Search This Blog

Showing posts with label Exploits. Show all posts

A New Security Vulnerability Discovered in Bluetooth technology

Two teams of security researchers have discovered a new vulnerability in Bluetooth technology that has been confirmed by The Bluetooth Special Interest Group (SIG), the bloc responsible for Bluetooth interests. The flaw could potentially allow a hacker to take complete control of a user’s Bluetooth enabled device without authorization.

Bluetooth is a short-range, low powered, high-speed open wireless technology that uses the Internet of Things (IoT) for transmitting fixed and mobile electronic device data. Bluetooth replaces the cables that people conventionally used to connect devices, with an added purpose of keeping the communications secure. However, with convenience and productivity, Bluetooth also presents major security threats.

Devices using the Bluetooth standard 4.0 through 5.0 are vulnerable to a flaw called ‘BLURtooth’ in Cross-Transport Key Derivation (CTKD) - it allows an attacker to manipulate the CTKD component and overwrite authentication keys on the victim’s device. The Bluetooth 5.1 standard released by the Bluetooth SIG in January 2019 contains features that provide security against BLURtooth attacks.

Earlier this year, in May, academics from Italy and Germany identified yet another new type of attack ‘Spectra’, it was reported to break the separation between Wi-Fi and Bluetooth running on the same device. While relying upon the fact that transmissions happen in the same spectrum, the attack works against "combo chips".

In a blog post published on their website, the company told that for CTKD attack to be successful “an attacking device would need to be within wireless range of a vulnerable Bluetooth device supporting both BR/EDR and LE transports that supports CTKD between the transports and permits pairing on either the BR/EDR or LE transport either with no authentication (e.g. JustWorks) or no user-controlled access restrictions on the availability of pairing. If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur. This may permit a Man In The Middle (MITM) attack between devices previously bonded using authenticated pairing when those peer devices are both vulnerable.”

“The Bluetooth SIG is also broadly communicating details on this vulnerability and its remedies to our member companies and is encouraging them to rapidly integrate any necessary patches. As always, Bluetooth users should ensure they have installed the latest recommended updates from device and operating system manufacturers,” the blog further read.

New Network Protocols Abused To Launch Large-Scale Distributed Denial of Service (DDoS) Attacks

The Federal Bureau of Investigation issued an alert just the previous week cautioning about the discovery of new network protocols that have been exploited to launch large-scale distributed denial of service (DDoS) attacks. 

The alert records three network protocols and a web application as newfound DDoS attack vectors.  

The list incorporates CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. 

Three of the four (CoAP, WS-DD, ARMS) have just been exploited in reality to launch monstrous DDoS attacks, the FBI said dependent on ZDNet's previous reporting. 


In December 2018, cyber actors began exploiting the multicast and command transmission features of the Constrained Application Protocol (CoAP) to lead DDoS reflection and amplification assaults, bringing about an enhancement factor of 34, as indicated by open-source reporting. 


In May and August 2019, cyber actors abused the Web Services Dynamic Discovery (WS-DD) convention to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits for every second (Gbps), in two separate influxes of attack, as indicated by open-source reporting. 


In October 2019, cyber actors abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to lead DDoS amplification attacks, according to open-source reporting. 


In February 2020, UK security researchers identified a vulnerability in the inherent network discovery protocols of Jenkins servers-free, open-source, automation workers used to help the software development process that cyber actors could exploit to conduct DDoS amplification attacks - as indicated by open-source reporting. 

FBI officials believe that these new DDoS threats will keep on being exploited further to cause downtime and damages for the 'foreseeable future'. 

The reason for the alert is to warn US companies about the 'imminent danger', so they can put resources into DDoS mitigation systems and create partnerships with their internet service providers to quickly respond to any attacks utilizing these new vectors. 

As of now, these four new DDoS attack vectors have been utilized inconsistently, however, industry specialists anticipate that them to become widely abused by DDoS-for-hire services.

Attackers Exploit Two Vulnerabilities in SaltStack to Publish Arbitrary Control Messages and Much More

CISA has sent warnings to the users regarding two critical vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework that has been actively exploited by cybercriminals, leaving around thousands of cloud servers across the globe exposed to the threat.

The vulnerabilities that are easy to exploit are of high-severity and researchers have labeled them as particularly 'dangerous'. It allows attackers to execute code remotely with root privileges on Salt master repositories to carry out a number of commands.

Salt is employed for the configuration, management, and monitoring of servers in cloud environments and data centers. It provides the power of automation as it scans IT systems to find vulnerabilities and then brings automation workflows to remediate them. It gathers real-time data about the state of all the aspects and it employs effective machine learning and industry expertise to examine threats more precisely. In a way, it is used to check installed package versions on all IT systems, look out for vulnerabilities, and then remediate them by installing fixes.

The two vulnerabilities, the first one called CVE-2020-11651 is an authentication bypass flaw and the other one CVE-2020-11652 is a directory transversal flaw, as per the discovery made by F-Secure researchers. The attackers can bypass all authentication and authorization controls by exploiting the vulnerabilities that would allow them to easily connect to the request server. Once the authentication is bypassed, attackers can post arbitrary control messages and make changes in the master server file system. All Salt versions prior to 2019.2.4 and 3000.2 are affected by the vulnerabilities.

Xen Orchestra, an effective all in one user-friendly web-based management service became the latest victim of cybercriminals involved in the exploitation of the two high-severity vulnerabilities in Salt. The attackers ran a cryptominer on the firm's virtual machines (VMs), it has been noticed by the company on the 3rd of May as various services on their infrastructure became inaccessible.

While commenting on the matter, Olivier Lambert, Xen Orchestra's founder, said, “A coin mining script ran on some of our VMs, and we were lucky nothing bad happened to us – no RPMs affected and no evidence that private customer data, passwords or other information have been compromised. GPG signing keys were not on any affected VMs. We don’t store any credit card information nor plain text credentials. Lesson learned...”

“In short, we were caught in a storm affecting a lot of people. We all have something in common: we underestimated the risk of having the Salt master accessible from outside,” he added. “Luckily, the initial attack payload was really dumb and not dangerous. We are aware it might have been far more dangerous and we take it seriously as a big warning. The malware world is evolving really fast: having an auto-update for our management software wasn’t enough."

“If you are running SaltStack in your own infrastructure, please be very careful. Newer payloads could be far more dangerous,” warned Lambert.

NordVPN agrees to 'private' server infringement

NordVPN, a VPN provider has affirmed an intrusion on one of its servers in Finland, although the damage done was nothing serious. There were no dubious records on the server. “We don't trace, retrieve or distribute users' data. It is almost impossible for the attacker to obtain usernames and identifications and also, the hacker couldn't decipher the VPN traffic to different servers,” says the company.

"The only probable way to exploit website traffic was by doing an individual and complex MiTM breach to prevent a private connection that attempted to locate," commented the company on its website. The attack happened in March 2018, when an unapproved user located the NordVPN server in Finland. They used an "unsafe remote administration system" that the data hub provider had forgotten.  The company didn't know of any such system. The server misused was attached to NordVPN's server record on January 31.

The service provider caught the violation and dismissed the account on 20th March without notifying the network provider NordVPN. The company discovered the attack several months back and immediately discontinued its engagement with the data center provider and cleansed all the details on the borrowed servers. It didn't reveal the infringement instantly because the company had to investigate the rest of its system to prevent the same incident from happening again. It also stimulated the decryption of our systems.

"This took a while because of the complex infrastructure and more than 3000 servers that our firm handles," says NordVPN. The problem didn't stir any of NordVPN's other servers. The company says that it would need engaged providers to reach more formidable safety measures. "We are also moving all of our data centers to RAM and this process would take another one year to complete," says NordVPN. While the break won't have any meaningful result on user secrecy, it will create a negative image of the company in the internet society. “NordVPN is multiplying measures on user privacy. We have supported an administration safety inspection and we are striving on a secondary no-records examination for the moment and are planning a fault munificence project." NordVPN will start autonomous surface scrutiny of its data systems to ensure it doesn't miss any loopholes.

Multiple VPN Applications Allow Attackers to Sidestep Authentication; Assists in Taking Control of Affected Systems

Enterprise VPN applications created by Palo Alto Systems, Pulse Secure, Cisco, and F5 Networks are reportedly known to have been 'storing' authentication and session cookies that too insecurely, as indicated by a DHS/CISA alert with a vulnerability note issued by CERT/CC, conceivably enabling attackers to sidestep authentication.

The caution issued on the 14th of April by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) additionally expresses that a potential "attacker could exploit this vulnerability to take control of an affected system."

As detailed in the Common Weakness Enumeration database in CWE-311, the way that an application neglects to "encrypt sensitive or critical information before storage or transmission" could permit would-be attacker to intercept traffic information, read it and infuse malignant code/information to play out a Man-in-the-Middle (MitM) attack.

CERT/CC says:
The following products and versions store the cookie insecurely in log files:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
The following products and versions store the cookie insecurely in memory:
- Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS0 (CVE-2019-1573)
- Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
-Cisco AnyConnect 4.7.x and prior

As indicated by this note "It is likely that this configuration is generic to additional VPN applications," which suggests that many VPN applications from an aggregate of 237 vendors can conceivably be affected by this data divulgence vulnerability.

Additionally, the vulnerability note composed by Carnegie Mellon University's Madison Oliver says that - "If an attacker has persistent access to a VPN user's endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session."

While VPN applications from Check Point Software Technologies and pfSense were found to not be 'vulnerable', Cisco and Pulse Secure haven't yet issued any data with respect to this vulnerability. Palo Alto Networks have thusly published a security advisory with additional information on this data revelation vulnerability tracked as CVE-2019-1573.

F5 Networks then again, while being "aware of the insecure memory storage since 2013" chosen not to fix it and gives the following solution as a relief measure: "To mitigate this vulnerability, you can use a one-time password or two-factor authentication instead of password-based authentication."

Chrome Zero-Day Attack; Google Advises to Update Immediately!

Chrome releases its latest version and the researchers request all the users to immediately update their versions of the famous browser.

The latest version is 72.0.3626.121 and was released in the very beginning of March 2019.

All that needs to be done to upgrade the older version is, type the specific URL chrome://settings/help which will inform the user what version is currently on.

All these alarm signs are blaring because of a recent zero-day security vulnerability that has emerged.

CVE-2019-5786 has been identified as the vulnerability and Google says it’s aware of it and hence is warning off its users.

A vulnerability happens to be a bug which corrupts the software in a way which reduces security. Whereas, an exploit is just a way of using the vulnerability to get past the security provisions.

All the vulnerabilities pose a threat to the system even if it means producing thousands of unwanted messages.

All exploits emerge from vulnerabilities but all vulnerabilities are not a fruit of exploits.

If made to work the malicious way, vulnerabilities could be forced to do a lot more than just creating error messages.

Zero-day is a vulnerability that the cyber-cons found a way to misuse before the researchers could find an appropriate solution for it.

Meaning that a Zero-day is an attack of which even the best researchers can’t find the solutions.

These attacks are usually found out weeks or even months later they start functioning on the network.

The bug is trying to be fixed by Google and restrictions are being retained until the bug exists.

The vulnerability includes a memory mismanagement bug in a part of Chrome by the name of “FileReader”.

This “FileReader” aids the web developers in springing up menus and dialogs.

The attacker could take control of a lot when it comes to this particular bug. It’s not just restricted to reading from files and goes far as “Remote Code Execution”.

Meaning, any malware could be implanted onto the victim’s system without any warning, pop-up or dialog.

All that could be done to save your system is keeping systems up-to-date at all times.

Also, always keep checking for updates and patches to fix vulnerabilities.

A Programmer Exploits a Crazy Bug in ATMs and Withdraws Over A Million

Qin Qisheng, a 43-year-old programmer discovered and exploited a loophole in ATMs being operated by his employer Huaxia Bank to withdraw over a million.

On a report by the South China Morning Post, Qin discovered a loophole in the bank's core OS which implied that the cash withdrawals made around midnight were not being recorded. In spite of the fact that the bank knew that he had been testing the inner security framework and the cash being taken was resting in a spurious account.

In any case, so as to carry out the exploit as cryptically as possible, Qin embedded a couple of scripts in the banking system that enabled him to test the proviso without setting off the alarm about any withdrawals. Because strangely, the bug was found in 2016 and for over a year, he kept making money withdrawals.

Be that as it may, he had moved the amassed cash to his own account and invested some in the stock market this, at long last lead to his arrest.

While the court has condemned Qin to 10 and a half years in jail, the bank 'acknowledged' that he had been testing the loophole however conceded that a few exercises were not reported which was in 'violation' of the formal systems and procedures.

The Exploitation of Rowhammer Attack Just Got Easier

With an increase in the number of hacks and exploits focused solely on fundamental properties of underlying hardware, Rowhammer, is one such attack known since 2012 which is a serious issue with recent generation dynamic random access memory (DRAM) chips which oftentimes while accessing a column of memory can cause "bit flipping" in a contiguous line, enabling anybody to alter the contents of the PC memory.

All previously known Rowhammer attack methods required privilege acceleration, which implies that the attacker needed to have effectively found and exploited a weakness within the framework. Lamentably, that is no longer true as researchers have discovered that you can trigger a Rowhammer attack while utilizing network packets.

Termed as 'Throwhammer,' the newfound technique could enable attackers to dispatch Rowhammer attack on the said focused frameworks just by sending uniquely crafted packets  to the vulnerable system cards over the Local Area Network.

A week ago, security researchers point by point developed a proof-of-concept Rowhammer attack strategy, named GLitch, that uses installed graphics processing units (GPUs) to carry out the Rowhammer attacks against Android gadgets.

Be that as it may, all previously known Rowhammer attack methods required privilege acceleration on a target device, which means that the attackers needed to execute code on their focused machines either by drawing casualties to a pernicious site or by deceiving them into installing a malignant application.

Tragically, this limitation has now been eliminated, at least for some devices.
Researchers at the Vrije Universiteit Amsterdam and the College of Cyprus have now discovered that sending despiteful packets over LAN can trigger the Rowhammer attack on systems running Ethernet network cards outfitted with Remote Direct Memory Access (RDMA), which is generally utilized as a part of clouds and data centres.

Since RDMA-enabled network cards allow computers in a system to trade information (with read and write privileges) in the fundamental memory, mishandling it to get to host's memory in fast progression can trigger bit flips on DRAM.

"We rely on the commonly-deployed RDMA technology in clouds and data centres for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers, these corruptions allow us to compromise a remote Memcached server without relying on any software bug." researchers said in a paper [PDF] published Thursday.

Since activating a bit flip requires a huge number of memory accesses to particular DRAM locations within milliseconds, a fruitful  Throwhammer attack would require a very high-speed network of no less than 10Gbps.

In their experimental setup, the researchers achieved bit flips on the said focused server subsequent to accessing its memory 560,000 times in 64 milliseconds by sending packets over LAN to its RDMA-empowered network card.

Since Rowhammer exploits a computer hardware weakness no software fix can completely settle the issue once and for all. Researchers trust that the Rowhammer risk isn't just genuine but also has the potential to cause serious damage.

For additional in-depth knowledge on this new attack technique, the users' can access this paper published by the researchers on Thursday [PDF], titled
 "Throwhammer: Rowhammer Assaults over the System and Resistances"

Researchers say North Korea behind attacks exploiting a Korean word processing program

Recent reports had confirmed that the relations between the two Koreas (North and South), which were bad for years, now showed some signs of improvement. After Seoul and Pyongyang had exchanged reconciliatory gestures and expressed their willingness to talk. There was even a rather high probability that the third intra-Korean summit would happen in near future.

However, the situation might go in other direction after reading a PDF report by FireEye, a U.S-based security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats. The report says that North Korea is likely behind cyber-attacks that have focused on exploiting a word processing program widely used in South Korea.

Genwei Jiang and Josiah Kimble, authors of the report, identified several malicious documents in the wild that exploit a previously unknown vulnerability (CVE-2015-6585) in the Hangul Word Processor (HWP). HWP, published by a South Korean company, is a Korean word processing application.

“It is widely used in South Korea, primarily by government and public institutions. Some HWP programs are frequently used by private organizations, such as HWP Viewer. The payloads and infrastructure in the attack are linked to suspected North Korean threat actors. Hancom patched CVE-2015-6585,” the authors said in the report.

The authors have said that only a handful of attacks have been publicly attributed to the secretive nation, which is known to have well-developed cyber capabilities.

According to them, if the malicious HWP file is opened, it installs a backdoor which FireEye nicknamed "Hangman", which is used for downloading files and probing file systems and similar to backdoor FireEye calls Peachpit, which may have been developed by North Korea, the report said.

Once Hangman has collected data, it sends it to command-and-control servers over an SSL (Secure Sockets Layer) connection. The IP addresses of those servers are hard-coded into Hangman and have been linked to other suspected North Korea-related attacks.

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” the authors added.

According to a news report published in PCWorld, one of the most prominent instances was the devastating attack in November 2014 against Sony Pictures, which lost sensitive corporate data and email and saw many of its computers rendered inoperable.

“In a rare move, the FBI blamed North Korea for the Sony hack based on an analysis of malware suspected to have been developed by the country and used in other attacks,” the news report added.

Opening an email containing RTF in Outlook hands your computer to hackers

How many of you are using Microsoft Outlook in your office? Previewing or opening an email containing .RTF file in Microsoft Outlook will open a backdoor for remote hackers to access your machine.

Microsoft warned today that attackers are exploiting a new zero-day vulnerability in Microsoft Word that allows them to run arbitrary code in the vulnerable system.

"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word" Security advisory reads. "or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

The vulnerability affects Microsoft word 2003, 2007,2010,2013, word viewer and Microsoft Office for Mac 2011.  Advisory states that the exploits it has seen so far have targeted Microsoft word 2010 users.

Microsoft is in the process of creating patch for this security flaw.  In the meantime, they have released a temporary Fix it solution which prevents opening of RTF files in Microsoft word.

Other suggestion to prevent yourself from being victim are 'configuring the outlook to read email messages in plain text format', 'using Enhanced Mitigation Experience Toolkit(EMET)'.

CVE-2009-0927 : PDF Exploit targets Aviation Defense Industry

PDF exploits

Security Researcher have come across a Spam email that leads to a malware page which delivers the PDF exploit(CVE-2009-0927).    The campaign seems to be targeting the aviation defense Industry.

About CVE-2009-0927:
A stack-based buffer overflow vulnerability in the Adobe Reader and Adobe Acrobat before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object "Collab.getIcon()".
If the recipient open the malicious PDF file, it opens a fake document and displays an invitation to an actual defense industry event. In the background, it exploits the PDF vulnerability.

If the victim's machine has the vulnerable version , then shellcode inside the pdf will start to execute.  The shellcode creates a file and run "evtmgr.exe in the Temp folder .

The exe file drops another dll file called mssrt726.dll which performs network communication and opens the backdoor at TCP port 49163.

CVE-2012-4681 : New zero-day Java Exploit added to Blackhole Exploit kit

As we expected , The Cyber criminals have added the New zero-day java exploit to the BlackHole Exploit kit.

According to a post of Paunch, the Blackhole creator, the actual java 0 day (CVE-2012-4681) is available for Blackhole owner since yesterday evening.

"ATTENTION! Added 0day Java exploit to knock for new clothes, breaking is cool ... competitors - Tightens)))" He said(translated).

The exploited vulnerability exists in all versions of Java 7, and can be used to exploit not just Windows, but also Apple OS X and Linux systems

As there is no patch from Oracle, the only solution to protect you from this attack is disabling the Java.

Update: The exploit has been included in other exploit kits includeing redkit,sakura kits.

[POC] Source code for the New 0-day Java Exploit is available

Security Researchers from FireEye have reported that a new Zero-day Java vulnerability is currently being exploited in a wild. The most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable.

Initially , Researchers discovered that this exploit hosted on named Currently this domain is resolving to an IP address in China.

A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.(

The Dropper.MsPMs connects to C&C domain which is currently resolving to an IP address located in Singapore.

Metasploit researchers has developed a metasploit module that exploit this latest vulnerability and the source code is available in public( 

Researchers successfully exploit a fully patched Windows 7 SP1 with Java 7 Update 6.They  have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safar on OS X 10.7.4

While this is in the wild, this is not being widely used at this time.  What is more worrisome is the potential for this to be used by other malware developers in the near future. I believe that this exploit will soon be rolled into the BlackHole exploit kit.

Java users should take this problem seriously, because there is currently no patch from Oracle. We recommend users to either unplug Java from your browser or uninstall it from your computer completely.

CVE-2012-1535: Adobe Flash player being exploited in the wild

A word document 'iPhone 5 Battery.doc' containing a malicious embedded flash file explotis the recently patched Adobe Flash player vulnerability(CVE-2012-1535), Alienvault researchers warns.

About CVE-2012-1535:Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content.

Once victim open the the malicious document , it will exploit the vulnerability and executes the shellcode. Once the payload is executed, it drops a malicious dll file. While executing the malicious code, the malware displays a genuine article about leaked iPhone 5 battery Images.

This backdoor is know as c0d0so0 and also Backdoor.Briba and it has been seen in other targeted attacks exploiting CVE-2012-0779 among others during the past few months.

The backdoor contacts the remote sever using a HTTP POST request and attempts to download an executable file encapsulated in a ZIP and disguised as a GIF.

"The use of Dynamic DNS providers like , is very common in this kind of threats. You should be monitoring the requests to dynamic dns providers in your network,"Researcher says.

Nepalese Government Sites hacked and serves Zegost RAT

Nepalese Government Sites exploits java vulnerability and infects users system with Zegost malware 

Researchers have detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister ( and respectively), have been compromised and serves Zegost(Gh0st RAT) malware.

The site injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. After successul exploitation, it will infect the visitor system with the Zegost.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework" Gianluca Giuliani of Websense said in an analysis of the attack.

"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f),"

Zegost is a known Remote-Administration Tool(RAT) that's been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China at "".

That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.

AV Bypass for Malicious PDFs Using XML Data Package (XDP) format

Security researcher Brandon Dixon has discovered a way to bypass the Antivirus detection for malicious PDFs using the XML Data Package(XDP) format.

XDP is an XML file format created by Adobe Systems in 2003. It is intended to be an XML-based companion to PDF. It allows PDF content and/or Adobe XML Forms Architecture (XFA) resources to be packaged within an XML container.

As XDP files are opened by Adobe Reader just like a normal PDF would be , opening the malicious XDP file can result in Adobe Reader Exploit.

Dixon's test document, which uses a two-year-old security vulnerability in Adobe Reader, was only detected by one anti-virus package in his tests. After experimenting with the XDP format, he was able to create another file that fooled all 42 anti-virus engines used on VirusTotal.

"The exploit is old. The JS is not encoded. This shoud be fixed. If you are wondering how to combat against this on your network or in your inbox, then look for XDP files."Dixon said in his blog.

"Of course, one could simply change the extension and still trick the user, but only awareness can fix that. For those with DPI, look for the Adobe XDP namespace and base64 code to identify the PDF embedded inside. "

PHP 5.4 Remote Exploit PoC in the wild

There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the the ones that bind a shell to a port.

The exploit can be found here:

Since there is no patch available for this vulnerability yet, you might want to do the following:
  • Block any file upload function in your php applications to avoid risks of exploit code execution.
  • Use your IPS to filter known shellcodes like the ones included in metasploit.
  • Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336 registered at the beginning of the month.
  • Use your HIPS to block any possible buffer overflow in your system.

    The Amnesty International UK site hacked, serves GH0st RAT

    The Amnesty International UK website was compromised between May 8 and 9 and infect visitors with infamous Gh0st RAT, WebSense informs.

    After analyzing the incident, WebSense researchers has found that the injection is similar to the one that affected INSS site last week , injected with malicious java code. The Java file try to exploit the famous Java vulnerability (CVE-2012-0507).

    Injected malicious code

    Once the exploit is successful, it downloads an executable file"sethc.exe", it creates a new binary file in the Windows system directory: C:\Program Files\... Interestingly, executable file has been signed by a "valid" certificate authority (CA).

    According to the web sense researchers, this is not the first time when the site of Amnesty International UK is being infected with malware.

    RedKit: a new private exploit kit spotted in the wild

    Trustwave security researchers have spotted a new private exploit kit in the wild. The new kit has no official name, so the researchers dubbed it'Redkit' due to the red bordering used in the application's panel.

    The developers promote the kit with a standard banner, the buyers are required to share their Jabber username by filling the online form hosted on a compromised site of some unsuspecting Christian church.

    "Logging to the admin panel presents you with options which are typically used by other exploit kits.The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37(!) different AV’s." Trustwave researchers said.

    As each malicious URL gets blocked by most security firms after 24 to 48 hours, the Redkit's author have provide a new API which will produce a fresh URL every hour, so that customer of this exploit kit can now set up an automated process for updating the traffic sources every hour or so to point to the new URL.

    The kit exploits two of the most popular vulnerabilities but the authors probably will add more exploits soon in order to catch up with the “industry leaders” such as BlackHole and Phoenix exploit kits.

    The first exploit is a fairly obfuscated PDF file that exploits the LibTIFF vulnerability (CVE-2010-0188) and the second one is Java AtomicReferenceArray vulnerability (CVE-2012-0507).

    The Institute for National Security Studies (Israel) website serves Poison Ivy RAT

    The official website of Institute for National Security Studies (INSS) website in Israel was injected with malicious code, warns Websense security researchers.

    Interestingly, the injected code try to exploit the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago.

    When a user visit the website, the injected malicious Javascript code loads a Java exploiter. The injected code shown below consists of a "document.write" function call that uses decimal-encoded string characters to hide the exploit URL. Once decoded, it redirects user to exploit page.

    The exploit page hosts a 'test.jar' file that exploits of the well-known Java vulnerability CVE-2012-0507.

    After analyzing the contents of the Jar file, researchers found that it was generated by the Metasploit toolkit, holds the vulnerability CVE-2012-0507. A variant of Poison Ivy RAT is automatically installed on the victim's computer after a successful java exploitation.