Feed aggregator

TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations

US-CERT Security Alerts - Sat, 08/01/2015 - 14:01
Original release date: August 01, 2015
Systems Affected

Microsoft Windows Systems, Adobe Flash Player, and Linux

Overview

Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.

Description

US-CERT is aware of three phishing campaigns targeting U.S. Government agencies and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.

Impact

Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.

Solution

Phishing Mitigation and Response Recommendations

  • Implement perimeter blocks for known threat indicators:
    • Email server or email security gateway filters for email indicators
    • Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
    • DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
  • Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
  • Identify recipients and possible infected systems:
    • Search email server logs for applicable sender, subject, attachments, etc. (to identify users that may have deleted the email and were not identified in purge of mailboxes)
    • Search applicable web proxy, DNS, firewall or IDS logs for activity the malicious link clicked.
    • Search applicable web proxy, DNS, firewall or IDS logs for activity to any associated command and control (C2) domains or IP addresses associated with the malware.
    • Review anti-virus (AV) logs for alerts associated with the malware.  AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence a system is not infected.
    • Scan systems for host-level indicators of the related malware (e.g., YARA signatures)
  • For systems that may be infected:
    • Capture live memory of potentially infected systems for analysis
    • Take forensic images of potentially infected systems for analysis
    • Isolate systems to a virtual local area network (VLAN) segmented form the production agency network (e.g., an Internet-only segment)
  • Report incidents, with as much detail as possible, to the NCCIC.

Educate Your Users

Organizations should remind users that they play a critical role in protecting their organizations form cyber threats. Users should:

  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.  Be particularly wary of compressed or ZIP file attachments.
  • Avoid clicking directly on website links in emails; attempts to verify web addresses independently (e.g., contact your organization’s helpdesk or sear the Internet for the main website of the organization or topic mentioned in the email).
  • Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.

Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today’s security practitioners:

  • Privilege control (i.e., minimize administrative or superuser privileges)
  • Application whitelisting / software execution control (by file or location)
  • System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
  • Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
  • Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
  • Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV cards)

Further Information

For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

References Revision History
  • August 1, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS15-078 - Critical: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Version: 2.0

Microsoft Security Notifications - Tue, 07/28/2015 - 23:00
Severity Rating: Critical
Revision Note: V2.0 (July 29, 2015): Bulletin published.
Summary: Bulletin rereleased to announce the availability of an update package for Windows 10 systems. Customers running Windows 10 should apply the 3074683 update to be protected from the vulnerability discussed in this bulletin. The update is available via Windows Update only. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
Categories: Security Alerts

MS15-069 - Important: Vulnerabilities in Windows Could Allow Remote Code Execution (3072631) - Version: 1.1

Microsoft Security Notifications - Tue, 07/28/2015 - 23:00
Severity Rating: Important
Revision Note: V1.1 (July 29, 2015): Bulletin revised to correct the Desktop Experience footnote in the Affected Software section. The footnote had incorrectly applied to update 3070738 on Windows Server 2008 R2 when it should have applied to update 3067903 on Windows Server 2008 and Windows Server 2008 R2. Also added a footnote for the 3070738 update to clarify that only systems with RDP 8.1 installed are affected. These are informational changes only. Customers who have already successfully applied the updates do not need to take any action. Customers who have not already installed the necessary updates should do so to be protected from the vulnerability it addresses.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow Remote Code Execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user’s current working directory and then convinces the user to open an RTF file or to launch a program that is designed to load a trusted DLL file but instead loads the attacker’s specially crafted DLL file. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

MS15-074 - Important: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630) - Version: 2.0

Microsoft Security Notifications - Tue, 07/28/2015 - 23:00
Severity Rating: Important
Revision Note: V2.0 (July 29, 2015): Bulletin published.
Summary: Bulletin rereleased to announce the availability of an update package for Windows 10 systems. Customers running Windows 10 should apply the 3074683 update to be protected from the vulnerability discussed in this bulletin. The update is available via Windows Update only. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
Categories: Security Alerts

MS15-006 - Important: Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365) - Version: 2.0

Microsoft Security Notifications - Tue, 07/21/2015 - 23:00
Severity Rating: Important
Revision Note: V2.0 (July 22, 2015): Bulletin revised to inform customers of the July 14, 2015 reoffering of the 3004365 update for Windows 8.1 and Windows Server 2012 R2 systems. The update provides defense-in-depth measures beyond what was provided in the original update issued on January 13, 2015. Customers running these operating systems who have already successfully applied the update should reinstall the update to be best protected from the vulnerability discussed in this bulletin.
Summary: This security update resolves a privately reported vulnerability in Windows Error Reporting (WER). The vulnerability could allow security feature bypass if successfully exploited by an attacker. An attacker who successfully exploited this vulnerability could gain access to the memory of a running process. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Security Alerts

MS15-058 - Important: Vulnerabilities in SQL Server Could Allow Remote Code Execution (3065718) - Version: 1.1

Microsoft Security Notifications - Tue, 07/21/2015 - 23:00
Severity Rating: Important
Revision Note: V1.1 (July 22, 2015): Bulletin revised to improve the Update FAQ section to help customers more easily identify the correct update to apply based on a currently installed version of SQL Server. This is an informational change only. Customers who have already successfully installed the update do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this vulnerability an attacker would need permissions to create or modify a database.
Categories: Security Alerts

MS15-065 - Critical: Security Update for Internet Explorer (3076321) - Version: 1.1

Microsoft Security Notifications - Tue, 07/21/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.1 (July 22, 2015): Corrected the affected software entries for CVE-2015-1733 in the Severity Ratings and Vulnerability Identifiers table. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities

US-CERT Security Alerts - Tue, 07/14/2015 - 15:13
Original release date: July 14, 2015 | Last revised: July 15, 2015
Systems Affected

Microsoft Windows systems with Adobe Flash Player installed.

Overview

Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit mitigation and other defensive techniques.

Description

The following vulnerabilities illustrate the need for ongoing mitigation techniques and prioritization of updates for highly targeted software:

  • Adobe Flash use-after-free and memory corruption vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123) Adobe Flash Player contains critical vulnerabilities within the ActionScript 3 ByteArray, opaqueBackground and BitmapData classes. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on a vulnerable system.
  • Microsoft Windows Adobe Type Manager privilege escalation vulnerability (CVE-2015-2387)
    The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain system privileges on an affected Windows system. The Adobe Type Manager is a Microsoft Windows component present in every version since NT 4.0. The primary impact of exploiting this vulnerability is local privilege escalation.
Vulnerability Chaining

By convincing a user to visit a website or open a file containing specially crafted Flash content, an attacker could combine any one of the three Adobe Flash vulnerabilities with the Microsoft Windows vulnerability to take full control of an affected system.

A common attack vector for exploiting a Flash vulnerability is to entice a user to load Flash content in a web browser, and most web browsers have Flash installed and enabled. A second attack vector for Flash vulnerabilities is through a file (such as an email attachment) that embeds Flash content. Another technique leverages Object Linking and Embedding (OLE) capabilities in Microsoft Office documents to automatically download Flash content from a remote server.

An attacker who is able to execute arbitrary code through the Flash vulnerability could exploit the Adobe Type Manager vulnerability to gain elevated system privileges. The Adobe Type Manager vulnerability allows the attacker to bypass sandbox defenses (such as those found in Adobe Reader and Google Chrome) and low integrity protections (such as Protected Mode Internet Explorer and Protected View for Microsoft Office).

Impact

The Adobe Flash vulnerabilities can allow a remote attacker to execute arbitrary code. Exploitation of the Adobe Type Manager vulnerability could then allow the attacker to execute code with system privileges.

Solution

Since attackers regularly target widely deployed, Internet-accessible software such as Adobe Flash and Microsoft Windows, it is important to prioritize updates for these products to defend against known vulnerabilities.

Since attackers regularly discover new vulnerabilities for which updates do not exist, it is important to enable exploit mitigation and other defensive techniques.

Apply Security Updates

The Adobe Flash vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123) are addressed in Adobe Security Bulletins APSB15-16 and APSB15-18. Users are encouraged to review the Bulletins and apply the necessary updates.

The Microsoft Windows Adobe Type Manager vulnerability (CVE-2015-2387) is addressed in Microsoft security Bulletin MS15-077. Users are encouraged to review the Bulletin and apply the necessary updates.

Additional information regarding the vulnerabilities can be found in Vulnerability Notes VU#561288, VU#338736, VU#918568, and VU#103336.

Limit Flash Content

Do not run untrusted Flash content. Most web browsers have Flash enabled by default, however, it may be possible to enable click-to-play features. For information see  http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET)

EMET can be used to help prevent exploitation of the Flash vulnerabilities. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. See the following link for additional information: http://www.microsoft.com/en-us/download/details.aspx?id=46366

References Revision History
  • July 14, 2015: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security Alerts

MS15-076 - Important: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability, which exists in Windows Remote Procedure Call (RPC) authentication, could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

MS15-073 - Important: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
Categories: Security Alerts

MS15-075 - Important: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if used in conjunction with another vulnerability that allows arbitrary code to be run. Once the other vulnerability has been exploited, an attacker could then exploit the vulnerabilities addressed in this bulletin to cause arbitrary code to run at a medium integrity level.
Categories: Security Alerts

MS15-068 - Critical: Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution (3072000) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Windows Hyper-V. The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An an attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.
Categories: Security Alerts

MS15-071 - Important: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system. The attacker must be logged on to a domain-joined system and be able to observe network traffic.
Categories: Security Alerts

MS15-072 - Important: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions. An authenticated attacker who successfully exploited this vulnerability could elevate privileges on a targeted system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. An attacker must first log on to the system to exploit this vulnerability.
Categories: Security Alerts

MS15-067 - Critical: Vulnerability in RDP Could Allow Remote Code Execution (3073094) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Categories: Security Alerts

MS15-066 - Critical: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3072604) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Critical
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

MS15-077 - Important: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a target system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Categories: Security Alerts

MS15-070 - Important: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620) - Version: 1.0

Microsoft Security Notifications - Mon, 07/13/2015 - 23:00
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Categories: Security Alerts

MS15-049 - Important: Vulnerability in Silverlight Could Allow Elevation of Privilege (3058985) - Version: 1.1

Microsoft Security Notifications - Mon, 06/22/2015 - 23:00
Severity Rating: Important
Revision Note: V1.1 (June 23, 2015): Bulletin published.
Summary: Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Categories: Security Alerts

MS15-044 - Critical: Vulnerabilities in Microsoft Font Drivers Could Allow Remote Code Execution (3057110) - Version: 2.1

Microsoft Security Notifications - Mon, 06/22/2015 - 23:00
Severity Rating: Critical
Revision Note: V2.1 (June 23, 2015): V2.1 (June 23, 2015): Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.
Categories: Security Alerts
Syndicate content