Monthly Archives: October 2015

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits



The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.


It has now made its way to Exploit Kit

Angler EK :
2015-10-29
CVE id confirmed by by Anton Ivanov ( Kaspersky )

Angler EK successfully exploiting Flash 19.0.0.207
2015-10-29
Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36
Another sample : bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545e

Not replayable fiddler sent to VT

Out of topic sample loaded by bedep :
5a60925ea3cc52c264b837e6f2ee915e Necurs
a9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)

2016-03-12
Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and Eset

Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge
Fiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zip

Nuclear Pack:
2015-10-30
Nuclear Pack which has been playing with landing URI pattern lately has integrated it
CVE-2015-7645 in Nuclear Pack on 2015-10-30
Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4

Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)
Fiddler sent to VT

Magnitude:
2015-11-10
Magnitude trying to exploit CVE-2015-7645
2015-11-10
Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo Hirvonen
No payload but the actor behind that thread would like to see you Cryptowalled. Update might come.

Spartan :
2015-11-12
Without surprise as Spartan is the work of the coder of Nuclear Pack.
Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as well

Spartan pushing Pony and Alphacrypt via CVE-2015-7645
2015-11-12

Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )
(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) 
Fiddler sent to VT

Neutrino:
Most probably appeared 2015-10-16
Necurs being dropped by Neutrino via CVE-2015-7645
2015-11-17
Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff
(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )
Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)

Read More :
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro

Post Publication Reading :
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

Security Weekly #438 – 10 Year Anniversary Part 2

Bug Bounty and Responsible Disclosure

We bring back Samy Kamkar "Samy's My Hero," and bring on special guests Casey Ellis from BugCrowd and Katie Moussouris from HackerOne. We talk about the tough ethical questions and the future of bug bounties in 5 years.

Interview with Ron Gula

We interview Ron Gula, one of the first interviews conducted on Security Weekly. Ron is a leading cybersecurity thinker, innovator, and visionary in the information security industry.

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Security Weekly #439 – Making The Most Of Threat Intelligence

Special Segment: Making The Most Of Threat Intelligence

This week, Paul and Mike discuss the current state of threat intelligence. In this segment, Paul and Mike dive deep in using threat intelligence properly.

Security News: Chip and Pin Hacked

This week in the news we learn about how chip and pin was hacked in France and are you fooled by fake online reviews? For a full list of stories including links, visit the wiki http://wiki.securityweekly.com/wiki/index.php/Episode439#Stories_of_the_Week_-_7:00PM-8:00PM.

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Hack Naked TV – October 23, 2015

Today Beau talks about MITM NTP, chip and pin vulnerabilities. and encrypting all the things by default.

For a full list of stories discussed today, visit our wiki: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_23_2015

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Hack Naked TV – October 20, 2015

Today Aaron talks about the E-Trade breach, China still hacking the US, CyberInsurance, and More.

Visit the wiki for a full list of stories: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_20_2015

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Security Weekly #438 – 10 Year Anniversary Part 3

Interview wth Peiter "Mudge" Zakto

Peiter C. Zatko, better known as Mudge, is a network security expert, open source programmer, writer, and a hacker. Peiter talks about his start in information security, rather him starting information security. Peiter talks about his early involvment in BGP and how to take down the internet.

Mobile Security and Privacy

We get Simple Nomad and David Schwartzberg to join us for a panel discussion on Mobile Security and Privacy. David Schwartzberg is a Sr. Security Engineer at MobileIron and Simple has been doing hacker and security-related things for over 30 years, wearing black, white, and gray hats at various points.

Hacker Jeopardy

Hacker Jeopardy includes popular topics such as famous hackers and decimal to binary conversions. Test your knowledge now!

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Security Weekly #438 – 10 Year Anniversary Part 1

Interview with Mikko Hypponen

To kick off our ten-year anniversary we interview Mikko Hypponen of F-Secure. We talk about the first virus discovered, reviewing printed viruses, and more.

Visit our wiki for list of important links including the one that got him banned from Twitter: http://wiki.securityweekly.com/wiki/index.php/Episode438#Guest_Interview:_Mikko_Hypp.C3.B6nen_10:05_AM

 

L0pht Heavy Industries Panel

L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. We learn about the history of the L0pht and the future.

 

 

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

A DoubleClick https open redirect used in some malvertising chain



In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.

The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox)  FoxIT in june,  Malwarebytes in September,  or Trendmicro 2 weeks ago.

As it's easier to have a name to share/talk  about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)

Earlier this year they were using https bit.ly,

2015-07-11 - bit.ly as https url shortener
tiny url

2015-07-11 - tiny url as https url shortener

or goo.gl url shortener



2015-06-12 - goo.gl as https url shorterner


 and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.eu

Two pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer
(how/why? same payload : Reactorbot  srvdexpress3 .com)
Different Legit part of the chain
2015-09-29
then 2 weeks ago mediacpm.com and wrontoldretter.eu )

https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).
Once discovered a way to Sig this is to flag the ssl certificate being used.

Those days they are using a DoubleClick https open redirect.

VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK
GB - 2015-10-15

Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .com

Doubleclick has been informed about the issue.

Post Publication Readings :
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - Proofpoint
Let’s Encrypt Now Being Abused By Malvertisers - 2016-01-06 - TrendMicro

Hack Naked TV – October 8, 2015

This week on Hack Naked TV, Aaron talks about breaches of LoopPay, Uber, and Dow-Jones.Visit our wiki for a complete list of articles and links covered in the show: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_13_2015Security Weekly Web Site: http://securityweekly.comHack Naked Gear: http://shop.securityweekly.comFollow us on Twitter: @securityweekly

Security Weekly #437 – Interview with Dafydd Stuttard

Interview with Dafydd Stuttard

This week, we interview Dafydd Stuttard the creator of Burp Suite and the author of the Web Application hacker's Handbook. We talk about the source of the name "Burp" and the future of webapp scanning.

 

Security News - Facebook Sex tapes and rooting the OnHub

This week in security news, we talk about Stagefright 2.0, how to root your very own Google OnHub, breaking SHA-1, and AWS WAF's.

For a full list of stories, vist our wiki: http://wiki.securityweekly.com/wiki/index.php/Episode437#Stories_of_the_Week_-_7:00PM-8:00PM

 

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

QOTD – Cyber Guardians

Cybersecurity professionals are the new guardians of big changes in the organization. Such professionals must practice business resiliency and adaptability, because they are now so integrated with digital business decisions that leaders cannot tell where business ends and cybersecurity begins. 
The digital explosion and the race to the edge have achieved what previous waves of technology evolution have failed to do — to integrate cybersecurity professionals and business leaders into effective teams for the protection and safety of the organization.
-- Christian Byrnes, Managing Vice President at Gartner

Src: Gartner Says Cybersecurity Professionals Are the New Guardians of Digital Change - Yahoo Finance

Security Weekly #436 – Password Cracking with Larry

Password Cracking With Larry

This week on Security Weekly, we are joined by none other than Larry Pesce. After his recent DerbyCon talk, Larry gives us some insight on his 600 dollar password cracking machine.

 

Security News

Today in the news, Kevin recaps the T-Mobile breach. Do we now let the fox watch the henhouse? Larry dives into a Nest (TM) of IoT (drink) devices. Paul tries to keep it together with a blog post on MS08-067.

For a full list of stories and links, visit the wiki: http://wiki.securityweekly.com/wiki/index.php/Episode436#Stories_of_the_Week_-_7:00PM-8:00PM

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly

Recruiter and SEO response templates

I’m normally sympathetic to technology recruiters, but some are just hopeless.  These, I have no sympathy for.  An the SEO spammers, no sympathy for any of them.  Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.

For the recruiters:

[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed.  As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.

I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers.  That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time.  Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.

The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:

I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm.  We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.

In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course.  If not, please remove this, and every other Security BSides affiliated email from your lists.

Yes, I can be a bit of an ass, but it is occasionally justified.

Jack

Hack Naked TV – October 1, 2015

Today Aaron talks about BitPay, OPM, Volkswagen, and new TrueCrypt Flaws. For a full list of stories, visit the wiki: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_October_1_2015#Aaron.27s_Stories

Security Weekly Web Site: http://securityweekly.com

Hack Naked Gear: http://shop.securityweekly.com

Follow us on Twitter: @securityweekly