Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security research methods miss.


Filtered by: Java

Cyber Criminals Ramp Up Use of Exploit Kits in Fake Skype, Evernote Themed Attacks

Posted: 19 Feb 2014 03:45 AM | Ran Mosessco


Data from the Websense® ThreatSeeker® Intelligence Cloud indicates that over the last few weeks, cyber criminals leveraging the "Angler" and "Goon" Exploit Kits to deliver malware via email-borne attacks have ramped up their efforts. These recent campaigns were themed around fake Skype voicemail notifications (Feb 19, 2014) and fake Evernote image notifications (Feb 7 and 17-18, 2014). The emails try to lure the victim into clicking a link that redirects through an intermediate site to pages hosting the Angler Exploit Kit (later switched to the "Goon" Exploit Kit). The kits exploit Java, Flash or Silverlight vulnerabilities and try to load an encrypted executable to help evade detection. Although the attacks are large scale (Websense Cloud Email Security has detected and blocked a few hundred thousand of these messages per campaign burst), our telemetry shows a heavier focus on UK targets in the lure stage. These campaigns might be attributed to the "ru:8080" a.k.a. "/news/" gang, which has been a prominent user of the BlackHole Exploit Kit and then the Magnitude Exploit Kit, as described in our previous blog.

The related campaigns we have observed so far start with these lures:

Fake Skype messages with subjects such as:
"You received a new message from Skype voicemail service"

Fake Evernote messages with subjects such as:
"Image has been sent"
"Image has been sent <user@domain.tld>"

They carry URLs such as:
hxxp://itsrobinhoodd .com/1.html

These pages contain a simple JavaScript redirect to the next stage. The next stage is where the switch from the Angler Exploit Kit to the Goon Exploit Kit can be seen:
hxxp://merdekapalace .com/1.txt

This redirected to the Angler Exploit Kit page, on the typical .ru:8080 hosts:
hxxp://opheevipshoopsimemu .ru:8080/dp2w4dvhe2

That page contains obfuscated code that checks for browser and plug-in versions, serves a corresponding exploit, then loads an executable encrypted with a 64-bit XOR key.

On the other hand, an attack leading to the Goon Exploit Kit shows different code in the redirect stage. The same URL as before:
hxxp://merdekapalace .com/1.txt

now redirects to:
hxxp://nedapardaz .com/theme/it/browser/_lzf_.php?source_pid=38896815737B1F0316DB020740&swap_src=7D&theme-lid=1

This loads Java or Silverlight exploits, which ultimately download an encrypted executable disguised as an mp3, such as:
hxxp:// nedapardaz .com/9536.mp3

A Visual Basic script (named papa.vbs) is downloaded into the browser's temporary file directory. When executed, the VB script decrypts the "mp3" file to an executable. The executable decrypted from the "mp3" file has the following details (the name and hash are likely different in each attack):
N0Y6.exe
SHA1: 577156efc37ef50cefa72db31e7c94a7e6d415db

Websense ThreatScope behavioral analysis detects the executable as malicious (see the report here). Checking VirusTotal to provide context about AV coverage for this malware, we...


Eight Security Predictions for 2014

Posted: 14 Nov 2013 03:18 PM | Elisabeth Olsen


2013 was not an easy year in cybersecurity—and we expect 2014 attacks will be even more complex. In a new report out today, Websense Security Labs researchers collectively outlined eight predictions and recommendations for 2014. To read the full report, please visit www.websense.com/2014predictions. In addition, below is an infographic for quick reference. Here are the highlights:

1. Advanced malware volume will decrease. According to the real-time telemetry feeds in the Websense ThreatSeeker® Intelligence Cloud, the quantity of new malware is beginning to decline. Unfortunately, this is bad news for organizations. Cybercriminals will rely less on high-volume advanced malware because over time it runs a higher risk of detection. They will instead use lower-volume, more targeted attacks to secure a foothold, steal user credentials and move laterally throughout infiltrated networks. Although the volume of attacks will decrease, the risk is even greater.

2. A major data-destruction attack will happen. Historically, most attackers have used a network breach to steal information for profit. In 2014, organizations need to be concerned about nation-states and cybercriminals using a breach to destroy data.

3. Attackers will be more interested in cloud data than your network. Cybercriminals will focus their attacks more on data stored in the cloud than on data stored on the network. This tactical shift follows the movement of critical business data to cloud-based solutions. Hackers will find that penetrating the data-rich cloud can be easier and more profitable than getting through the "castle walls" of an on-premises enterprise network.

4. Redkit, Neutrino, and other exploit kits will struggle for power in the wake of the Blackhole author arrest. We will see a fight for market leadership between a number of new entrants and existing exploit kits in 2014. We anticipate Redkit and the Neutrino exploit kit will secure a strong foothold in the coming year.

5. Java will remain highly exploitable and highly exploited—with expanded repercussions. Most endpoints will continue to run older versions of Java and therefore remain extremely exposed to exploitation. In 2014, cybercriminals will devote more time to finding new uses for tried-and-true attacks and crafting other aspects of advanced, multi-stage attacks.

6. Attackers will increasingly lure executives and compromise organizations via professional social networks. As social networking continues to appeal to the business community in 2014, attackers will increasingly use professional websites, such as LinkedIn, to research and lure executives. This highly targeted method will be used to gather intelligence and compromise networks.

7. Cybercriminals will target the weakest links in the "data-exchange chain." Attackers will go after the weakest links in the information chain and target the consultants outside the network who have the most information. This includes consultants...


New Java and Flash Research Shows a Dangerous Update Gap

Posted: 05 Sep 2013 05:51 PM | Matthew Mors


Today we're continuing our Java security research series by analyzing other plug-ins, browser extensions and rich internet applications that are commonly exploited. Our previous research indicated that the current state of Java affairs isn't pretty. At that time, ninety-three percent of enterprises were vulnerable to known Java exploits, and nearly 50 percent of enterprise traffic used a Java version that was more than two years out of date. Through Websense ThreatSeeker Intelligence Cloud analysis we now find:

- Only 19 percent of enterprise Windows-based computers ran the latest version of Java (7u25) between August 1-29, 2013.
- More than 40 percent of enterprise Java requests are from browsers still using outdated Java 6. As a result, more than 80 percent of Java requests are susceptible to two popular new Java exploits: CVE-2013-2473 and CVE-2013-2463.
- 83.86 percent of enterprise browsers have Java enabled.
- Nearly 40 percent of users are not running the most up-to-date versions of Flash. In fact, nearly 25 percent of Flash installations are more than six months old, close to 20 percent are outdated by a year and nearly 11 percent are two years old.

Our in-depth analysis ran for one month, across multiple verticals and industries. We surveyed millions of real-world web requests for Java usage through our global Websense ThreatSeeker Intelligence Cloud.

New Java Exploits and the Neutrino Exploit Kit

The new Java exploits CVE-2013-2473 and CVE-2013-2463 are already making a big impact by targeting computers running outdated versions of Java. It's clear the cybercriminals know there is a Java update problem in many organizations. For example, the Websense ThreatSeeker Intelligence Cloud noticed an uptick in new hosts running the Neutrino exploit kit in the first and second weeks of August 2013. This could be attributed to Neutrino's addition of Java-based code execution exploits, including CVE-2013-2463, which is based on AWT/2D vulnerabilities and affects all Java 6 users (tip of the hat to F-Secure). Typically associated with ransomware payloads, Neutrino is best known for its easy-to-use control panel and features that evade AV and IPS systems. Forty percent of Java 6 users are vulnerable to these new exploits, and there are no software patches in sight. Effective exploit kit delivery mechanisms such as Neutrino, combined with unpatched vulnerabilities targeting Java 6, create a significant challenge for organizations that have not updated to Java 7. On the positive side, our updated numbers show that enterprise IT is pushing out more Java updates: earlier this year, 70 percent of Java requests came from Java 6 users, and that figure has decreased to 40 percent. Check out this previous blog post on how Java plays a part within the Seven Stages of Advanced Attacks, and our advice on Java remediation steps at this post.

Don't Forget About Flash

Remember, just a few years ago, Flash was a primary attack vector. As our research above indicates, nearly...


Majority of Users Still Vulnerable to Java Exploits

Posted: 03 Jun 2013 09:00 PM | Carl Leonard


Throughout the last 6 weeks, Websense® Security Labs™ has been collecting telemetry from the Websense ThreatSeeker® Intelligence Cloud to provide insight into usage of the most recent version of Java. Following our March 2013 study that looked at which versions of Java are being used, we saw that almost 93% of users are still not patched to the most recent version of Java. This leaves the majority of users still vulnerable to exploit code already in use in the wild.

...


How are Java attacks getting through?

Posted: 25 Mar 2013 09:01 PM | Charles Renert


Were you aware that Java is increasingly being viewed as a security risk? Of course you were — recent high-profile attacks have firmly established the trend, so we're not going to do yet another roundup here. Instead, let's drill in and try to understand the core problem. With so many vulnerabilities, it's hard to keep browsers up to date with the latest patched versions — especially because Java is updated independently from the browser. How hard is it? We decided to check. We recently added Java version detection to our Advanced Classification Engine (ACE™) and pumped it into the Websense ThreatSeeker® Intelligence Cloud to get real-time telemetry about which versions of Java are actively being used across tens of millions of endpoints. Here's what we found:

Figure 1: Global distribution of Java Runtime Environment versions based on active browser usage

As you can see, Java versions are all over the map. At the time of this writing, the latest Java Runtime Environment is 1.7.17, but only about five percent of the overall mix are using it. Most versions are months and even years out of date. How does this translate into the attack space? Exploit kits are a very common tool for distributing many Java-based threats. From the billions of daily web requests being classified through our network, here is the breakdown of the active browser requests that are exploitable, and which exploit kits have incorporated attacks for them.

Java Vulnerability   Vulnerable Versions**   Vulnerable   Exploit Kits With Live Exploits
CVE-2013-1493        1.7.15, 1.6.41          93.77%       Cool
CVE-2013-0431        1.7.11, 1.6.38          83.87%       Cool
CVE-2012-5076        1.7.07, 1.6.35          74.06%       Cool, Gong Da, MiniDuke
CVE-2012-4681        1.7.06, 1.6.34          71.54%       Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-1723        1.7.04, 1.6.32          67.72%       Blackhole 2.0, RedKit, CritXPack, Gong Da
CVE-2012-0507        1.7.02, 1.6.30          59.51%       Cool, Blackhole 2.0, RedKit, CritXPack, Gong Da

** All prior JRE versions below those listed are also vulnerable.

It is probably no surprise that the single vulnerability with the largest exploitable population is the most recent one, with 93.77% of browsers vulnerable. That's what the bad guys do — examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers. Most browsers are vulnerable to a much broader array of well-known Java holes: over 75% use versions that are at least six months old, nearly two-thirds are more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered. How do you stop...


Forex Website Targeted: Did Cybercrooks Find the Weakest Link in Online Money Management Services?

Posted: 28 Nov 2012 02:29 AM | Gianluca Giuliani



The Websense® ThreatSeeker® Network has detected that a FOREX trading website was injected with a malicious Java applet, which could install malware on the affected systems of the site's users. FOREX is the foreign exchange market where international currencies are traded, and nowadays, it's used by millions of people around the world.


The targeted website is a popular FOREX website called "Trading Forex," located at hxxp://tradingforex.com. One of the questions raised when encountering such a compromise is whether some cybercriminals are shifting their focus from the mainstream online money management systems of banks and stock exchanges to "easier wins": online systems and services that are likely to be less mature from a security perspective. Another interesting fact is that the backdoor dropped at Trading Forex is written in Visual Basic .NET and requires Microsoft's .NET Framework to be installed and operational on the victim's computer in order to run.


Websense customers are protected from these and other threats by ACE, our Advanced Classification Engine.


...


Fake 'Amazon order' email exploits recent Java vulnerability CVE-2012-4681

Posted: 02 Sep 2012 09:44 PM | Xue Yang


Following our recent blog posts regarding the propagation of Java vulnerability CVE-2012-4681 (New Java 0-day used in small number of attacks) and its subsequent inclusion in the infamous Blackhole Exploit Kit (New Java 0-day added to Blackhole Exploit Kit), the Websense® ThreatSeeker® Network has detected a new malicious email campaign purporting to be an order verification email from Amazon, directing victims to a page containing the recent Java exploit.

...


Nepalese government websites compromised to serve Zegost RAT

Posted: 08 Aug 2012 10:36 AM | Gianluca Giuliani



The Websense® ThreatSeeker® Network has detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council of Ministers (nitc.gov.np and opmcm.gov.np respectively), have been compromised and injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. The aim of this injection is to install, by successfully exploiting that Java weakness, a backdoor dubbed "Zegost" on the systems of visitors to these websites.


This vulnerability (CVE-2012-0507) was also used in the Amnesty International UK website compromise and in the INSS website compromise that we reported a few months back. It's interesting to note that all those compromises had injected code that was taken from the Metasploit framework, served in clear form and not obfuscated. Although the use of code from the Metasploit framework doesn't necessarily indicate a link between all the compromises, we found a further common characteristic between the compromises of the Amnesty UK website and the Nepalese government websites by analyzing the backdoor C&C points: they connected to the same domain in China.


...


Dissecting Cleartrip.com website compromise: Malicious ad tactics uncovered

Posted: 29 Jun 2012 12:01 PM | Elad Sharf


The Websense® ThreatSeeker® Network discovered on June 27, 2012, that one of the most popular travel websites in India, cleartrip.com, was compromised and served malicious code. The website was informed of this breach and no longer serves malicious code. In this blog, we'd like to share our insights about this attack and focus on the tactics that we observed being used. We managed to spot this attack iteration before it became fully active, before malicious files were uploaded to the exploit kits that cleartrip.com redirected to, and before all the malicious redirection nodes that cleartrip.com led to were active. The tactics that the cyber criminals used show what goes into making a legitimate website's infection less obvious and more difficult for security products to detect. These tactics included the following:

- Targeting a website's local ad system and masquerading as legitimate ads
- Manually intervening on a compromised website and preparing multiple domains to ensure redundancy
- Obfuscating available malicious toolkit redirectors to circumvent detection
- Using advanced traffic direction system components and masquerading as a legitimate website to remain covert
- Using exploit kits that serve Java-based exploits only

The next image summarizes the infection redirection chain leading to the exploit website, as it started from cleartrip:

In this section, we'll take a closer look at the tactics we listed above.

Tactic 1: Targeting the local ad system and masquerading as part of the legitimate ad chain

The attackers seemed to focus on cleartrip.com's local ad system. Having that specific component compromised allowed them to serve malicious code through ads maintained by the website itself. The ad system on cleartrip is a third-party component plugin developed by Openx. Targeting third-party plugins is a very common tactic used to compromise legitimate websites. In this instance, it looks like the attackers gained control of the website's ad system, since malicious code was restricted to and served from that area only. Other cases of abuse of Openx components through exploitation and serving malicious content are documented throughout the Web. "Malvertising" is another form of loading malicious code with advertisements: third-party advertisers have their ads or their infrastructure compromised, and their ads are then injected and loaded with malicious code. However, in the cleartrip attack, the local ads were served by cleartrip.com itself and not by a third party. By gaining unauthorized access to the Openx advertising component on the website, the attackers succeeded in sabotaging the ads and injecting them with malicious code. Malicious code loaded by ads is harder to detect because loaded ads usually reside at deeper path levels of the website, and the malicious code blends well with the rest of the ad content. In contrast, most compromises we see in the labs tend to have injected code on the main page...


The Amnesty International UK website was compromised to serve Gh0st RAT [Update]

Posted: 11 May 2012 01:29 AM | Gianluca Giuliani


Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.

...
