The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Wednesday, 8 June 2016
Facebook Security Loophole Could Have Allowed Hackers to Edit Messages
From The Media
Facebook’s Messenger app was recently reported to contain a vulnerability that allowed an attacker to modify chat history, including adding or changing links in an existing conversation. A link inserted or altered to point at a malicious resource could lead a victim to download malware or to connect to an attacker’s command and control server. Facebook has released a patch addressing this vulnerability.
Read the Story: The Sydney Morning Herald
Analyst Comment
Although malicious actors could have exploited this vulnerability to inject malicious links into historical Facebook conversations, we have not observed any indication that it was exploited in the wild before Facebook’s prompt patching of the issue. We therefore assess that it poses little to no ongoing threat to Facebook users.
Related iSIGHT Partners Reports
16-00005706 (Threats Against Social Media Platforms and Users), 27 April 2016
15-00004372 (Recent Facebook Cross-Site Request Forgery Vulnerability CVE-2014-9720), 3 May 2016
Windows BITS Service Used to Reinfect Computers with Malware
From The Media
Malware operators are abusing Background Intelligent Transfer Service (BITS), a built-in Windows component, to set up recurring download jobs that fetch and automatically reinstall malware. In a recently observed case involving a DNSChanger variant detected as “Zlob.Q,” the actors used BITS to reinstall the malware on a machine from which it had previously been detected and deleted. Because BITS is a trusted Windows service, the antivirus client did not flag the ongoing download activity. BITS is designed to transfer files between a client and a server in the background, its jobs persist across reboots, and it can run a specified command when a transfer completes; this is the mechanism legitimate updaters rely on, and it can download and launch Windows Update packages as well as updates for other software.
Read the Story: Softpedia
Analyst Comment
In August 2015, FireEye iSIGHT Intelligence observed the “Fearless” Trojan using BITS to transfer files; however, we have not specifically observed BITS being abused for the re-infection purpose described in recent media reports about Zlob.Q. By default, BITS discards a job only after 90 days of inactivity, so if a job is near that limit when the malware is detected and deleted, the malware may not be reinstalled through it. Actors can nonetheless rely on the jobs that remain intact for several months, which allows the malware to be redeployed even after antivirus programs have detected and deleted it.
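A hunting check for the persistence technique described above, added here as an example and not part of the original roundup or of any iSIGHT tooling. It enumerates every user’s BITS jobs through the BitsTransfer module and flags the three traits a re-infection job tends to show: a command line registered to run when the download finishes, a remote source outside an expected set of hosts, and a job that has been sitting on the machine far longer than a normal update would. The host allowlist, the age threshold and the user-writable path pattern are assumptions for this example and should be tuned to the environment; the job properties used (NotifyCmdLine, FileList, CreationTime, OwnerAccount) are those exposed on the module’s BitsJob objects.

```powershell
# Added example (not from the original roundup): hunt for BITS jobs that look like
# the re-infection mechanism described above. Run in an elevated PowerShell
# session; Get-BitsTransfer -AllUsers requires administrative rights.
# The allowlist, age threshold and path pattern below are assumptions for this example.
Import-Module BitsTransfer

function Find-SuspiciousBitsJob {
    param(
        # Remote hosts expected to feed BITS downloads on this estate (assumed list).
        [string[]] $AllowedHostSuffixes = @('microsoft.com', 'windowsupdate.com', 'windows.com'),
        # Flag jobs older than this. A job left registered for weeks is exactly what
        # outlives an antivirus cleanup; BITS only drops a job after 90 days of inactivity.
        [int] $MaxAgeDays = 7
    )

    $now = Get-Date
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # 1. A notification command line is the "autorun" hook: BITS runs it when the
        #    transfer completes, so the downloaded payload executes without a scheduled task.
        $notify = ($job.NotifyCmdLine -join ' ')
        if (-not [string]::IsNullOrWhiteSpace($notify)) {
            $reasons += "NotifyCmdLine set: $notify"
        }

        # 2. Remote sources outside the allowlist, and payloads dropped into user-writable paths.
        foreach ($file in $job.FileList) {
            $uri = $null
            if ([Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
                $allowed = $AllowedHostSuffixes |
                    Where-Object { $uri.Host -eq $_ -or $uri.Host.EndsWith(".$_") }
                if (-not $allowed) { $reasons += "Unlisted source: $($file.RemoteName)" }
            }
            if ($file.LocalName -match '\\(Temp|AppData|ProgramData|Public)\\') {
                $reasons += "Drops into: $($file.LocalName)"
            }
        }

        # 3. Old jobs that are still registered.
        $ageDays = ($now - $job.CreationTime).TotalDays
        if ($ageDays -gt $MaxAgeDays) { $reasons += ('Job age {0:N0} days' -f $ageDays) }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Review the hits, then remove a confirmed malicious job by its ID:
#   Find-SuspiciousBitsJob | Format-Table -AutoSize
#   Get-BitsTransfer -AllUsers | Where-Object { $_.JobId -eq '<guid>' } | Remove-BitsTransfer
```

Removing the job with Remove-BitsTransfer cancels the transfer and deletes any partially downloaded files, which is the step an antivirus deletion of the dropped executable alone does not perform. On hosts where the module is unavailable, `bitsadmin /list /allusers /verbose` lists the same jobs, and the Microsoft-Windows-Bits-Client/Operational event log records job creation (event ID 3) and each transfer start and stop (event IDs 59 and 60), which gives a retrospective view of a job that has already fired.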
Related iSIGHT Partners Reports
16-00001528 (Andromeda Version 2.10 Functionality, Development and Growth in Underground Markets), 23 Feb. 2016
16-00002908 (Qakbot: Malware Behavior, Capabilities and Communications), 28 March 2016
14-00000132 (Vawtrak: Behavior, Capabilities and Communications), 28 March 2016
Enterprises Failing to Prioritize, Remediate Application Vulnerabilities Promptly
From The Media
According to WhiteHat Security’s eleventh annual Web Applications Security Statistics Report, the majority of web applications carry an average of two or more serious vulnerabilities. Additionally, among the vulnerabilities that do get remediated, fixing all identified vulnerabilities in an application takes an average of 150 days, and critical vulnerabilities are not remediated any faster than those with lower severity ratings.
Read the Story: DARKReading
Analyst Comment
Failure to treat vulnerability prioritization, testing and patching as an efficient and valued process widens the window in which adversaries can identify and exploit vulnerable systems. We regularly observe adversaries exploiting known vulnerabilities because they are cheap to acquire compared with developing zero-days, and because organizations and individuals that are slow to apply updates remain viable targets until patches are adopted.
Related iSIGHT Partners Reports
16-00008340 (May 2016 Month in Vulnerabilities), 7 June 2016
16-00008802 (Weekly Vulnerability Exploitation Report – June 6, 2016), 6 June 2016
Massive DDoS Attacks Reach Record Levels as Botnets Make Them Cheaper to Launch
From The Media
Akamai reports that 19 distributed denial-of-service (DDoS) attacks exceeded 100 Gbps during the first quarter of 2016, a significant increase over the five observed in the previous quarter. Of note, most of these attacks were launched by for-hire “booter” services, which previously rarely produced attacks exceeding 100 Gbps.
Read the Story: PC World
Analyst Comment
In recent months, we have observed several DDoS contract services advertising attack capacities of up to 100 Gbps, including the for-hire service dubbed “Richys Stresser” and the Shenron DDoS service advertised by the hacktivist group Lizard Squad. Over the past year there has been a significant escalation in DDoS attacks, likely driven by the growing accessibility of DDoS tools and for-hire services and by high-profile DDoS attacks that have popularized this vector among malicious actors.
Related iSIGHT Partners Reports
16-00008192 (Data Obtained from ‘Webstresser.co’ Provides Insight into Attack Vectors; Service Typifies Contract DDoS Threat Landscape), 31 May 2016
16-00008344 (Gafgyt Botnet Possibly Leveraging DDoS Stresser Service to Conduct Attacks), 3 June 2016
16-00002384 (Lizard Squad Promotes and Releases Upgraded Shenron DDoS Service), 28 February 2016
The post ThreatScape Media Highlights Update – Week Of June 8th appeared first on iSIGHT Partners.