Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security research methods miss.

Adobe tagged in these posts

Flash forward – Angler, here we come

Posted: 27 Jan 2015 02:40 AM | Tamas Rudnai | no comments


As mentioned in the post “Happy Nucl(y)ear - Evolution of an Exploit Kit”, we were planning to discuss the Angler exploit kit in detail in an upcoming post. However, the exploitation of a critical Adobe Flash 0-day vulnerability (CVE-2015-0311, patched) via the Angler exploit kit has fast-tracked our efforts, and in this blog we present the strategy adopted by the exploit kit to evade detection of the 0-day by security scanners. 0-days are valuable commodities, and the longer they remain undiscovered, the more value they hold for the attacker(s).

Just as defense-in-depth is a strategy on the protection side, layered obfuscation is its equivalent on the evasion side. The attacker adopts a defense-in-depth approach to protect his or her investment and get the most ROI from exploits. A parallel in the physical world is a medieval castle protected by a system of multiple walls, so that even when the outer wall had been brought down by catapults, the so-called inner castle was still standing strong.

...

Flash 0-day being distributed by Angler Exploit Kit

Posted: 22 Jan 2015 04:41 AM | ngriffin | no comments


Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in the wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest 16.0.0.287 version of Flash Player and has been seen dropping a trojan downloader called Bedep. Websense customers were already protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:

Stage 3 (Redirect) – ACE has detection for the redirect to the exploit kit landing page.
Stage 4 (Exploit Kit) – ACE has detection for the exploit kit landing pages, as well as the Flash Player exploit itself.
Stage 6 (Call Home) – ACE detects the communication to the C&C points associated with the Bedep trojan downloader.

[UPDATE] 23 January 2015

Adobe released an update to Flash Player on 22 January 2015, although it does not patch the issue discussed in this blog. In a further announcement, Adobe are hoping to patch CVE-2015-0311 (the vulnerability discussed in this blog and by Adobe here) on 26 January 2015.

Vulnerability

The Adobe Flash Player samples that exploit this vulnerability have been shared with Websense, and protection for these malicious files is in place. Adobe have been made aware of this issue and are currently investigating. At the present time, it is not possible to disclose further information regarding specific details of this threat.

Exposure

Currently, it is known that the Angler Exploit Kit is exploiting this Flash Player vulnerability. As we have mentioned previously, it is becoming a growing trend for exploit kits to drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. Utilizing vulnerabilities in these popular applications provides attackers with a large surface area of vulnerable clients.

Due to the nature of exploit kits, Websense technology is able to target the threat at multiple stages and ensure that protection remains in place independent of the exploits used.

Mitigation

At the present time, Adobe have yet to release a patch for Adobe Flash Player. One persistent solution, for the time being, is to disable Flash Player in your browser until such time as a patch becomes available. Websense Security Labs will continue to investigate this issue as more information becomes available.

PHP.net compromised, serving up obfuscated content

Posted: 25 Oct 2013 08:51 AM | Anonymous | no comments


The Websense® ThreatSeeker® Intelligence Cloud has alerted us regarding content deployed on the web developer's web site hxxp://php.net/. Internet users may know that Google Safe Browsing has also alerted users to a possible infection or compromise of php.net, a site currently ranked 220 on the Alexa ranking system. A member of Google's staff has posted on a number of forums (examples here and here) to confirm that this is, in fact, a true positive, as confirmed by our telemetry.

Members of the same forums quickly compared versions of the script, identifying the following code as appended to at least 4 .js scripts within the hxxp://php.net/ domain:

The following screen shot shows the decoded obfuscation:

When we look at the resulting JavaScript, we can identify a URL in the .uk TLD space:

The iFrame source was hosted on a VPS owned by hxxp://webfusion.co.uk/, which should be applauded for swiftly taking the site down soon after this compromise came to light. Before the takedown, the URL returned one of two types of content: a basic plugin detection script, or the simple string "not ready", as shown below:

The code was served just once per IP and was dependent upon correct Referer and UA strings. The ultimate goal of this injection was to redirect users to the Magnitude Exploit Kit (MEK), which attempts to exploit Adobe and Java platforms, among others, in order to serve up generic Ransomware.

Websense customers were, as always, protected against this type of attack by ACE™, our Advanced Classification Engine. Of the 7 Stages of Advanced Threats, Websense offered protection at the following stages:

Redirection stage
Exploit Kits stage
Command and Control URLs

Update (at the time of this blog posting): The malicious code has been removed from hxxp://php.net/.

Adobe Reader and Acrobat Vulnerability (CVE-2011-2462)

Posted: 07 Dec 2011 07:39 PM | Chris Astacio | no comments


Yesterday, Adobe released a Security Advisory warning about a vulnerability in Adobe Reader and Acrobat. Adobe rated this vulnerability "critical," because it may allow an attacker to execute code remotely and take control of an affected system. Adobe is currently working on a fix and planning to roll that fix out next week for the 9.x versions of its software for Windows.

Because Adobe Reader X and Adobe Acrobat X have a sandboxing mechanism called Protected View, these versions will not allow code to be executed remotely. So for these newer X versions of the affected software, Adobe will issue a fix in its next quarterly update, currently scheduled for January 10, 2012. Adobe lists Protected View as a way to safeguard your system against this threat. Please be sure to use the X version of Adobe software and verify that Protected View is enabled. The Mitigations section of the Adobe Security Advisory explains how to do this for the X versions.

Websense Security Labs™ is aware of reports that this vulnerability has been used in the wild. We have updated our Advanced Classification Engine, ACE, to help protect against and look for any other possible attacks in the wild.

Microsoft patches 15 important vulnerabilities

Posted: 15 Sep 2011 02:45 PM | Tamas Rudnai | no comments


This month, Microsoft issued 5 security bulletins covering 15 vulnerabilities in Excel and Windows. These updates are considered important rather than critical, as by the time of the patch there was no malicious code exploiting the vulnerabilities in the wild. Adobe also released a security bulletin patching 13 vulnerabilities in Acrobat Reader. Websense® Security Labs highly recommends applying the updates in order to avoid cyber criminals who may use these security holes for their malicious activities.

...

CVE-2011-2110 for Adobe Flash Player being exploited in the wild

Posted: 17 Jun 2011 08:30 PM | Patrik Runald | no comments


Earlier this week Adobe released security updates for several of their products, and now the CVE-2011-2110 vulnerability in Flash Player is actively being used in drive-by and spear-phishing attacks. Websense customers are protected from this scam by ACE, our Advanced Classification Engine. The vulnerability is triggered when a website is viewed in a browser that has the Adobe Flash Player plugin installed, by a simple command that loads a malicious SWF file, as can be seen in this sample code captured by the Websense ThreatSeeker® Network:

Technical details

We are still analyzing the vulnerability and how the exploit works, but here's what we know. The exploit samples we've seen so far use a heap information leak, so that they don't have to spray the heap. Once the vulnerability is triggered, the transfer of execution from legitimate code to malicious code takes place when the stack pointer is replaced with EAX. Once the stack has been compromised, the exploit carries out the ROP portion of the attack to allocate an executable memory page for the second stage of the shellcode. Once the shellcode has executed, it will try to download an encrypted binary file that's decrypted by embedded ActionScript. The decrypted file is saved in the %TEMP% folder on the computer and then executed.

Here's a VirusTotal link to one binary we saw used by one of the exploit files, but each exploit downloads a different file from a different server. We also found an interesting debug string in one of the SWF files we looked at, which is a greeting to Rising, a Chinese antivirus company.

Below is a list of URLs where we've seen the exploit being hosted.

As always, it's crucial that you install the latest version of Adobe Flash Player as soon as possible if you haven't done so already. The vulnerable versions are any version older than 10.3.181.26. If you're unsure which version of Adobe Flash Player you have installed, you can find out by going to this link hosted at Adobe.

Our friends over at Shadowserver have posted some information about this vulnerability on their blog.

(Technical analysis done by Victor Chin)

One more Adobe 0-day vulnerability using Office files

Posted: 11 Apr 2011 04:44 PM | Patrik Runald | no comments


Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in their security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when using PDF files. However, since the vulnerability exists in Flash, a machine can be exploited via other formats and applications that support Flash, such as Web pages and Office documents. The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat, but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

New 0-day Vulnerability in Adobe Flash Player (CVE-2011-0609)

Posted: 15 Mar 2011 07:35 AM | Elad Sharf | no comments


Websense® Security Labs™ has received reports of a new zero-day exploit that targets Adobe Flash Player (CVE-2011-0609). The vulnerability can potentially allow an attacker to execute malicious code on a targeted machine and has been spotted in a limited number of targeted attacks. The targeted attacks employed an Excel file with an embedded vulnerable Flash file (.swf) with the aim of executing unsolicited malicious code on the targeted machines.

The security advisory released by Adobe marks the vulnerability as "critical" and it affects all the latest versions of Adobe Flash Player. The vulnerability also exists in Adobe Acrobat Reader and Adobe Acrobat Reader X, as the vulnerable DLL file "authplay.dll" is also shipped with those versions. However, Adobe Acrobat X can prevent this kind of vulnerability from being exploited, thanks to its sandbox functionality, so in that respect it's highly recommended to upgrade to that version if possible.

Adobe plans to patch this vulnerability with an update to Flash Player that will be available for all platforms on the 21st of March. Currently, we're not seeing any wide-spread attacks in the wild that utilize this vulnerability, largely because the exploit details aren't publicly disclosed, but we're monitoring the situation and will keep you updated as related events unfold.

New 0-day Vulnerability in Adobe Acrobat Reader

Posted: 08 Nov 2010 01:16 PM | Tamas Rudnai | 1 comment(s)


A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke a function call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shell code in memory using heap spraying to exploit the vulnerability. Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more.

It is possible that malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics. Adobe has published advice on how to avoid this vulnerability by blacklisting the vulnerable function call.

The issue was unknown to the Adobe PSIRT team when Websense Security Labs informed them about it. Respecting their wish, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue. In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded. We will update this blog post with any interesting developments.

Update 09-Nov-2010: The vulnerability is now registered as CVE-2010-4091 on mitre.org. Adobe also mentions the issue in the security advisory APSA10-05. There is still no proof that this vulnerability was exploited in the wild.

Adobe Flash Player & Adobe Reader and Acrobat 0-day (CVE-2010-3654)

Posted: 28 Oct 2010 05:18 PM | Elad Sharf | no comments


Websense® Security Labs™ has received reports of a new zero-day exploit that targets the Adobe Flash Player. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine. The vulnerability can be delivered directly via a SWF file (Flash) or via a PDF file with an embedded Flash file object. An attack using the vulnerability with a PDF file has been spotted in the wild by Contagio Malware Dump (blog). Today Adobe issued a security advisory confirming the flaw and rating the vulnerability critical:

It has been a very busy past few months with respect to vulnerabilities in Adobe products. The upcoming Adobe Acrobat Reader version, dubbed Adobe Acrobat X, promises tightened security features, so hopefully exploitation through Adobe's Reader will diminish. Adobe announced that they will release a patched version of Flash on November 9 and a fixed version of Adobe Reader the week of November 15. We are keeping an eye on developments and will update further as events unfold.
