Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Filtered by: 0-day

Flash forward – Angler, here we come

Posted: 27 Jan 2015 02:40 AM | Tamas Rudnai


As mentioned in the post “Happy Nucl(y)ear - Evolution of an Exploit Kit”, we were planning to discuss the Angler exploit kit in detail in an upcoming post. However, the exploitation of a critical Adobe Flash 0-day vulnerability (CVE-2015-0311, patched) via the Angler exploit kit has fast-tracked our efforts, and in this blog we present the strategy the exploit kit adopts to keep security scanners from detecting the 0-day. 0-days are valuable commodities, and the longer they remain undiscovered, the more value they yield for the attacker(s).


Just as defense-in-depth is used as a strategy on the protection side, layered obfuscation is its equivalent on the evasion side. The attacker is interested in adopting a defense-in-depth approach to protect his / her investment and get the most ROI from exploits. A parallel in the physical world is a medieval castle protected by a system of multiple walls: even when the outer wall had been taken down by catapults, the so-called inner castle was still standing strong.

...


Flash 0-day being distributed by Angler Exploit Kit

Posted: 22 Jan 2015 04:41 AM | ngriffin


Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in the wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest 16.0.0.287 version of Flash Player and has been seen dropping a trojan...


Cyber criminals expand use of CVE-2014-0322 before Patch Tuesday

Posted: 10 Mar 2014 01:54 PM | Elad Sharf


In advance of the patch for the Internet Explorer zero-day CVE-2014-0322, which will be released on Patch Tuesday, March 11, we thought it would be helpful to look at how this exploit was utilized in the lure stage, since this may unveil some of the tactics used by crimeware and targeted attack...


Up to 37% of Enterprise Computers Vulnerable to Microsoft Office Zero-day CVE-2013-3906

Posted: 07 Nov 2013 12:45 AM | Ran Mosessco


A new vulnerability related to the parsing of TIFF images was found in the Microsoft Graphics component that affects Microsoft Windows, Microsoft Office, and Microsoft Lync. Microsoft published Security Advisory 2896666 explaining the details. Microsoft Fix it 51004 is available to alleviate the problem until an update is available.

...


Zero-Day Attack for Internet Explorer (CVE-2013-3897) Goes High Profile

Posted: 09 Oct 2013 03:26 AM | Elad Sharf


Websense® Security Labs™ has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. The publication of the vulnerability details (CVE-2013-3897) was shared...


Cybercriminals Behind CVE-2013-3893 Launched Attacks Earlier Than Previously Reported; More Widespread

Posted: 26 Sep 2013 11:59 AM | AlexWatson


Websense Security Labs™ and the Websense ThreatSeeker® Intelligence Cloud have discovered that attacks utilizing the most recent Internet Explorer 0-day (CVE-2013-3893) are more prevalent than previously thought. In this write-up we analyze the exploit code and perform analysis on the dropped malicious file.


Executive Summary

  • Websense protected our customers using real-time analytics that have been in place for nearly three years.
  • We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry, being hosted on a Taiwanese IP address.
  • Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command & control server.
  • Our telemetry indicates that the attack described above is sufficiently segmented from previous attacks to suggest that different teams may be using the same tool sets.
...


Up To 70% of PCs Vulnerable to Zero-Day: CVE-2013-3893

Posted: 18 Sep 2013 06:35 AM | Artem Gololobov


Another new vulnerability found in Microsoft Internet Explorer affects Internet Explorer versions 8 and 9 and is being used in the wild by cybercriminals; specific configurations of Internet Explorer 6, 7, 8, 9, 10 and 11 are also potentially vulnerable. The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites.

...


New Java and Flash Research Shows a Dangerous Update Gap

Posted: 05 Sep 2013 05:51 PM | Matthew Mors


Today we're continuing our Java security research series by analyzing other plug-ins, browser extensions and rich internet applications that are commonly exploited. Our previous research indicated that the current state of Java affairs isn't pretty. At that time, ninety-three percent of enterprises...


Internet Explorer Zero-day Vulnerability (CVE-2013-1347) [Updated]

Posted: 07 May 2013 03:26 PM | Carl Leonard


A new vulnerability found in Microsoft Internet Explorer affects Internet Explorer version 8. The vulnerability allows attackers to execute code on a machine by just having the user visit a malicious website. This can happen, for example, when the user is tricked into clicking a link in an email or via compromised legitimate websites, such as the recently compromised Department of Labor website, which was subsequently used in a watering-hole attack. Malicious payloads delivered from this compromise were confirmed by Microsoft to exploit the new vulnerability, designated CVE-2013-1347.


...
