigo. Nuclear Pack has a wide range of attacks in its repertoire, including Flash, Silverlight, PDF, and Internet Explorer exploits, and it is capable of dropping any malware. Furthermore, Nuclear Pack is constantly being improved by its creators to avoid detection and achieve higher infection rates. Exploit kits are a main source of compromises today; they are one of the primary vehicles for both 0-day and widely effective, known vulnerabilities, offering a free pass to drop active malicious content (such as the banking trojan, Zeus ) that embeds on the system giving cyberciminals a way into internal networks and ultimately leads to data exfiltration. Last year Websense has detected and blocked more than 66 million threats specifically with exploit kits, plus over 1 billion catches of later-stages, such as dropper file, C&C traffic (Call Home stage) that are commonly attributable to new exploit kit activity. In essence, exploit kits are complete, off-the-shelf solutions that cybercriminals can buy to compromise systems by exploiting various software vulnerabilities on the victim's system. In addition, these kits are equipped to defeat IDS and Anti-Virus solutions in order to avoid detection, the main technique they use to achieve this is through using code obfuscation, which is used to hide the true nature of the malicious code. Exploit kits constantly change and improve in order to keep up with various security solutions and the new version of NuclearPack is the next stage of exploit kit evolution. Telemetry Nuclear Pack affects virtually all industries, as it is very often used in high-volume compromises. In addition, the number of exploit attempts varies highly based on the traffic volume of the compromised website, as shown in the charts below. Affected Industries: Nuclear Pack trend activity over time: High Level Overview of Nuclear Pack infections Nuclear Pack follows the traditional kill chain and maps directly to the 7 Stages of Advanced Threats . Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages: Stage 2 (Lure) - ACE has detection for the compromised websites. Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page. Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack. Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack. The picture below shows all stages, from...


Filed under: , ,

Sony Pictures Entertainment Hack – Truly motion picture worthy

Posted: 22 Dec 2014 07:45 AM | ngriffin | no comments

Blackmail, secretive master-plan, sabotage, drama, politics, thriller, hostage, the list goes on - this is not the plot-line of an immersive Hollywood motion picture, but rather the highlights of the recent hack on Sony Pictures Entertainment (SPE). Although it is one of the most serious breaches that we have seen so far, we will see breaches of this magnitude in the days and months ahead as IT departments continue to grapple with the challenges of targeted attacks like these. While Sony deals with the hack by trying to sabotage downloads of its stolen data through putting out a large number of torrent file-sharing nodes with fake seeds, we at Websense Labs have been busy trying to protect our customers from such attacks. We initially released coverage on 2nd of December to protect customers from the malware used in the attack on SPE, and we will continue to monitor the situation and enhance our protection as required. Websense customers are protected against known Indicators Of Compromise with ACE, our Advanced Classification Engine , at the different stages of the attack detailed below: Stage 5 (Dropper) – ACE has detection for the malicious files delivered by this threat. Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with this threat. Executive Summary The initial malware used in this attack was a Server Message Block (SMB) worm that spread laterally throughout the network. The secondary malware included a backdoor as well as Master Boot Record (MBR) and hard-drive erasing tools. The malware actors held data for ransom, before proceeding to release it publicly. Their motives, however, remain unclear. Attribution for this attack is difficult, if not impossible, despite heavy links to North Korean actors . Infection vector From a technical perspective, the attack kill chain was typical of an infection scenario. The attack possibly started with a phishing email or a machine that got infected via other means, with some reports hinting that an insider was responsible. The infection was an SMB worm that brute-forced credentials in order to spread from one system to another, while constantly sending updates back to the hard-coded command and control servers. From there on, various tools including back doors, a proxy, a hard drive eraser tool, an MBR eraser, etc. went about doing their job of data exfiltration, wiping out hard drives, and erasing master boot records (MBRs). US-CERT has done a great job of putting together details of the specific files being dropped and executed at https://www.us-cert.gov/ncas/alerts/TA14-353A . Aims of the Malicious Actors It is clear that data is at the heart of the attack against Sony. Data was held ransom by the 'Guardians of Peace', the group that claimed responsibility for the hack. They blackmailed Sony, and a massive 200 GB of sensitive data has been made public by the group so far, with threats to release more data in the days to come. Exfiltration of such...

Read more >