This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks are tracking at this time.
Threat intelligence requires information, attention, and context. We’ve got information aplenty. Each month there are hundreds of bugfixes and vulnerabilities discovered across all platforms and the associated flaming car-crashes that are the now-weekly Big Breaches. What to pay attention to? It’s a good question for an organization’s security team. The easy answer that everyone wants to hear is “everything.” Pay attention to everything! But that “everything” has to be contextualized so that we can actually pay attention to the right stuff. And once put into context, “everything” is a lot less daunting, and more useful.
Our Sherlocks pay attention. We learn what an organization needs to care about and then care about it like it’s our own. Here are a few of the things we’re caring about this month.
SFX file “Vulnerability” in WinRAR
WHAT: A somewhat contentions vulnerability was discovered in WinRAR this month that has prompted us to examine SFX files entering the network. The “vulnerability” is a particular feature which allows an SFX created with specially crafted HTML to download and run arbitrary code on execution.
WHY: As a WinRAR developer noted: executable files are dangerous, so you should only open them if you trust them. However, SFX files in particular are usually not on a security team’s radar in favor of more common vectors. We’re concerned that the features of this file type may make it more attractive for attackers as a vector instead of .exe, .bat, or .vbs which are largely known and possibly blocked via e-mail filters or file-type filtering at the perimeter.
WordPress Platform: Still Highly Vulnerable
WHAT: WordPress is the most popular content management platform on the Internet. Popular products mean the biggest returns for malware writers and this last month saw an even larger raft of vulnerabilities in many WordPress extensions to watch out for.
WHY: Lack of patching is one of the most fundamental issues we see in security analysis. This problem gets compounded when non-IT people begin taking on a “quasi” IT roles, such as administering a WordPress site. Furthermore, third-party hosted sites may not be within organizational IT’s direct purview, but the services they run, and the breach of those services, still impacts the business. We’ve paid close attention to WordPress this last year, and frequently advise on the stream of needed updates.
WHAT: September saw an increase in a trend we’ve followed for a while: malware injection via prominent ad networks. MSN, Google, Yahoo, and many more saw an increase in cheap ads purchased and used for drive-by malware injection in otherwise perfectly innocent browsing traffic.
WHY: A common argument against properly securing endpoints, from a policy-perspective, is that an organization trusts its users. However, it is unfortunate that trustworthy users can fall prey to attacks by doing completely acceptable web-browsing. We analyze a lot of web traffic in our hunts, and we’ve been paying more and more attention to ad-traffic because of its attractiveness to attackers. Ads can be purchased inexpensively and malware cast in an indiscriminant net.
Sometimes, and more lately, these are used to…
Botnet Trends: DDoS
WHAT: Since DDoS-as-a-Service sprang up we’ve seen a sharp uptick in exploit kit payloads that join infected machines to these services, even if they’re mobile devices!
WHY: It’s bad enough to have to deal with an infected endpoint. It provides a malicious party a gateway into your network and potential access to critical information. And then the malicious party has a party—stealing your stuff. Now they’re using it to make even more money by adding to the strength of DDoS services that they resell, which means infected endpoints take part in even more malicious activity. Traffic anomalies can indicate what may not ring IPS/AV bells here, especially high packet counts for low bandwidth usage.
This month’s Threat Intelligence gathering was incredibly varied: like choosing favorite children it was hard to pick only a few. Still, we hope these highlights for the last month have been useful to you. We welcome any conversation on these topics in the comments below!
Check back next month for our November Sherlock report.