Introduction

On Wednesday 2017-05-10, @thlnk3r tweeted about Rig exploit kit (EK) activity. @DynamicAnalysis has already posted an analysis of this traffic on malwarebreakdown.com (always a good read), but I've also looked into it.
Shown above: Tweet about this Rig EK activity from @thlnk3r (link).

Details

This is not one of the campaigns that use Rig EK like pseudoDarkleech or EITest (both of which I haven't seen since April 2017). This traffic has different characteristics. Cisco is calling it the Seamless Campaign due to an associated iframe attribute back when it was first discovered.

By the time I investigated this traffic, the compromised site that kicked off the chain of events was already off-line.
Shown above: Some Ramnit alerts after reading the pcap with Snort using the Snort Subscription ruleset.

Indicators of Compromise (IOCs)

The following IP addresses and domains are associated with this traffic:

  • 185.31.160.55 port 80 - 185.31.160.55 - GET /flow335.php [Seamless gate]
  • 185.154.52.233 port 80 - sell.northwestfloridacannabis.online - Rig EK (1st run)
  • 185.154.52.233 port 80 - top.northwestfloridacannabis.org - Rig EK (2nd run)
  • 95.215.108.213 port 443 - mudsaoojbjijj999.com - Post-infection encoded/encrypted traffic
  • Note: The infected Windows host also tried several attempts at contacting google.com.

The following files are associated with this traffic:

Final words

Rig EK is still an ongoing factor in our current threat landscape. Thanks to everyone on Twitter who tweets about EK activity. Without help from the community, this traffic is difficult to obtain.

As always, if you follow best security practices (keep your Windows computer up-to-date and patched, etc.), your risk of infection is minimal. Unfortunately, many people don't follow best practices. Until this situation changes, EKs will likely remain a profitable method for criminals distributing malware.

Emails, malware samples, and pcaps associated with the 2017-05-10 Rig EK traffic can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Cisco WebEx Meetings Server CVE-2017-6651 Information Disclosure Vulnerability
 
Red Hat JBoss BRMS and BPM Suite CVE-2017-7463 Cross Site Scripting Vulnerability
 
ImageMagick CVE-2017-8356 Denial of Service Vulnerability
 
Veritas Backup Exec Use After Free Remote Code Execution Vulnerability
 
ImageMagick CVE-2017-8354 Denial of Service Vulnerability
 
Veritas NetBackup Appliance CVE-2017-8859 Arbitrary Command Execution Vulnerability
 
Veritas NetBackup and NetBackup Appliance Arbitrary Command Execution Vulnerability
 
Network Time Protocol 'ntp_control.c' Directory Traversal Vulnerability
 
Network Time Protocol CVE-2015-7850 Denial of Service Vulnerability
 
Network Time Protocol 'authkeys.c' Use After Free Memory Corruption Vulnerability
 
Network Time Protocol CVE-2015-7848 Denial of Service Vulnerability
 
Cisco IOS and IOS XE Software CVE-2016-1344 Denial of Service Vulnerability
 
Cisco IOS/ IOS XE/ Unified Communications Manager CVE-2016-1350 Denial of Service Vulnerability
 

I love it when people write tools to pull data from this site, and we try to accommodate automated tools like this with our API. But sometimes scripts go bad, and we keep having cases where scripts pull the same data several times a second. I would love to let the owner of the script know, but often this is hard.

To prevent some of these issues, I am going to enforce a new rule going forward: Your User-Agent has to include a contact for the script. I prefer a simple e-mail address. A URL will do if that is easier for you. The data will exclusively be used to contact you in case of a problem.

To enforce this, generic user agents will be blocked (like Python-urllib/2.7, Wget/1.12 (linux-gnu), curl/7.38.0). I will start doing so with older pages that should no longer be used by automated scripts anyway (as they are not designed for automation like our API), and initially only block specific User Agents.

If you hit the page with a blocked User Agent, a 403 error will be returned (Forbidden) and a simple text message pointing to this post [1].

[1] https://tools.ietf.org/html/rfc7231#section-6.5.3
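One way the rule above could be enforced server-side, written as an added example here rather than ISC's own code: the generic product tokens are the three named in the post, while the e-mail/URL patterns, the policy URL placeholder and the sample User-Agent strings are assumptions constructed for the demonstration.

```python
import re

# Generic client UAs named in the ISC post; compared against the first
# product token (case-insensitive), so any version of each is matched.
GENERIC_PRODUCTS = {"python-urllib", "wget", "curl"}

# A contact is an e-mail address or an http(s) URL anywhere in the UA.
# These patterns are an assumption; the post only asks for "a simple
# e-mail address" or "a URL".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s;,()]+")

# Placeholder for the URL of the post that explains the rule.
POLICY_URL = "https://isc.sans.edu/<this-post>"


def find_contact(user_agent: str):
    """Return the contact (e-mail or URL) embedded in the UA, or None."""
    m = EMAIL_RE.search(user_agent) or URL_RE.search(user_agent)
    return m.group(0) if m else None


def is_generic(user_agent: str) -> bool:
    """True if the leading product token is one of the blocked generic clients."""
    tokens = user_agent.strip().split()
    if not tokens:
        return False  # empty UA: the post does not say to block it, so allow
    return tokens[0].split("/", 1)[0].lower() in GENERIC_PRODUCTS


def decide(user_agent: str):
    """Return (status, body) as the server would for this User-Agent."""
    if is_generic(user_agent) and find_contact(user_agent) is None:
        body = ("Forbidden: automated clients must identify a contact "
                f"(e-mail or URL) in the User-Agent. See {POLICY_URL}")
        return 403, body
    return 200, "OK"


# Constructed sample User-Agent strings for demonstration (not from the post).
SAMPLE_UAS = [
    "Python-urllib/2.7",
    "Wget/1.12 (linux-gnu)",
    "curl/7.38.0",
    "curl/7.38.0 (contact: ops@example.org)",
    "isc-feed-fetcher/1.0 (+https://example.org/isc-fetcher)",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        status, _ = decide(ua)
        print(f"{status}  {ua}")
```

A generic client that adds its contact, as in the fourth sample, passes; a non-generic UA without a contact is still allowed, matching the post's plan to block only specific User-Agents at first.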

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute

 
Multiple SIMATIC WinCC Products CVE-2017-6867 Denial of Service Vulnerability
 

Newly elected French president Emmanuel Macron poses with a woman for a selfie. (credit: PATRICK KOVARIK / Getty Images)

The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron's campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information.

"We created false accounts, with false content, as traps," Macron campaign digital director Mounir Mahjoubi told the Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account."

The move was a delaying tactic aimed at increasing the attackers' workload. The "honeypot" accounts were filled with large volumes of fake documents. "That forced them to waste time, by the quantity of the documents we put in and documents that might interest them," Mahjoubi said. "Even if it made them lose one minute, we're happy."


 
SEC Consult SA-20170510-0 :: Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App
 
Multiple Siemens Products CVE-2017-6865 Denial of Service Vulnerability
 
Apache Cordova For Android CVE-2016-6799 Information Disclosure Vulnerability
 
Microsoft Office CVE-2017-0262 Remote Code Execution Vulnerability
 
ImageMagick 'mat.c' Denial of Service Vulnerability
 
ImageMagick 'exr.c' Denial of Service Vulnerability
 
Oracle Java SE CVE-2017-3509 Remote Security Vulnerability
 
Google Android Qualcomm Components CVE-2016-10297 Unspecified Security Vulnerability
 
Oracle Java SE CVE-2017-3539 Remote Security Vulnerability
 
Google Android Mediaserver CVE-2017-0591 Remote Code Execution Vulnerability
 
Google Android Mediaserver CVE-2017-0592 Remote Code Execution Vulnerability
 
ImageMagick CVE-2017-8344 Denial of Service Vulnerability
 
[SECURITY] [DSA 3848-1] git security update
 
Multiple Vulnerabilities in ASUS Routers [CVE-2017-5891 and CVE-2017-5892]
 
[SECURITY] [DSA 3847-1] xen security update
 
[security bulletin] HPESBST03739 rev.1 - HPE StoreFabric B-series Switches, Remote Elevation of Privilege
 
CVE-2016-6799: Internal system information leak