(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Seems like we're always finding new ransomware. In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February [1]. A few days later, Malwarebytes provided further analysis and more details on subsequent Cerber samples [2].

I've seen Cerber distributed through exploit kits (EKs) and malicious spam (malspam). I'm only aware of .rtf attachments that download and install Cerber when opened in Microsoft Word [3].

Shown above: Image of Cerber malspam from tier1net.com

By April 2016, Proofpoint reported Cerber was being distributed by Magnitude exploit kit (EK) using a Flash exploit based on CVE-2016-1019 (then a zero-day exploit) [4]. I ran across two Cerber malware samples sent by Neutrino EK near the end of April 2016, but I didn't realize it at the time [5]. Since then, other sources like broadanalysis.com have also reported Neutrino EK sending Cerber [6].

This diary examines a Cerber ransomware infection from Neutrino EK on Tuesday 2016-05-03.

Shown above: Cerber from Neutrino EK.


The few compromised websites I've seen associated with this particular Neutrino EK campaign have similar patterns of injected script, as seen below.

Shown above: Injected script in page from a compromised website leading to Neutrino EK.

It's a fairly straightforward sequence of events. The compromised website leads to Neutrino EK. Then Neutrino EK sends Cerber ransomware. The only issue I had was generating an infection on a virtual machine (VM). On a VM, Cerber generated nearly the same network traffic, but it did not encrypt any files or generate any notices before deleting itself. On a normal host, Cerber acts as you might expect, encrypting files and showing notifications. Cerber also checks its IP and location at ipinfo.io on a normal host.

Shown above: Traffic from a Cerber infection on a VM filtered in Wireshark.

In the above two images, Neutrino EK traffic is over TCP port 80 using the following domains:

  • blmeujdhcb.eilong.top
  • mifblup.eilong.top
  • psjebmwpes.eaautomatic.top
  • wocvx.eaautomatic.top

With or without the IP check at ipinfo.io, Cerber sent UDP traffic with 9 bytes of data to 16,384 IP addresses in one contiguous range (a /18 block). The infected host used the same source and destination ports each time, but the content of those 9 bytes changed with each datagram. Previous Cerber samples used different IP ranges and UDP ports. I'm not sure what this UDP traffic means, though. I haven't found any more information about it, and I haven't had time to dig into it further.
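As an added example (not code from the diary or from any vendor tool), the following Python flags the traffic pattern described above in flow records: one source sending small, constant-size UDP datagrams from a fixed source port to a fixed destination port at many distinct destinations, and it reports the smallest CIDR block that covers those destinations. The flow records, the 192.168.1.50 host, the 10.20.0.0/18 range and UDP port 6892 are all constructed for this example and are not the values from the sample's pcap.

```python
"""Flag a host spraying small, fixed-size UDP datagrams at a large address block.

The flow records below are constructed for this example; they are not taken
from the diary's pcap. Field order: ts src_ip src_port dst_ip dst_port proto bytes
"""
import ipaddress
from collections import defaultdict


def build_sample_flows():
    """Constructed traffic: ordinary DNS from 192.168.1.50, then a spray of
    9-byte UDP datagrams from the same host to 200 addresses inside 10.20.0.0/18."""
    lines = []
    ts = 1462300000.0
    for n, size in enumerate((31, 40, 28, 31, 35)):        # ordinary DNS lookups
        lines.append(f"{ts + n} 192.168.1.50 {50000 + n} 192.168.1.1 53 udp {size}")
    base = int(ipaddress.IPv4Address("10.20.0.0"))
    for i in range(200):                                   # same src/dst ports every time
        dst = ipaddress.IPv4Address(base + i * 79)         # spread across the /18
        lines.append(f"{ts + 10 + i * 0.01} 192.168.1.50 6892 {dst} 6892 udp 9")
    return lines


SAMPLE_FLOWS = build_sample_flows()


def parse_flow(line):
    ts, src, sport, dst, dport, proto, size = line.split()
    return {"ts": float(ts), "src_ip": src, "src_port": int(sport),
            "dst_ip": dst, "dst_port": int(dport), "proto": proto.lower(),
            "payload_len": int(size)}


def covering_network(addrs):
    """Smallest IPv4 CIDR block that contains every address in addrs."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    net_int = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.IPv4Network((net_int, prefix))


def find_udp_sprays(records, min_targets=64):
    """Group UDP datagrams by (src, src_port, dst_port, payload size) and report
    groups that reach many distinct destinations with a constant payload size."""
    groups = defaultdict(set)
    for r in records:
        if r["proto"] != "udp":
            continue
        key = (r["src_ip"], r["src_port"], r["dst_port"], r["payload_len"])
        groups[key].add(r["dst_ip"])
    hits = []
    for (src, sport, dport, size), targets in groups.items():
        if len(targets) >= min_targets:
            hits.append({"src_ip": src, "src_port": sport, "dst_port": dport,
                         "payload_len": size, "distinct_targets": len(targets),
                         "covering_network": covering_network(targets)})
    hits.sort(key=lambda h: -h["distinct_targets"])
    return hits


def detect(lines, min_targets=64):
    """Parse raw flow lines and return the spray groups found in them."""
    return find_udp_sprays([parse_flow(line) for line in lines], min_targets)


if __name__ == "__main__":
    for h in detect(SAMPLE_FLOWS):
        print(f"{h['src_ip']}:{h['src_port']} -> {h['distinct_targets']} hosts in "
              f"{h['covering_network']} udp/{h['dst_port']}, {h['payload_len']}-byte payload")
```

The grouping key deliberately includes the payload size, because the diary notes the 9-byte length stayed constant while the bytes themselves changed; a host that legitimately talks to many peers (a DNS resolver, a torrent client) varies its datagram sizes and source ports, so it does not collapse into one large group.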

Images from the infected host

As others have already reported, Cerber speaks to you. It does this through a .vbs file named # DECRYPT MY FILES #.vbs. This .vbs file contains Visual Basic script that causes your Windows computer to speak, saying "Attention! Attention! Attention!" ten times, followed by "Your documents, photos, databases and other important files have been encrypted!"

Final words

We've seen other ransomware like CryptXXX from Angler EK or Locky from malspam. However, Cerber has been a fairly consistent threat since it first appeared. I expect we'll see more Cerber in the coming weeks.

Pcaps and malware for this ISC diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net


[1] http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
[2] https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
[3] https://www.tier1net.com/cerber-ransomware-campaign/
[4] https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
[5] http://www.malware-traffic-analysis.net/2016/04/29/index.html
[6] http://www.broadanalysis.com/2016/05/02/neutrino-ek-from-185-58-227-227-sends-cerber-ransomware/





A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.

The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.
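One control a practitioner would want in front of any ImageMagick-backed resize step is to refuse uploads whose leading bytes do not match an allow-listed raster signature, so that a text-based format renamed to .png never reaches the library. The following is an added example, not code from the article or from ImageMagick; it assumes the upload handler can call check_upload() before the resize, and every sample input (the PNG and JPEG headers, the MVG-style text file) is constructed here.

```python
"""Reject uploads whose bytes do not match an allow-listed image signature.

Added example, not code from the article or from ImageMagick. It assumes the
upload handler can run check_upload() before the file is passed to any
ImageMagick-backed resize; every sample input below is constructed.
"""

# Magic bytes for the raster formats a typical upload form needs. Anything
# else (including text formats such as MVG or SVG that an image library would
# parse as drawing instructions) is refused before it reaches the library.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


class RejectedUpload(ValueError):
    """Raised when an upload fails the signature or extension check."""


def sniff_format(data):
    """Return the allow-listed format whose signature starts `data`, else None."""
    for fmt, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def check_upload(filename, data):
    """Return the detected format, or raise RejectedUpload.

    Two independent checks: the first bytes must match a known raster
    signature, and that signature must agree with the filename extension, so
    a text file renamed to .png is refused even though the extension looks
    harmless.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    fmt = sniff_format(data)
    if fmt is None:
        raise RejectedUpload("no allow-listed image signature at offset 0")
    if ext != fmt:
        raise RejectedUpload(f"extension .{ext} does not match content ({fmt})")
    return fmt


def is_safe_upload(filename, data):
    """Boolean wrapper around check_upload() for callers that do not want exceptions."""
    try:
        check_upload(filename, data)
        return True
    except RejectedUpload:
        return False


# Constructed inputs: a minimal PNG header, a JPEG SOI/APP0 marker, and an
# MVG-style text file saved under a .png name (the shape of a booby-trapped
# image, without any payload).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 16
MVG_AS_PNG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in (("photo.png", PNG_SAMPLE), ("photo.jpeg", JPEG_SAMPLE),
                       ("cat.png", MVG_AS_PNG), ("cat.gif", PNG_SAMPLE)):
        print(f"{name}: {'accepted' if is_safe_upload(name, blob) else 'rejected'}")
```

The signature check is a pre-filter, not a parser: it only guarantees that ImageMagick will select the raster coder the extension claims. ImageMagick's own policy.xml (not discussed in the article) can additionally disable the coders an upload service never needs, and the two controls are best used together.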




Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers.

The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h.

The decryption vulnerability is the result of what cryptographers call a padding oracle weakness, which allows attackers to repeatedly probe an encrypted payload for clues about the plaintext content inside. According to TLS expert Filippo Valsorda, the bug allows for only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends it repeatedly. Still, the conditions might make it possible for an attacker with the ability to monitor the connection to obtain authentication cookies and other small chunks of encrypted text, Valsorda wrote. The vulnerability is indexed as CVE-2016-2107.



The OpenSSL updates pre-announced last week have dropped. The latest versions are 1.0.1t and 1.0.2h. These updates don't come with the same level of urgency as some we have seen in the recent past, but two of the fixes are rated High. It is always a good idea to update your servers to the most up-to-date version of

CVE-2016-2108, High severity: An ASN.1 encoding issue that could cause an out-of-bounds write leading to memory corruption.

CVE-2016-2107, High severity: A padding attack could be used to permit an attacker who is in a position to man-in-the-middle the session to decrypt traffic.

CVE-2016-2105, Low severity: A heap overflow resulting in heap corruption. The vulnerable function is internal to OpenSSL and is not believed to be exploitable.

CVE-2016-2106, Low severity: This appears to be the same function as CVE-2016-2105, and because it is only used internally to OpenSSL it is not believed to be exploitable.

CVE-2016-2109, Low severity: A resource-exhaustion and/or memory-exhaustion issue in the ASN.1 read. This is internal to OpenSSL and not believed to be exploitable.

CVE-2016-2176, Low severity: An ASN.1 overread could result in arbitrary stack information being returned. The release is not clear on exploitability.

There is no indication that there are exploits in the wild at this time.

UPDATE: There is now a PoC for CVE-2016-2107
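Both the Ars Technica summary above and this diary's CVE-2016-2107 entry describe the same class of weakness: a server that reveals whether the padding of a CBC record was valid lets an attacker who can replay a victim's encrypted record recover its plaintext one byte at a time. The following is an added example of that generic attack, not code from either article, from OpenSSL, or from the PoC mentioned above. To run on the standard library alone it uses a toy 4-round Feistel cipher built from SHA-256 in place of AES, models no MAC, and treats "PKCS#7 unpadding succeeded" as the whole oracle; it does not reproduce the specific OpenSSL defect. The key, IV and cookie-like message are constructed constants.

```python
"""CBC padding-oracle attack against a toy cipher.

Added example, not code from the articles, the ISC diary, or OpenSSL. The block
cipher is a 4-round Feistel built from SHA-256, standing in for AES so the
script runs with the standard library only; there is no MAC, and the oracle is
simply "did PKCS#7 unpadding succeed". Key, IV and message are constructed.
"""
import hashlib

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy Feistel network: invertible and keyed, but NOT a real cipher."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round_fn(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round_fn(key, rnd, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    data, prev, out = pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += xor(block_decrypt(key, blk), prev)
        prev = blk
    return unpad(out)


class PaddingOracle:
    """All the attacker observes: whether unpadding succeeded, plus a call count."""
    def __init__(self, key):
        self.key, self.calls = key, 0

    def __call__(self, iv, ciphertext):
        self.calls += 1
        try:
            cbc_decrypt(self.key, iv, ciphertext)
            return True
        except ValueError:
            return False


def recover_block(oracle, prev, target):
    """Recover one plaintext block using only the oracle and the preceding block."""
    inter = bytearray(BLOCK)              # block_decrypt(key, target), found byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):   # already-known bytes forced to pad_val
                forged[j] = inter[j] ^ pad_val
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:              # rule out an accidental \x02\x02-style match
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged), target):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError(f"no padding-valid guess at position {pos}")
    return xor(bytes(inter), prev)


def recover_plaintext(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    padded = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                      for i in range(1, len(blocks)))
    return unpad(padded)


KEY = b"constructed-key-0000"                  # constructed; demo only
IV = bytes(range(BLOCK))
MESSAGE = b"session=4f3c9a1e7b2d; user=alice"  # stands in for an auth cookie


def demo():
    """Encrypt MESSAGE, then recover it through the oracle alone."""
    ct = cbc_encrypt(KEY, IV, MESSAGE)
    oracle = PaddingOracle(KEY)
    return recover_plaintext(oracle, IV, ct), oracle.calls


if __name__ == "__main__":
    recovered, calls = demo()
    print(recovered, "in", calls, "oracle queries")
```

The cost is bounded by 256 queries per byte, which is why the Ars summary's caveat matters: the attacker needs the victim to resend the same encrypted record (a cookie on every request, for example) once per query. Removing the oracle, not the cipher, is the fix: the server must fail identically for bad padding and bad MAC, in both the alert sent and the time taken.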

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

