Angler EK evades EMET; Malvertising - DoubleClick Ad Fraud; Password re-use...
FYI...
Angler EK now evades EMET on Win7 ...
- https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
June 06, 2016 - "We recently encountered some exploits from Angler Exploit Kit (EK) that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex multi-layered code obfuscation and leverages multiple exploits...
Conclusion: The level of sophistication in exploit kits has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode.
Remediation guidance: Although there are no quick solutions for the DEP, EAF, and EAF+ evasion techniques, organizations can mitigate this threat through a robust vulnerability management program for end user systems, which includes the installation of security updates for third party software. Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible. Because the web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface."
- http://arstechnica.com/security/201...ransomware-now-able-to-bypass-microsoft-emet/
Jun 6, 2016 - "... there's nothing stopping Angler from using the EMET evasions to install other malicious applications..."
___
Malvertising - DoubleClick Ad Fraud
- https://blog.malwarebytes.org/cyber...ising-campaign-leads-to-doubleclick-ad-fraud/
June 6, 2016 - "Malvertising isn’t only used to infect users via drive-by downloads or to deceitfully push fake-software-updates. A campaign currently going on via the -TrafficHolder- adult ad platform leverages the promise of raunchy videos to lure people into ad fraud. The trick is simple and yet effective. While browsing, users are automatically redirected to what appears to be YouTube for adult content. The page looks completely normal, except for the fact that it is a giant image slapped across an actual ‘normal’ WordPress website. To the naked eye the large JPEG or GIF looks legit, and curious visitors may be tempted to push the Play button to watch the saucy movie. Rather than playing any content, this click is used to launch a real and paid advert via Google’s DoubleClick. This technique, referred to as ‘clickjacking’, is very popular and can take different forms while the end goal remains to generate legitimate-looking clicks on adverts:
> https://blog.malwarebytes.org/wp-content/uploads/2016/06/Flow__.png
The crooks are using hundreds of what appear to be -bogus- (insurance, loans and other scams) WordPress sites to carry out this fraudulent scheme. A simple layer is added on top of the page to give this optical illusion. JavaScript code is able to track mouse movements and knows if the user has actually clicked on the advert... The fake adult image (which covers the whole page) is dynamically generated on the fly and a new one is retrieved randomly from a remote server (5.39.99.215)... that image will disappear after a few seconds of inactivity to reveal the actual underlying WordPress site. The majority of the sites we found were highly suspicious and most likely used for hosting various other spammy content. When users click to play the -bogus- video, their action triggers the ad fraud component of this scam by abusing Google’s DoubleClick... In this particular malvertising instance, users are not put at risk with malicious code, they are simply being duped so that the crooks behind this can generate ad money for each click. However, we have also observed redirections to exploit kits via the same ad platform (TrafficHolder) so you should be extra vigilant and use a proactive line of defence such as exploit protection to avoid getting infected. We have reported this ad fraud to Google and will keep monitoring the situation as one can expect those rogue actors to come up with a different plan to monetize low quality traffic."
5.39.99.215: https://www.virustotal.com/en/ip-address/5.39.99.215/information/
___
Password Re-user? Get Ready to Get Busy
- http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
June 6, 2016 - "In the wake of megabreaches at some of the Internet’s most-recognized destinations, don’t be surprised if you receive password-reset-requests from numerous companies that didn’t experience a breach:
Some big name companies — including Facebook and Netflix — are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at LinkedIn, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half -billion- usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services:
>> http://krebsonsecurity.com/wp-content/uploads/2016/06/netflixnotice-580x1031.png
... Netflix is taking this step because it knows from experience that -cybercriminals-will- be using the credentials leaked from Tumblr, MySpace and LinkedIn to see if they work on a variety of third-party sites (including Netflix)... Facebook* also has been known to mine-data-leaked in major external password breaches for any signs that users are re-using their passwords at the hacked entity."
* http://krebsonsecurity.com/2013/11/facebook-warns-users-after-adobe-breach/
:fear::fear:
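The leak-matching step Krebs describes above (a service combing a dump for its own customers' credentials and force-resetting the accounts that verify) as an added Python example. This is not code from Krebs, Netflix or Facebook; the storage scheme (salted PBKDF2-HMAC-SHA256), the user table and the dump lines are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Added example: match a leaked credential dump against a service's own
# user table and list the accounts that must be force-reset. Not code from
# Krebs, Netflix or Facebook; the storage scheme (salted PBKDF2-HMAC-SHA256)
# and all data below are constructed for this illustration.

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; the same KDF the service uses at login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def normalize_email(email: str) -> str:
    """Dumps are inconsistent about case and whitespace; the user table is not."""
    return email.strip().lower()


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": normalize_email(email), "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table keyed by normalized e-mail (not real accounts).
USERS = {
    u["email"]: u
    for u in (
        make_user("alice@example.com", "hunter2"),             # reuses her leaked password
        make_user("bob@example.com", "correct horse staple"),  # unique password
        make_user("carol@example.com", "p@ss:word:2016"),      # reused, and contains ':'
    )
}

# Constructed dump lines in the common "email:password" layout. Passwords may
# themselves contain ':', so only the first separator is significant.
LEAK_LINES = """\
Alice@Example.com:hunter2
bob@example.com:letmein
carol@example.com:p@ss:word:2016
nobody@example.net:qwerty
malformed-line-without-separator
"""


def parse_leak_line(line: str):
    """Return (normalized email, password) or None for lines that do not fit the layout."""
    line = line.rstrip("\n")
    if ":" not in line:
        return None
    email, password = line.split(":", 1)
    if not email or "@" not in email:
        return None
    return normalize_email(email), password


def find_reused_credentials(users: dict, leak_text: str) -> list:
    """E-mails of customers whose leaked password verifies against the stored hash.

    Only plaintext (or already cracked) dump entries can be checked this way:
    an unsalted SHA-1 from another site cannot be compared to our salted hash
    without first recovering the plaintext.
    """
    flagged = set()
    for line in leak_text.splitlines():
        parsed = parse_leak_line(line)
        if parsed is None:
            continue
        email, leaked_password = parsed
        user = users.get(email)
        if user is None:
            continue  # not our customer; nothing to do
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.add(email)
    return sorted(flagged)


if __name__ == "__main__":
    for email in find_reused_credentials(USERS, LEAK_LINES):
        print(f"force password reset: {email}")
```

The dictionary lookup on e-mail comes before the KDF on purpose: with a half-billion leaked rows, running a slow password hash for every line is the expensive part, so only rows belonging to an actual customer get hashed. The dump itself should be handled as hostile, sensitive input (processed in isolation, never copied into the production user store) and the matched accounts handed to the normal forced-reset path rather than acted on inside this loop.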