Friday, May 27, 2016

Missing 2015 MS Office Patch targeted by APT actors

Computers running vulnerable versions of Microsoft Office (missing the MS15-099 patch) are actively targeted by multiple advanced threat actors. Although this zero-day vulnerability was patched in September 2015, advanced attackers continue to exploit it, suggesting widespread patching failures.

Kaspersky Labs compiled a list that included: Platinum, APT16, EvilPost, and SPIVY.

| Code-name | Researcher | Discovery date | Activity area | MS15-099 exploitation | Reference |
| --- | --- | --- | --- | --- | --- |
| Platinum | Microsoft | August 2015 (zero-day discovery) | India, Malaysia, Indonesia, China | Resume for technical position | PLATINUM: Targeted attacks in South and Southeast Asia, Windows Defender Advanced Threat Hunting Team |
| EvilPost | FireEye / Kaspersky | November 2015 | Japan | Japanese national defense topics | The EPS Awakens, Threat Research Blog |
| APT16 | FireEye | December 2015 | Taiwan, China | Taiwanese opposition party (Democratic Progressive Party) document | The EPS Awakens - Part 2, Threat Research Blog |
| SPIVY | Palo Alto Networks | March 2016 | Hong Kong | Hong Kong pro-democracy documents | New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists |
| Danti | Kaspersky | March 2016 | India, Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal, and Philippines | Forged Indian government communication targeting Indian embassies in Hungary, Denmark, Colombia and the Ministry of Foreign Affairs | CVE-2015-2545: overview of current threats, Danti attacks |

Thursday, May 26, 2016

CEO dismissed after successful phishing email


Australian aerospace firm FACC announced yesterday the immediate dismissal of CEO Walter Stephan.
“In the supervisory board meeting, held on May 24, 2016, Mr. Walter Stephan (CEO) was revoked by the supervisory board as chairman of the management board of FACC AG with immediate effect for important reason. The supervisory board came to the conclusion, that Mr. Walter Stephan has severely violated his duties, in particular in relation to the "Fake President Incident".” Reuters confirms this is a reference to a successful phishing email: “The hoax email asked an employee to transfer money to an account for a fake acquisition project - a kind of scam known as a "fake president incident".”

Tuesday, May 24, 2016

Swiss defense contractor RUAG: APT breach findings

A Swiss defense contractor agreed to share details of a very advanced persistent threat actor found operating within its systems. The unabridged version of the report contains a great amount of information, including functional analysis of the tools used within the campaign.

The attackers infiltrated the environment, established covert internal communication, staged hidden information stores, and coordinated hierarchical data exfiltration.

The Reporting and Analysis Center for Information Assurance (MELANI) provides both a summary and detailed version of findings.

RUAG Compromise

Locating the target

“Vulnerable web servers on the Internet” were used as both watering holes and first-stage command-and-control. Using JavaScript sometimes disguised as Google Analytics code, browsers are redirected to a secondary infection site where victim IP addresses can be compared to the list of intended targets.

Infection happens in two stages. First, "a system is infected by a reconnaissance malware." If the system is sufficiently interesting, "stage 2 malware is added, and ultimately persistence is gained."

Monday, May 23, 2016

Content management systems (CMS) insecurity

Content management systems continue lowering the bar for webmasters. According to a recent Sucuri report, "over a third of the websites online are powered by four key platforms: WordPress, Joomla!, Drupal, and Magento."

Unfortunately, this "introduces a large influx of unskilled webmasters and service providers responsible for the deployment and administrations of these sites." Disregard for system maintenance is common.

"As the technical aptitude required to have a website drops," the webmaster is increasingly the weakest link. Sites running atop the top four CMS platforms investigated by Sucuri were overwhelmingly out of date.

"There is a sharp drop off in the knowledge required to have a website, which is breeding the wrong mindset with website owners." The report concludes, "One thing we know from this report is that vulnerable software is a big problem, contributing to a large number of compromises. The blanket guidance to stay current and update is falling on deaf ears."

Source: Sucuri Website Hacked Report 2016 - Q1