Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts

What protection can be offered from sophisticated malware such as Regin?

Posted: 24 Nov 2014 04:59 AM | Carl Leonard | no comments


Websense® Security Labs™ researchers are continuing the analysis of a sophisticated malware attack which has been observed to conduct espionage against Russian, Saudi Arabian, and Irish targets, amongst others. Regin, as the malware family (or toolkit) has been named, is both modular and multi-stage, making the malware extremely customizable. Regin also uses advanced techniques to hide its activity, including custom encryption and the use of custom UDP and TCP protocols. At the time of writing we can confirm our knowledge of publicly-available Indicators of Compromise used in both version 1 of Regin (pre-2011) and version 2 of Regin (2013 onwards), and we have committed those to ACE, our Advanced Classification Engine.

Threat Modelling

When such sophisticated attacks are broken down into their constituent parts, we look to our threat modelling system of the 7 Stages of Advanced Threats. This helps us to build a clearer picture of risk based on the information known at any given time.

7 stages of Advanced Threats:

For Regin we can arrive at the following mapping:

Stage 1 (Reconnaissance): The authors of Regin are believed to be knowledgeable about the industry sectors targeted and have tailored the malware to suit. Further, due to the modular nature of the attack, components can be added to suit the approach required by the malware authors based on their reconnaissance discoveries. It would seem that the number of target organizations is currently low.

Stage 2 (Lure): Uncertainty remains around the lures used by the Regin toolkit, but it is thought to involve compromised websites and a means to get those in front of the target. Most likely the lure would arrive via email, instant message communications, or drive-by attacks hosted on compromised websites.

Stage 3 (Redirect): Due to the varying options around the lure stage it is uncertain whether the redirect stage is used by Regin. Not all malware families subscribe to all of the prescribed 7 Stages.

Stage 4 (Exploit Kit): Exploit code is often used to deliver payloads onto vulnerable machines. It is not always necessary for a vulnerability to be abused by malware, but it could be a possibility with the Regin toolkit considering its advanced nature.

Stage 5 (Dropper): Once the dropper has been deployed, Regin offers a multi-stage download-and-decrypt process to deliver its system files onto the infected machine. Note that it has been reported that non-traditional file storage areas such as the registry are used by Regin during its configuration phase. The security community is still hunting for the elusive dropper file, although we do have knowledge of, and have committed to our protection engine, multiple device drivers used in the payload's download process.

Stage 6 (Call Home): Regin's control communication is not specific to the HTTP protocol; the use of UDP and TCP has also been observed. Further, custom encryption based on existing algorithms seeks to hide the transmission...

Black Friday Themed Amazon Voucher Scam

Posted: 21 Nov 2014 03:15 AM | Xue Yang | no comments


The Websense® ThreatSeeker® Intelligence Cloud has detected Amazon voucher scams using Black Friday Gift Card themes as a lure. We have observed a surge of over 20,000 spam emails with the subject of "Amazon Black Friday Gift Card #XXXXXXXXX" since Thursday 20th November (where "X" signifies the use of random digits in the email subject). As Thanksgiving Day is just around the corner, the shopping season is also here, and it appears that cybercriminals are going to take full advantage of this chance to spread spam scams and increase their illegal revenues, utilizing well-known and trusted brands such as Amazon.

Executive Summary

When a user clicks on "Activate My Amazon.com Rewards", it will redirect them to a survey page which advertises a reward for filling out the survey. Users are encouraged to submit their personal information. The pages were designed to serve different language versions according to the victim's geographical location.

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages of the attack:

- Stage 2 (Lure) - ACE has detection for the email lures and the URLs used in these lures.
- Stage 3 (Redirect) - ACE has detection for the redirect pattern that occurs if a user visits one of these URLs, and for the survey scam pages themselves.

One email sample with this Amazon theme:

The links in this email campaign have a common pattern:

Chinese-based version:

US-based version:

After the victim completes the survey steps, it finally asks them to select a reward. However, they have to fill out personal information in order to do so. Obviously there is no free voucher at all, and the survey here blatantly engages in illegal methods to advertise and generate traffic to a web site that earns the cybercriminal money. This is the true nature of the scam: the aim of the lure is to generate revenue as part of a Cost Per Action (CPA) lead scam. This is a technique that we have been tracking for some time, as our previous blogs show.

Summary

CPA-style scams that leverage the reputation of popular companies like Amazon and use topical themes to fool their victims remain common amongst cybercriminals, providing a quick and easy way for them to generate revenue. While these campaigns are usually not malicious by nature, they pose a significant risk to users who may give out personal information, making them a more viable target for future attacks.

Official Website of Popular Science Compromised

Posted: 28 Oct 2014 06:25 PM | AToro | no comments


Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of Popular Science has been compromised and is serving malicious code. Popular Science is a well-established monthly magazine with a readership of more than a million, focusing on making science and technology subjects accessible to the general reader. The site is injected with malicious code that redirects users to websites serving exploit code, which subsequently drops malicious files on each victim's computer. Websense Security Labs™ has contacted the IT team of Popular Science with a notification regarding the compromise.

The main page of Popular Science on October 28, 2014:

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages of the seven stages an advanced threat goes through when attempting to steal your data:

- Stage 2 (Lure) - ACE has detection for the compromised websites.
- Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.

Analysis

The website has been injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit. The same Exploit Kit has been used in the compromise of METRO's website as well. The exploit kit launches various exploits against the victim which, if successful, will result in a malicious executable dropped on the user's system.

The injected iFrame:

In most cases, malicious injections redirect the user to a TDS, which then further redirects to the exploit kit's landing page. However, as is often the case with the RIG Exploit Kit, the injected code sends the victim directly to the landing page.

Obfuscated RIG Exploit Kit landing page:

The exploit kit landing page is heavily obfuscated to make analysis and detection more difficult. Before launching any exploit, the RIG Exploit Kit uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability to list antivirus (AV) software on the target system.

Checking for AV:

This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn't have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.

De-obfuscated script launching Java Exploit:

High-Level Stats: Who is impacted by this injection?

Websense telemetry indicates that this type of injection is widespread across the globe. Multiple industries are seen to be continuously affected by this threat.

Affected countries:

Affected industries:

Conclusion

As we mentioned in the past, compromising popular web pages is a popular technique used by cyber criminals to launch their attacks. It is important that users employ advanced security products that can protect them at various stages of the attacks.

Ebola Spreads - In Cyber Attacks Too

Posted: 23 Oct 2014 07:38 AM | uwang | no comments


The Ebola virus has been spreading in West Africa since first appearing in Guinea in December 2013. Its rising rate of infection, high mortality rate, and challenging isolation and containment requirements have raised world-wide alarm. Against that backdrop, Websense® Security Labs has found two distinct malicious campaigns that take advantage of the Ebola issue, and it's probably safe to assume that the topic will continue to be abused in the future.

DarkKomet RAT/Backdoor Campaign

Beginning October 10, 2014, Websense® ThreatSeeker® Intelligence Cloud has detected thousands of malicious emails taking advantage of the Ebola topic. The subject line is:

Subject: Ebola Safety Tips-By WHO

At the beginning of the campaign, the messages contained a redirect URL that led victims to a download location for a RAR archive. The archive contained the DarkKomet RAT/Backdoor. DarkKomet is a Remote Administration Tool (RAT) that provides full access to remote clients. It is used by attackers to control the victim's computer and steal information. In more recent emails, the campaign evolved to include direct attachment of executables, and then to direct attachment of a RAR archive containing the executable. The sample below shows the RAR attachment variant.

The malware in this campaign contacted a server located in Romania: 5.254.112.46:1604

ThreatScope has identified malware samples as malicious. Here are two file variants in the campaign:

- SHA1: e2bdede8375da63998562f55a77d4b078d3b5646 (ThreatScope Analysis Report: Link)
- SHA1: 91ff874eb5bde1bb6703e01d7603d3126ddd01fc (ThreatScope Analysis Report: Link)

CVE-2014-4114 & CVE-2014-6352 - Windows OLE Remote Code Execution Vulnerabilities

On October 14, 2014, iSIGHT discovered vulnerability CVE-2014-4114, used in the Sandworm campaign that targeted NATO, the European Union, and members of the Telecommunications and Energy sectors. CVE-2014-4114 can allow remote code execution if a user opens a specially crafted Microsoft Office file containing an OLE object. The vulnerability is in all supported releases of Microsoft Windows, excluding Windows Server 2003. Because the vulnerability does not involve memory corruption that can result in shellcode, and because it is in the category of 'design error', protection methods like DEP and ASLR are not effective. Example exploit code for CVE-2014-4114 has been spotted posted on the web. Criminal actors could potentially use it to build a malicious PowerPoint file to spread the malware.

Also, shortly after the disclosure of CVE-2014-4114, a very similar vulnerability that also targets OLE objects surfaced and is described as CVE-2014-6352. While CVE-2014-4114 has been patched by Microsoft, CVE-2014-6352 still awaits a patch.

Websense® Security Labs has noticed that the Ebola topic has been abused in relation to CVE-2014-4114. A sample from a third-party source, named "Ebola in American.pps", was leveraging CVE-2014-4114 to download...

SSLv3 "POODLE" Vulnerability CVE-2014-3566

Posted: 15 Oct 2014 03:40 AM | ngriffin | no comments


CVE-2014-3566 Overview

Websense® Security Labs is aware of a critical vulnerability that exists in SSLv3, dubbed "POODLE" by the Google Security Team. The vulnerability has also been explained in a security advisory by OpenSSL and given the CVE number CVE-2014-3566. Readers, take note! This is a major security risk, and you should take action immediately to mitigate this issue. Both Google and Mozilla are planning on removing all support for SSLv3 in their browsers in the coming months. Mozilla Firefox will discontinue support for SSLv3 on November 25 and Google Chrome will also stop supporting SSLv3 "in the coming months".

How is it exploited?

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. TLS (Transport Layer Security) has since superseded SSL; however, support for the older SSL version 3.0 still exists in the majority of applications and can therefore lead to software (such as browsers) being forced into using a vulnerable SSLv3 connection. The vulnerability can be exploited by inducing a client's browser into making multiple requests over HTTPS with SSLv3, and inferring details about the encrypted contents that allow an attacker to compromise the security of SSLv3.

What is the risk?

Websense Security Labs researchers view this as a critical vulnerability that is likely to be exploited in the wild, and can result in significant data theft. Research currently indicates that the vulnerability is only applicable to client-side software, and is most likely to affect web browsers. It is strongly recommended that you take the appropriate steps to secure any affected applications using SSLv3.

What actions should you take?

There are several ways of mitigating this vulnerability. Despite the issue being client-side, taking steps to secure server-side applications will prevent the issue from being exploited in the first place. It is recommended to follow as many of the steps below as possible, listed in order of priority as determined by Websense Security Labs researchers:

- End Users: Upgrade your internet browsers to their latest versions.
- End Users & Developers: Disable SSL 3.0 support in all client-based applications where possible. It is most likely that the issue will affect browsers; please consult your browser's documentation for information on how to disable SSLv3 support. All other software supporting SSLv3 should also be updated as soon as possible.
- Developers & System Administrators: Disable SSL 3.0 support in all server-based applications where possible, as this will prevent a vulnerable client from using SSLv3.
- Developers & System Administrators: If disabling SSL 3.0 immediately is unacceptable, use TLS_FALLBACK_SCSV in all TLS implementations and ensure both client and server implement the fallback mechanism.

More detailed information on mitigating this vulnerability can be found on a Microsoft...

Malware in the Wild Abusing "Shellshock" Vulnerability

Posted: 01 Oct 2014 03:08 AM | Carl Leonard | no comments


Since the Shellshock vulnerability became public knowledge, our ThreatSeeker® Intelligence Cloud has seen evidence of this vulnerability being exploited in the wild to drop malware. We shall illustrate one such example below.

Backdoors and Bot Nets

The observed malware found to be exploiting the Shellshock vulnerability has been dropped by various command and control (C&C) servers previously known to Websense Security Labs™. The malware has the following capabilities:

- A Linux backdoor, capable of DDoS attacks, brute force attacks on passwords, and receiving commands to execute from its C&C server.
- A Perl IRC bot, typically capable of DDoS attacks and spreading itself by looking for exploitable servers using various vulnerabilities, such as remote file inclusion exploits.

The malware has been seen to be downloaded to a compromised machine by exploiting the Shellshock vulnerability and invoking commands such as "curl" or "wget," and then executing the malicious payload. To date, we have seen 4 variants of the Linux backdoor and several versions of the Perl-based IRC bot.

Popularity Since Vulnerability Disclosure

The following domains and IPs have been found to be used as command & control (C&C) points for this campaign (amongst others):

- 208[.]118[.]61[.]44
- 27[.]19[.]159[.]224
- 89[.]238[.]150[.]154
- 212[.]227[.]251[.]139

Figure 1: chart showing increase in prevalence of C&C associated with the above malware, peaking around September 25, 2014.

Infrastructure Re-Use

We have seen C&C traffic to these IPs in the last 2 months, showing that they have been used for malicious and bot network campaigns prior to the Shellshock vulnerability disclosure. In fact, going back as far as 2012, we see that one such C&C was used in a Point-of-Sale malware campaign known as "vSkimmer." More recently, we have observed it serving up an IRC bot. The spike that we saw on September 25, 2014, ties in with the usage of these servers as command & control points for malware dropped in the exploitation of the Shellshock vulnerability. We have deduced that these are likely compromised servers, since we do see the infrastructure hosting legitimate websites. Cyber-criminals typically prefer compromised servers in order to piggyback on the reputation of those known hosts and to enhance their ability to remain anonymous.

Websense customers are protected from the malware described above by ACE, our Advanced Classification Engine, at the following stages:

- Stage 5 (Dropper File) - ACE has detection for the malware files associated with this campaign.
- Stage 6 (Backchannel Traffic) - ACE has detection for the command & control communication, preventing the malware from functioning correctly.

Additional Abuse of Shellshock Expected

Since the initial disclosure of CVE-2014-6271, we have seen another 5 vulnerabilities identified in Bash. These have been assigned identifiers: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE...

CVE-2014-6271 - Remote 'Shellshock' Vulnerability in Bash

Posted: 25 Sep 2014 09:30 AM | ngriffin | no comments


CVE-2014-6271 Overview

A vulnerability present in Bash up to version 4.3 has been found by Stephane Chazelas. Bash is a shell program found in a range of Unix-based operating systems such as Linux and Mac OS X, so the population of affected systems is very large. The vulnerability (CVE-2014-6271) allows for remote execution of arbitrary commands via crafted environment variables, which can be exploited in a number of ways including over HTTP. Websense® ThreatSeeker® Intelligence Cloud is actively monitoring the situation and will be updating ACE via the ThreatSeeker Network as exploitation attempts in the wild emerge.

How is it exploited?

Any system that allows remote access to the Bash program can be exploited. Perhaps the most dangerous mechanism for remotely calling Bash is via a crafted HTTP request that invokes a bash shell with specially crafted environment variables on servers configured to open Bash shells as part of their normal operation. This would cause the remote server to execute the commands encoded in the GET request. Proof-of-concept code for these techniques has been widely published, a blueprint for would-be attackers that will speed the rate of exploitation in the attack community.

What is the risk?

Websense Security Labs researchers view this as a critical vulnerability which could allow an attacker to gain complete control over a vulnerable server. It is strongly recommended to patch this vulnerability as soon as possible to avoid this.

What actions should you take?

Patches are starting to become available to mitigate this issue. However, please think carefully about taking immediate action:

- Make sure to obtain patches from reliable, official sources.
- Keep on top of any updates regarding patches, as sometimes the first patches do not fully fix the underlying issue (which we have already seen in initial reports on this vulnerability).
- Note that all versions up until, and including, 4.3 are vulnerable unless patched.
- Avoid remote access to Bash on affected systems.

You can obtain the latest patch from the official GNU Bash website.

Ongoing Targeted Attacks Continue to Plague Healthcare

Posted: 12 Sep 2014 09:00 AM | AToro | no comments


Websense® ThreatSeeker® Intelligence Cloud has detected a phishing campaign that targets the Healthcare sector, especially hospitals, phishing for Outlook credentials. This campaign is part of an ongoing trend of campaigns phishing for credentials of users from the healthcare sector (for example, the CHS breach), along with a trend of phishing for corporate Outlook credentials. Gaining access to corporate Outlook credentials allows attackers to get a foothold in the victim's organization. This foothold allows them to search for other high-value targets, and then send internal, legitimate-seeming emails to extract additional information and get access to strategic infrastructure or data. It also allows attackers to leverage the good reputation the compromised accounts might have to attack their contacts at other organizations. Healthcare organizations, and hospitals in particular, have a wealth of patient records that are very valuable to cyber criminals, as discussed here.

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:

- Stage 2 (Lure) - ACE has detection for the email lure.
- Stage 3 (Redirect) - ACE has detection for the link inside the email lure, and for the ultimate destination of the phishing site.

The Lure Email

The phishing email seen below, with the title "Your Mailbox account closure.", is sent to users, enticing them to click on a link. The campaign is highly targeted. ThreatSeeker telemetry shows Websense Cloud Email Security blocked a few hundred of these messages, all targeting a US healthcare organization, between 9/12/2014, 6:19:34 AM PDT and 9/12/2014, 7:13:10 AM PDT. Reviewing the email path, it appears that compromised accounts were used to send this campaign. This suggests that the actors behind the campaign try to spread laterally from one infected organization to another, taking advantage of the reputation of affected organizations. It is especially interesting since the compromised account is also a healthcare provider, which is likely to already have a good reputation in the victim's email protection systems. This helps to bypass any reputation-based defense.

The Phishing Page

If the user follows the link, they are led to webauthlineoutlweb.url.ph where they are presented with a legitimate-looking Outlook login page, which is used to steal credentials. A high-level look at the top 5 threats hosted on subdomains of "URL.PH" suggests it is becoming more popular in the last few months. Looking into the threats served by websites under the "URL.PH" domain, we can see a diverse set of threats including Zeus and Citadel, as well as other types.

Websense® Security Labs™ will continue to monitor this campaign, and will update the blog as new information is gathered.

Contributors: Abel Toro, Ran Mosessco, Elad Sharf

Kelihos Botnet Trying to Expand by Harnessing Russian National Sentiments

Posted: 22 Aug 2014 02:40 PM | Ran Mosessco | no comments


Websense® Security Labs™ has come across an interesting campaign, targeting Russian nationals, trying to lure them to download and run executables on their computers under the guise of attacking Western government websites. This is presented as a crowd-sourcing effort to retaliate against the governments that imposed sanctions on Russia (following the conflict in Ukraine). In fact, the unfortunate victims' machines fall prey to the Kelihos spam botnet.

Kelihos (a.k.a. Hlux) is a long-running trojan/bot/backdoor family, with different variants having capabilities such as:

- Sending out spam email
- Sniffing sensitive information such as passwords for different protocols
- Stealing Bitcoin wallet contents
- Bitcoin mining
- Backdoor access to victims' computers
- Participating in DDoS (distributed denial of service) attacks
- Downloading additional malware

Over the years, there have been several efforts to take down the botnet, but it seems the cyber criminals behind Kelihos are trying to revive and expand the botnet. Following topical events as a lure is a technique we have seen in the past to distribute Kelihos; examples include two large campaigns in 2013 that leveraged the RedKit Exploit kit to drop Kelihos on victims' computers. That in turn led to a series of stock "pump & dump" campaigns for financial gain.

Looking at Websense® ThreatSeeker® Intelligence Cloud telemetry of total hits to a specific type of webpage associated with Kelihos, we can see why the cyber criminals might be trying to expand: after a big spike around April 2014, there seems to be a decrease in recent months, with a gradual uptick in August 2014. It's possible this is the beginning of the expansion efforts.

What's different about this case is that instead of appealing to the victims' sense of curiosity, the cyber criminals appeal to patriotic sentiments (see details in the analysis below), blatantly saying that they will run malware on the intended targets' computers, but without disclosing the true nature of the malware. The variants we have analyzed so far in this campaign seem to have the spambot and sniffing functionality; no DDoS behavior has been observed during preliminary analysis. Even so, the damage for a business allowing its infrastructure to run such malware could be significant (blacklisting, for example).

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages out of the seven-stage process*:

- Stage 2 (Lure) - ACE has detection for the URLs in the email lures, and Websense email security products block the email lures.
- Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
- Stage 6 (Call Home) - Communication to the associated Command & Control (C2) servers is prevented.

* Note that this campaign does not use stages 3 & 4; details below.

Analysis

The campaign started on August 20, 2014...

4.5 Million Customer Data Records Stolen from US Hospitals

Posted: 19 Aug 2014 03:05 AM | Tamas Rudnai | no comments


4.5 million sensitive patient data records have been exfiltrated by a Chinese hacker group, according to a report made on Monday to the US Securities and Exchange Commission. The data includes names, addresses, phone numbers, and Social Security Numbers, which might be sufficient information to initiate financial fraud against the patients affected. Websense® Security Labs™ has tracked an increasing number of malicious activities hitting hospitals during the last couple of months. The first spikes started as early as October 2013 and have been increasing ever since, leaving hospitals as primary targets for quite some time. The majority of the attacks are delivered via the infamous Heartbleed vulnerability (CVE-2014-0160), which targets unpatched OpenSSL libraries used by the vast majority of Web services and clients (read more here). In our reports we have also seen an increased number of Zeus Gameover malware infections and Command & Control server traffic. Zeus Gameover uses a Peer-to-Peer network to communicate with the Command and Control server (read more here).

Special thanks to Michael Swafford and team for the data visualization.