Feed aggregator

Microsoft Warns Fraudulent Certificate Could Lead to MiTM Attacks

Threatpost for B2B - Tue, 03/17/2015 - 10:09
Microsoft has blacklisted a phony SSL certificate and is warning the certificate could be leveraged to stage man-in-the-middle attacks.

Stealthy, Persistent DLL Hijacking Works Against OS X

Threatpost for B2B - Tue, 03/17/2015 - 06:53
Researcher Patrick Wardle of Synack is expected this week at CanSecWest to unveil malicious dylib attacks against Apple’s Mac OS X.

Yeti still Crouching in the Forest

Secure List feed for B2B - Tue, 03/17/2015 - 03:53

Last July, we published details on Crouching Yeti (aka Energetic Bear), an advanced threat actor involved in several APT campaigns.

A quick summary:

  • Campaign status: Active
  • Discovery: January 2014
  • Targeted platforms: Windows
  • First known sample: 2010
  • Number of targets: 2,001-3,000
  • Top target countries: United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland, China
  • Propagation method: Social engineering, Exploit, Watering hole attack, Trojanized software installers
  • Purpose/functions: Data theft
  • Special features: Interest in OPC/SCADA. Trojanized software used to administer remote OPC servers as well as modules to scan networks for OPC servers.
  • Targets: Industrial/machinery, Manufacturing, Pharmaceutical, Construction, Education, Information technology
  • Artifacts: Russian-speaking authors

This post is an update about the operational status of the campaign described in the original "Crouching Yeti" report.

Since the beginning of the research, we've been monitoring some of the C2 servers used by the components involved in the attack – the Havex Trojan, the Sysmain Trojan and the ClientX backdoor. The following analysis is based on data gathered until March 04, 2015.

C2 and victims:

Overall, we successfully monitored 69 C2 servers (unique domains), receiving hits from 3699 victims (unique IDs of the Trojan/backdoor) connecting from 57796 different IP addresses. We gathered four additional C2s since the publication of the first report (65 in the last report).

Based on the graph below, the top five C2 servers share most of the unique victims:

Victims per C2

Although the trendline shows a decreasing number of hits on the C2s, there are still >1,000 unique victim connections per day. The top five C2s holding most of the victims coincide with the activity analyzed in the previous research and publication.

Another interesting figure is the number of hits by date which shows a decreasing trend:

The following figure shows the entire picture regarding Crouching Yeti victim country distribution, including all the malware (Havex, ClientX, Sysmain) reporting to the C2s on which we have visibility. The graph contains the total dataset (including the data for the previous report as well as the data gathered during this period) and covers all the unique IP addresses observed. Be aware that some unique IDs use several IP addresses, probably pertaining to infected computers used by travellers.
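The counting behind these figures (unique C2 domains, unique victim IDs, unique source IPs, victims per C2, hits per day, and IDs that beacon from several IPs) can be reproduced over sinkhole records. The following is an added example, not part of the Securelist post or Kaspersky's tooling; the beacon log format, the `.example` domains and the victim IDs are constructed placeholders, not indicators from the report.

```python
from collections import Counter, defaultdict

# Constructed sinkhole records: day, C2 domain, victim ID, source IP, family, version.
# Domains, IDs and addresses are invented placeholders (RFC 5737 test ranges).
BEACONS = """\
2015-02-20,c2-a.example,ID-0001,198.51.100.10,Havex,024
2015-02-20,c2-a.example,ID-0002,198.51.100.11,Havex,043
2015-02-20,c2-b.example,ID-0003,203.0.113.5,Sysmain,-
2015-02-21,c2-a.example,ID-0001,198.51.100.10,Havex,024
2015-02-21,c2-a.example,ID-0001,192.0.2.77,Havex,024
2015-02-21,c2-c.example,ID-0004,203.0.113.9,ClientX,-
2015-02-22,c2-b.example,ID-0003,203.0.113.5,Sysmain,-
2015-02-22,c2-a.example,ID-0002,198.51.100.11,Havex,043
"""

def parse_beacons(text):
    """Split CSV-like beacon lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        day, c2, vid, ip, family, version = parts
        records.append({"day": day, "c2": c2, "id": vid, "ip": ip,
                        "family": family, "version": version})
    return records

def victims_per_c2(records):
    """Unique victim IDs seen on each C2 (the 'victims per C2' view)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["c2"]].add(r["id"])
    return {c2: len(ids) for c2, ids in seen.items()}

def roaming_ids(records):
    """Victim IDs that beaconed from more than one IP (e.g. travelling hosts)."""
    ips = defaultdict(set)
    for r in records:
        ips[r["id"]].add(r["ip"])
    return {vid: sorted(s) for vid, s in ips.items() if len(s) > 1}

def hits_per_day(records):
    """Daily hit counts, sorted by ISO date, for the trend line."""
    return sorted(Counter(r["day"] for r in records).items())

def summary(records):
    """Headline figures: unique C2 domains, victim IDs and source IPs."""
    return {"c2s": len({r["c2"] for r in records}),
            "victims": len({r["id"] for r in records}),
            "ips": len({r["ip"] for r in records})}
```

Counting unique IDs rather than IPs is what keeps a roaming victim (ID-0001 above) from being counted twice in the victim total while still appearing in the IP total.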

This shows the big (and updated) picture regarding Crouching Yeti victims by country. Spain, Poland and Greece are in the Top 3. Japan and especially the United States have dropped significantly (fewer victims) since the last report, whereas Poland and Italy have moved up markedly (more victims reporting to the C2).

An additional representation of victim country distribution including the full dataset (all countries):

The most widely used Trojan on these C2 servers is Havex with 3375 unique victims. Sysmain counts 314 and ClientX 10 (as in last year's report). For Havex, version 024 is still the most widespread, followed by version 043. This is consistent with the trend observed in our last publication.

The following two graphs show the distribution of victims per malware type. For clarity, we divided the identified versions into two groups. The series named Report (blue) contains the data published in the first Crouching Yeti release, and the series named Update (red) contains the data analyzed in this period.

During this period, the first subset shows an increase for almost all the included versions except for Havex-038 and Havex-01D, which showed more activity in the first Crouching Yeti release. On the other hand, Havex-043 has the most significant increase during this period.

For the second subset, the picture looks pretty similar (a global increase) except for Havex-01D, which shows a decrease during this period.

Both before and after the public announcements about this actor, other researchers dug into it. The datasets have therefore been cleaned, but may still include a few research-related, non-victim systems.

The following graph shows the operating system distribution amongst Havex victims during this period:

Apart from the increase of the category "unknown", there are no substantial differences when comparing with the data analyzed in the first report:

In order to complement the data from the C2s, we extracted some stats for the most relevant Trojans used by the Crouching Yeti operators. Almost all of them show a residual impact during 2015. Nevertheless, we noticed some very specific peaks during this month, especially for the Trojan.Win32.Ddex verdict. This component is a simple downloader with functionality similar to the Havex component. All the detections are located within the Russian Federation.

In conclusion, the data analyzed during this period show us that Crouching Yeti's impact continues to increase in terms of infected victims reporting to the C2s, although internal data from KSN shows a different picture (a residual number of infections). In this update, we did not see relevant changes in the infrastructure or in the C2 activity.

Taking into account the nature of this threat actor and the operational status of the infrastructure, it is likely the operators already switched infrastructure, techniques and targets.

We will continue to track this threat actor and provide updates accordingly.

D-Link Patches Two Remotely Exploitable Bugs in Firmware

Threatpost for B2B - Mon, 03/16/2015 - 16:13
Router company D-Link has patched two separate vulnerabilities in its firmware that could be exploited remotely and lead to takeover and arbitrary code execution. Devices under the DCS-93xl umbrella, including the following IP camera models running a custom Linux distribution: DCS-930L, DCS-931L, DCS-932L, and DCS-933L, contain a hole that enabled remote authenticated attackers to upload their […]

Google Aware of Memory Leakage Issue in Android 5.1, Fix Forthcoming

Threatpost for B2B - Mon, 03/16/2015 - 13:27
Google is prepping a fix for Android users to address a meddlesome memory leakage issue that’s plagued some device users since the beginning of the year.

Facebook Transparency Report: US Data Requests Dip Slightly

Threatpost for B2B - Mon, 03/16/2015 - 12:59
Facebook's Transparency Report for the latter half of 2014 shows slightly fewer U.S. government requests for user data; the company also updates its Community Standards.

Yahoo Previews End-To-End Email Encryption Extension

Threatpost for B2B - Mon, 03/16/2015 - 09:37
Yahoo CISO Alex Stamos said a preview of the company’s end to end encryption extension has been released to GitHub for review.

Threatpost News Wrap, March 13, 2015

Threatpost for B2B - Fri, 03/13/2015 - 14:20
Dennis Fisher and Mike Mimoso discuss the new patch for the five-year-old LNK vulnerability used by Stuxnet, the new iOS patches and the other news of the week.

Mozilla Releases Open Source Masche Forensics Tool

Threatpost for B2B - Fri, 03/13/2015 - 11:11
Mozilla has released an open source memory forensics tool that some college students designed and built during the company’s recent Winter of Security event. The new tool, known as Masche, is designed specifically for investigating server memory and has the advantage of being able to scan running processes without causing any problems with the machine. […]

Google Apps ‘Defect’ Leaks Private WHOIS Data Of 280,000

Threatpost for B2B - Fri, 03/13/2015 - 09:54
A Google Apps bug leaked hidden WHOIS registrant information in the clear, putting close to 300,000 domain owners at risk for identity theft, phishing scams and more.

Adobe Patches 11 Critical Vulnerabilities in Flash Player

Threatpost for B2B - Thu, 03/12/2015 - 19:45
Adobe released an updated Flash Player with patches for 11 critical vulnerabilities, most of which lead to remote code execution.