Martijn Lammerts
My own digital place with a little of everything

New Bizarro Sundown Exploit Kit Spreads Locky

4 November 2016

A new exploit kit has arrived which is spreading different versions of Locky ransomware. We spotted two cases of this new threat, which is based on the earlier Sundown exploit kit. Sundown rose to prominence (together with Rig) after the then-dominant Neutrino exploit kit was neutralized.

Called Bizarro Sundown, the first version was spotted on October 5 with a second sighting two weeks later, on October 19. Users in Taiwan and Korea made up more than half of the victims of this threat. Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features. The October 19 attack also changed its URL format to closely resemble legitimate web advertisements. Both versions were used exclusively by the ShadowGate/WordsJS campaign.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Security Update Patches 13 Android Vulnerabilities Discovered by Trend Micro

1 November 2016

Mobile threats are trending upward, with vulnerability exploits gaining traction. The silver lining? More of these vulnerabilities are also being disclosed, analyzed and detected. This helps better protect Android devices from zero-days and malware, enabling OEMs/vendors to respond to these threats more proactively. This is echoed by our continuous Android vulnerability research: from June to August 2016, for instance, we discovered and disclosed 13 vulnerabilities to Google. Their real-world impact ranges from battery drainage and unauthorized capture of photos, videos, and audio recordings, to system data leakage and remote control. This is on top of 16 other security flaws we uncovered that were cited in Android/Google’s security bulletins from January to September this year.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

CVE-2016-3298: Microsoft Puts the Lid on Another IE Zero-day Used in AdGholas Campaign

31 October 2016

Microsoft’s Patch Tuesday for October fixed another previously exploited zero-day vulnerability in Internet Explorer (IE) via MS16-118 and MS16-126: CVE-2016-3298. Before the lid was put on it, the security flaw was used alongside CVE-2016-3351 by operators of the AdGholas malvertising campaign, which we analyzed and disclosed in collaboration with Proofpoint’s @kafeine in July 2016. The campaign was notable for the economies of scale and scope it achieved in its heyday, until its operations were stymied. As shared by @kafeine, it was even integrated into the Neutrino exploit kit’s malvertising chain as a malicious JavaScript.

Exploiting CVE-2016-3298 enables attackers to check for specific antivirus (AV) software installed on the system in order to avoid AV detection and threat research/analysis. This sounds innocuous, but determining whether a system is unprotected eases, and even automates, the task of sneaking malware onto it.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Masque Attack Abuses iOS’s Code Signing to Spoof Apps and Bypass Privacy Protection

31 October 2016

First reported in 2014, Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers seemed to have opened a window. Haima’s repackaged, adware-laden apps and its native helper application prove that App Store scammers are still at it.

This is in light of the significant number of malicious and potentially unwanted iOS apps we found that were signed with enterprise certificates and had the same Bundle IDs as their official versions on the App Store. Delving into them, we found that Haima and other third-party app stores were pulling off their scams by abusing a feature of iOS’s code signing process to achieve data inheritance.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Control Flow Guard Improvements in Windows 10 Anniversary Update

28 October 2016

Control Flow Guard (CFG) is an exploit mitigation feature that Microsoft introduced in Windows 10 and Windows 8.1 Update 3 that makes it significantly harder for exploits to run code on systems running these operating systems. This year’s major Windows 10 update (called the Anniversary Update) introduced improvements to CFG. The Anniversary Update began its rollout to most users in August 2016, although it may not be finished deploying to all users until this coming November.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Patch Your Flash: Another Zero-Day Vulnerability Hits Adobe Flash

27 October 2016

Adobe has released an out-of-band patch for Flash Player due to a zero-day vulnerability. According to Adobe's bulletin (APSB16-36), Flash versions 23.0.0.185 (released on October 11) and earlier are affected. (Adobe Flash Player for Linux uses a separate version numbering system; for that product, versions 11.2.202.637 and earlier are vulnerable.) We urge all users who still have Flash installed to update to the version released today as soon as possible.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List

27 October 2016

BLACKGEAR is an espionage campaign that has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows the attackers to quickly change the C&C server in use simply by editing the information in these posts.

Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the decoy documents used as part of its infection routines are now in Japanese; second, it is now using blogging sites and microblogging services based in Japan for its C&C activity.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro