How To Defend Against Advanced IE Exploitation

In February, Microsoft awarded $100,000 to Yu Yang (@Tombkeeper) for reporting a new mitigation bypass technique as part of Microsoft's Bounty Program. Yu later presented his research at CanSecWest in March. In his slides he mentioned that a "god mode" of Internet Explorer could be turned on by a one-byte overwrite. However, he had to heavily redact this information because of an agreement between himself and Microsoft.

After his slides were released, researchers began working out what the redacted parts were, and before long Yuki Chen (@guhe120), a Chinese researcher, posted his answer. Although the code was removed soon after posting, a copy survived and was incorporated into Metasploit. Following this code, another researcher posted a VBScript version using more advanced techniques. Yu Yang then pasted his own shellcode, which used similar methods to run arbitrary code, confirming that the method Yuki Chen used is exactly the one that won Yu the $100,000 award.

The core of the new technique is to alter a flag that controls the security setting applied to ActiveX objects. Once an attacker has flipped it, script can do anything the ActiveX machinery allows, such as downloading and executing a PE file, without any notification or prompt. Further details were discussed in depth last month on Rapid7's blog. The most notable aspect of this method is that it bypasses every existing mitigation, including DEP, ASLR and EMET, and also defeats academic defenses such as Control Flow Integrity (CFI). The reason is that it never hijacks control flow: it only corrupts one data value, so every instruction that runs afterward is legitimate code following a legitimate path, and control-flow checks have nothing to detect. That raises another question: if no mitigation function helps, do we have any other way to defend against attacks of this kind?


How Well Do You Understand Your Cyber Adversary? – Part 3


This is the third and final installment of my blog series differentiating the various kinds of cyber adversaries who are looking to gain access to enterprise and government networks. Follow these links to get to Part 1 and Part 2.

The Latest Kuluoz Spam Campaign Kicks Off

At 06:47 PST on May 20, Palo Alto Networks WildFire detected the start of the latest Kuluoz spam campaign. The number of e-mails detected quickly rose to over 30,000 per hour around noon PST and had not begun to slow down as of 1:30 PM PST.


Kuluoz is a descendant of the Asprox malware and spreads by sending copies of itself as an e-mail attachment. As the malware infects more systems, those systems send more e-mails, which leads to more infections. Kuluoz makes money for its owner by installing other malware, such as crimeware or fake antivirus programs.


How Well Do You Understand Your Cyber Adversary? – Part 2


In my previous post, I wrote of my distaste for how loosely the cybersecurity community uses terms like cyber terrorism and cyber crime. There are different motivations driving those who would try to gain unauthorized entry into a corporate network. So let's take a look at who they are and what drives them to do what they do.

How Well Do You Understand Your Cyber Adversary? - Part 1


This is a pet peeve of mine, but when I hear somebody from the cybersecurity community refer to a web-defacement as cyber warfare, my soul dies a little. Really? A hacktivist converts the corporate logo on a company web site into a Guy Fawkes mask and it's cyber warfare? Hardly.

A criminal steals customer credit card data from a retail database and we call that cyber terrorism? Not likely. A cyber spy steals a collection of intellectual property secrets and we call that a cyber crime? Yes, but while it's a criminal offense to break into a corporate network, good luck prosecuting a nation state that wants your secrets.

Funtasy Trojan Targets Spanish Android Users with Sneaky SMS Charges

Summary

  • A new Android Trojan, named Funtasy, began targeting Spanish Android users in mid-April.
  • Users have downloaded 18 different variants of Funtasy between 13,500 and 67,000 times from the Google Play store.
  • Funtasy currently targets users of multiple Spanish mobile networks, and one Australian mobile network.
  • Funtasy subscribes victims' phones to premium SMS services that cost up to 30 euros per month, while hiding the evidence of the subscription.

Let the Funtasy Begin


A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks

Summary

  • The exploit code used in the recent CVE-2014-1776 attacks shares many characteristics with the code that exploited CVE-2014-0322 and CVE-2013-3163.
  • The shared techniques, variable names and code structure suggest these exploits have a common author or template.
  • Palo Alto Networks customers are protected from exploitation of CVE-2014-1776 with content release 433-2194.

Late last month, reports surfaced that a new Internet Explorer vulnerability (CVE-2014-1776) was being exploited in targeted attacks. The vulnerability allows an attacker to run code on the system after a user merely views a malicious web page in the browser. According to Microsoft, it affects Internet Explorer versions 6 through 11, meaning that almost all IE users are exposed to this bug. The vulnerability is so widespread that Microsoft has released patches for Windows XP, for which it ended support on April 8, 2014.
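The comparison the summary above describes (shared variable names, shared code structure) can be approximated mechanically. The following Python is an added example, not code from the original post or from Palo Alto Networks, and the three snippets inside it are constructed stand-ins rather than the real CVE-2014-1776, CVE-2014-0322 or CVE-2013-3163 exploits. It scores each pair of samples on two independent signals: the overlap of author-chosen identifiers, and the overlap of token-kind n-grams (the code's shape with names and constants stripped). A pair that scores high on both is a candidate for a shared author or template; a pair that scores high only on structure may just share a common idiom such as a heap-spray loop.

```python
import re
from itertools import combinations

# Constructed stand-ins for three exploit samples. They are deliberately tiny and
# are NOT real exploit code; they exist only to show how the comparison behaves.
SAMPLES = {
    "sample_A": """
        var heap = new Array();
        for (var i = 0; i < 0x400; i++) { heap[i] = new ArrayBuffer(0x1000); }
        function trigger(obj) { obj.length = 0x7fffffff; return obj; }
    """,
    # Same template as sample_A with only the constants changed.
    "sample_B": """
        var heap = new Array();
        for (var i = 0; i < 0x800; i++) { heap[i] = new ArrayBuffer(0x2000); }
        function trigger(obj) { obj.length = 0x3fffffff; return obj; }
    """,
    # Unrelated page script: different names and a different structure.
    "sample_C": """
        document.write("<div id='x'></div>");
        var el = document.getElementById("x");
        if (el) { el.innerHTML = "hello"; } else { alert("missing"); }
    """,
}

JS_KEYWORDS = {"var", "function", "for", "if", "else", "return", "new",
               "while", "try", "catch", "this", "null", "true", "false"}

TOKEN_RE = re.compile(r'''
      (?P<STR>"[^"\n]*"|'[^'\n]*')          # string literal
    | (?P<NUM>0[xX][0-9a-fA-F]+|\d+)          # hex or decimal number
    | (?P<ID>[A-Za-z_$][A-Za-z0-9_$]*)        # identifier or keyword
    | (?P<OP>[^\s\w$])                        # any single punctuation char
''', re.VERBOSE)


def tokenize(src):
    """Return (kind, text) pairs; identifiers that are keywords get kind KW."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)  # drop comments
    tokens = []
    for m in TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind == "ID" and text in JS_KEYWORDS:
            kind = "KW"
        tokens.append((kind, text))
    return tokens


def identifiers(src):
    """Names chosen by the author: variables, functions, properties (keywords excluded)."""
    return {text for kind, text in tokenize(src) if kind == "ID"}


def structure_shingles(src, n=4):
    """Code shape independent of names and constants: n-grams over token kinds."""
    kinds = [kind for kind, _ in tokenize(src)]
    return {tuple(kinds[i:i + n]) for i in range(len(kinds) - n + 1)}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def compare(src1, src2):
    """Two independent similarity signals for one pair of samples."""
    return {
        "identifier_overlap": jaccard(identifiers(src1), identifiers(src2)),
        "structure_overlap": jaccard(structure_shingles(src1), structure_shingles(src2)),
    }


def rank_pairs(samples):
    """All sample pairs, most similar first; score is the mean of both signals."""
    ranked = []
    for (name1, src1), (name2, src2) in combinations(samples.items(), 2):
        sim = compare(src1, src2)
        score = (sim["identifier_overlap"] + sim["structure_overlap"]) / 2
        ranked.append((name1, name2, round(score, 3), sim))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for name1, name2, score, sim in rank_pairs(SAMPLES):
        print(f"{name1} vs {name2}: score={score} "
              f"names={sim['identifier_overlap']:.2f} "
              f"structure={sim['structure_overlap']:.2f}")
```

On real samples, run this only after deobfuscation and normalization; otherwise a packer's own variable names dominate the identifier signal, and identifiers common to any page script (document, window, length) should be weighted down or dropped so they do not inflate the overlap between unrelated samples.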


Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776

Summary

  • Critical vulnerability (CVE-2014-1776) identified in Internet Explorer, with active attacks observed in the wild
  • The vulnerability affects multiple versions of Internet Explorer, including those on Windows XP-based systems, which no longer receive security updates from Microsoft
  • Palo Alto Networks Threat Prevention customers are protected from exploitation of the vulnerability
  • Cyvera endpoint solution specializes in preventing the type of exploitation behavior used in this attack

On Saturday, Microsoft disclosed a critical vulnerability in Internet Explorer, CVE-2014-1776, affecting Internet Explorer versions 6 through 11. The vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated, that is, a use-after-free. It allows an attacker to execute arbitrary code in the context of the current user within Internet Explorer. It could be exploited through drive-by downloads or watering-hole attacks, and has been observed being used in attacks in the wild.

Cardbuyer: New Smart Android Trojan Defeats Multi-factor Verification and Steals Prepaid Game Cards

On April 21st our WildFire analysis cloud detected a new Android Trojan, which currently has no detections on VirusTotal and uses a new combination of tactics to make money for its author. Based on the state of the code and its limited distribution, we believe we may have caught this malware during a testing phase, before the attacker released it into the wild through an app store or other means. We have named the Trojan Cardbuyer because of the way it converts an infection into cash for the author.

Cardbuyer is considerably "smarter" than any Android malware family we have seen to date. Specifically, it can solve CAPTCHA challenges, emulate a user's behavior, parse the content of SMS messages from different vendors, and then automatically reply with the appropriate confirmation message. Code analysis shows that it can defeat the multi-factor verification procedures of many popular game platforms and online payment systems, and impersonate the smartphone user when making a purchase.


8 Tips For Dealing With Heartbleed Right Now

This has been a fun week. We have not had a significant cyber event like this – something that affects just about everybody on the Internet -- since the Kaminsky DNS vulnerability of 2008. Everybody I know has been scrambling to understand what it means to their organization, to their business and to their immediate family. Yes, I said family. I am sure I am not the only one who has answered a question or two from his mother-in-law about how the Internet is melting down based on what she’s been reading in the press.

There's a lot out there already about what Heartbleed means for the Web and beyond, and I'll point you to our own analysis written by Scott Simkin or an essay by Dan Goodin over at Ars Technica for that explanation. Instead, here are eight things I am doing right now to protect Palo Alto Networks and my home (and mother-in-law), and that you should be doing, too:
