Li-Fi fantastic - Quocirca's report from Infosec 2015
IT-Director.com (blog)
As with any trade show, Infosec (Europe's biggest IT security bash) can get a bit mind-numbing, with one vendor after another going on about the big issues of the day—advanced threat detection, threat intelligence networks, the dangers of the ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Adobe has received some bad publicity regarding zero-day Flash player exploits due to the recent Hacking Team compromise [1,2]. This certainly isn't the first time Adobe has had such issues [3]. With HTML5 video as an alternative to Flash player, one might wonder how long Flash player will be relevant. Google has announced the next stable version of Chrome will block auto-playing Flash elements [4], and Firefox started blacklisting Flash player plugins earlier this week [5]. With people like Facebook's chief security officer calling for Adobe to announce an end-of-life date for Flash [6], I've been wondering about the future of Flash player.

More specifically, I've been wondering what exploit kit (EK) authors will turn to once Flash player is no longer relevant.

In recent months, most EK traffic I've generated used a Flash exploit to infect vulnerable Windows hosts. The situation with Flash player today is much like the situation with Java that I remember back in 2013 and most of 2014. However, in the fall of 2014, most EKs dropped Java exploits from their arsenal and started relying on Flash player as the vehicle for their most up-to-date exploits.

A recent history of Java exploits in EK traffic

Java exploits were prevalent when I first started blogging about EK traffic in 2013 [7]. Back then, Blackhole EK was still a player, and I commonly saw Java exploits in EK traffic.

The threat landscape altered a bit when the EK's alleged creator, Paunch, was arrested. Organizations that monitor EK traffic noticed a sharp reduction in Blackhole EK traffic in 2014 compared to the previous year [8]. During that same time, I started noticing more Flash exploits in EK traffic. By September 2014, most of the remaining EKs had stopped using Java.

My last documented dates for Java exploits in exploit kit traffic are below (exploit kit name - date the Java exploit was last seen).

  • Angler EK - 2014-09-16 [9]
  • FlashPack EK - 2014-08-30 [10]
  • Nuclear EK - 2014-09-08 [11]
  • Magnitude EK - 2014-08-15 [12]
  • Sweet Orange EK - 2014-09-25 [13]
  • Rig EK - 2014-09-06 [14]

Of note, FlashPack EK and Sweet Orange EK have disappeared, and they are not currently a concern. Neutrino EK was dormant from April through October of 2014, and when it came back, I didn't see it using any Java exploits.

Fiesta EK still sends several different types of exploits depending on the vulnerable client, and it still has Java exploits in its arsenal. Other lesser-seen EKs like KaiXin still use Java exploits. However, the majority of EKs gave up on Java sometime last year.

What we're seeing recently with Flash exploits

Most exploit kits use the latest available Flash exploits. Angler, Neutrino, Nuclear, Magnitude, and Rig EK are all using the latest Hacking Team Flash player exploit, based on CVE-2015-5122 [15]. If you have Flash player on a Windows computer, you should be running the most recent Flash update (whatever version is current as I'm writing this).

Earlier I generated Angler EK traffic to infect a Windows host running Flash player on IE 11.

Shown above: An image of the Angler EK infection and post-infection CryptoWall 3.0 traffic in Wireshark.

Shown above: Angler EK sending a Flash exploit, based on CVE-2015-5122, targeting Flash

The infected host's bitcoin address for ransom payment was 1LY58fiaAYFKgev67TN1UJtRveJh81D2dU. The address is the same one

Shown above: Decrypt instructions from the infected host.
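The captions above describe a Flash object delivered over HTTP by the EK. As an added example that is not part of this diary (none of Brad Duncan's own tooling is shown here), the Python below shows one way an analyst can identify SWF objects in HTTP responses carved from a pcap, regardless of the Content-Type the EK server claims: it checks the SWF signature (FWS, CWS or ZWS), reads the Flash version and declared uncompressed length from the 8-byte header, and inflates zlib-packed CWS files to confirm the declared length matches. The two HTTP responses and the SWF body are constructed stand-ins; the SWF carries filler bytes, not an exploit, and the function and variable names are mine.

```python
import struct
import zlib

# The first three bytes of an SWF say how the rest of the file is packed.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
# Content types a well-behaved server uses for Flash; EK servers often lie.
SWF_CONTENT_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}


def split_http_response(raw):
    """Split a raw HTTP response (as carved from a pcap) into status, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def parse_swf(blob):
    """Return header facts for an SWF blob, or None if it is not an SWF.

    SWF header layout: 3-byte signature, 1-byte version, uint32 LE length of the
    whole file once uncompressed. For CWS, bytes 8.. are one zlib stream; for
    ZWS they are LZMA (only detected here, not inflated)."""
    if len(blob) < 8 or blob[:3] not in SWF_SIGNATURES:
        return None
    packing = SWF_SIGNATURES[blob[:3]]
    info = {
        "packing": packing,
        "version": blob[3],
        "declared_length": struct.unpack("<I", blob[4:8])[0],
        "inflated_length": None,
    }
    if packing == "uncompressed":
        info["inflated_length"] = len(blob)
    elif packing == "zlib":
        try:
            info["inflated_length"] = 8 + len(zlib.decompress(blob[8:]))
        except zlib.error:
            pass  # truncated or corrupt stream: leave inflated_length as None
    return info


def inspect_response(raw):
    """Flag an HTTP response that carries an SWF, whatever Content-Type it claims."""
    _status, headers, body = split_http_response(raw)
    swf = parse_swf(body)
    if swf is None:
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    swf["content_type"] = ctype
    swf["content_type_is_swf"] = ctype in SWF_CONTENT_TYPES
    # A declared length that disagrees with the inflated size means a truncated
    # or tampered object and is worth a second look.
    swf["length_matches"] = swf["inflated_length"] == swf["declared_length"]
    return swf


# --- constructed sample input (not real EK traffic) -------------------------
SAMPLE_SWF_BODY = bytes(range(32))  # filler in place of a frame header and tag stream


def build_sample_cws(version=18):
    """Build a zlib-packed SWF around the filler body above."""
    packed = zlib.compress(SAMPLE_SWF_BODY)
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(SAMPLE_SWF_BODY)) + packed


SAMPLE_SWF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"  # misleading type, as EKs often send
    b"Content-Length: %d\r\n\r\n" % len(build_sample_cws())
) + build_sample_cws()

SAMPLE_HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>landing page</body></html>"
)

if __name__ == "__main__":
    for raw in (SAMPLE_HTML_RESPONSE, SAMPLE_SWF_RESPONSE):
        print(inspect_response(raw))
```

In practice the responses come from Wireshark's "Export Objects > HTTP" or a stream reassembler; the point of matching on the signature rather than the Content-Type is that EK servers routinely serve SWF as octet-stream or with no type at all. A carved blob that parses cleanly can then be handed to a Flash decompiler for a look at the ActionScript.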

Final words

Today, the majority of EKs utilize Flash player exploits based on the most recently known vulnerabilities. But this situation can't last forever. If Flash is no longer relevant, what will EK authors turn to for their latest exploits? Will they go back to Java? Will they focus on browser vulnerabilities? It will be interesting to see where things stand in the next year or so.

A pcap of the 2015-07-15 Angler EK infection traffic is available at:

A zip file of the associated malware is available at:

The zip file is password-protected with the standard password. If you don't know it, email [email protected] and ask.

Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] https://krebsonsecurity.com/2015/07/adobe-to-patch-hacking-teams-flash-zero-day/
[2] http://www.pcworld.com/article/2947312/second-flash-player-zeroday-exploit-found-in-hacking-teams-data.html
[3] http://krebsonsecurity.com/2015/02/yet-another-flash-patch-fixes-zero-day-flaw/
[4] http://arstechnica.co.uk/information-technology/2015/06/google-chrome-will-soon-intelligently-block-auto-playing-flash-ads/
[5] http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-due-to-unpatched-0-day-vulnerabilities/
[6] https://twitter.com/alexstamos/status/620306643360706561
[7] http://malware-traffic-analysis.net/2013/06/18/index.html
[8] http://www.symantec.com/connect/blogs/six-months-after-blackhole-passing-exploit-kit-torch
[9] http://malware-traffic-analysis.net/2014/09/16/index2.html
[10] http://malware-traffic-analysis.net/2014/08/30/index.html
[11] http://malware-traffic-analysis.net/2014/09/08/index2.html
[12] http://malware-traffic-analysis.net/2014/08/15/index.html
[13] http://malware-traffic-analysis.net/2014/09/25/index.html
[14] http://malware-traffic-analysis.net/2014/09/06/index.html
[15] http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
[16] https://isc.sans.edu/forums/diary/Another+example+of+Angler+exploit+kit+pushing+CryptoWall+30/19863/


Almost a third of the world's encrypted Web connections can be cracked using an exploit that's growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with a 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.

“Very worrisome”

"Our work significantly reduces the execution time of performing an attack, and we consider this improvement very worrisome," the researchers wrote in a blog post. "Considering there are still biases which are unused, that more efficient algorithms can be implemented, and better traffic generation techniques can be explored, we expect further improvements in the future."
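The article above rests on the fact that RC4 keystream bytes are not uniformly distributed. As an added example (not the researchers' code and not from the article), the Python below implements RC4 and demonstrates the simplest such bias, the Mantin-Shamir observation that the second keystream byte is zero about twice as often as it should be. Encrypting one constructed plaintext (a stand-in for a cookie re-sent in many sessions) under many random keys makes the plaintext's second byte the most frequent ciphertext value at that position, which is the principle the cookie-recovery attacks build on with far more biases and far more data. The plaintext, key count, key length and RNG seed are constructed; the function names are mine.

```python
import random


def rc4_keystream(key, n):
    """Textbook RC4: key scheduling, then n bytes of keystream (reference only)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key, data):
    """XOR data with the RC4 keystream for key."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data))))


# Constructed stand-in for a secret that gets re-encrypted many times under
# fresh keys, the way a cookie is across repeated TLS sessions.
PLAINTEXT = b"sid=4f3c2a"


def encrypt_under_many_keys(plaintext, n_keys, key_len=16, seed=1):
    """Encrypt the same plaintext under n_keys independent random keys."""
    rng = random.Random(seed)  # seeded so the demonstration is reproducible
    cts = []
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        cts.append(rc4_encrypt(key, plaintext))
    return cts


def ciphertext_histogram(ciphertexts, position):
    """Count how often each byte value appears at `position` across ciphertexts."""
    counts = [0] * 256
    for ct in ciphertexts:
        counts[ct[position]] += 1
    return counts


def recover_second_byte(ciphertexts):
    """Mantin-Shamir bias: keystream byte 2 (index 1) is 0 with probability ~1/128,
    twice the uniform 1/256, so across many keys the most frequent ciphertext byte
    at index 1 is plaintext[1] ^ 0. Returns (guess, observed/uniform ratio)."""
    counts = ciphertext_histogram(ciphertexts, 1)
    best = max(range(256), key=counts.__getitem__)
    ratio = counts[best] * 256 / len(ciphertexts)
    return best, ratio


if __name__ == "__main__":
    cts = encrypt_under_many_keys(PLAINTEXT, 20000)
    guess, ratio = recover_second_byte(cts)
    print("plaintext[1]=%r guess=%r ratio=%.2f" % (PLAINTEXT[1], guess, ratio))
```

With 20,000 keys the correct byte shows up roughly twice as often as any other value, which is enough to pick it out by a wide margin; positions further into the keystream carry much weaker biases, which is why the published attacks need tens of millions of encryptions and combine many biases at once. The only real fix is the one the researchers give: stop negotiating RC4.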



Most of us have a cheat sheet [CS] here and there. In my jump bag there is a 3-ring binder with cheat sheets in plastic sheet protectors. That got me thinking about cheat sheets again, and there are a few things to share. First, we have written about them many times over the years (find them with site:isc.sans.edu Cheat Sheets) [1] [2] [3] [4] [5]. There are also a series of cheat sheets all over the intertubes [6] [7] [8] [9] [10].

From here on, I am talking about an Apple OS X only app. If someone wants to contribute something similar for Linux and Windows, email me ( rporter at isc dot sans dot edu ) or tweet @packetalien and I will post an update.

One thing that has been bothering me lately is searchability and the ease of getting to quick answers in a cheat sheet. I thought about possible solutions and wanted to share one.

For other coding references there is Dash [11], which I use heavily, and they have tons of cheat sheets [12]. While sitting in SANS 572 Advanced Network Forensics, it hit me: write a Packet Forensics CS, to the Dash Docs, Batman.

As it turns out, the format is easy to understand and based on Ruby [12], and there is a Ruby gem called Cheatset [13] that has great samples.

Here is a screenshot of what I've got so far; this cheat sheet will be for packet forensicators.

There will be more to come as time permits, and if anyone is interested in the source or docset for this, or would like to contribute, email me ( rporter at isc dot sans dot edu ) or tweet @packetalien.

A final note: when doing forensics on a case, it is always good to have references handy!

[1] https://isc.sans.edu/diary/2+Cheat+Sheets+for+Incident+Handling/5354
[2] https://isc.sans.edu/diary/Cheat+Sheet%3A+Analyzing+Malicious+Documents/7705
[3] https://isc.sans.edu/diary/New+and+updated+cheat+sheets/6958
[4] https://isc.sans.edu/diary/New+Incident+Response+Methodology+Cheat+Sheet/10828
[5] https://isc.sans.edu/diary/OWASP+Session+Management+%22Cheat+Sheet%22/11263
[6] https://isc.sans.edu/presentations/
[7] https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
[8] https://cert.societegenerale.com/en/publications.html
[9] http://packetlife.net/library/cheat-sheets/
[10] https://github.com/detailyang/cheat-sheets
[11] https://kapeli.com/dash
[12] https://github.com/Kapeli/cheatsheets
[13] https://github.com/Kapeli/cheatset

Richard Porter

@packetalien, packetalien.com, rporter at isc dot sans dot edu

--- ISC Handler on Duty

Backdoor credentials found in 4 TOTOLINK router models
4 TOTOLINK router models vulnerable to CSRF and XSS attacks
15 TOTOLINK router models vulnerable to multiple RCEs
Linux Kernel CVE-2015-3636 Local Privilege Escalation Vulnerability
Oracle MySQL Server CVE-2015-0511 Remote Security Vulnerability

More details are emerging about the international law enforcement operation that dismantled Darkode, described by authorities as the world's biggest English-language online crime forum. Among the 70 people arrested worldwide are the site's alleged administrator, aged 27, and a 20-year-old man who allegedly designed malware intended to remotely control and steal data from Google Android devices.

The site had from 250 to 300 active members. Before it was shut down Tuesday, it had been secretly infiltrated by FBI agents for more than 18 months. While monitoring the day-to-day activities of members, agents observed advertised products including personal information of 39,000 people taken from a database of Social Security numbers, 20 million e-mail addresses and user names used in a variety of scams, ransomware programs, and other online criminal wares. Some of the users allegedly took part in hacks late last year on Sony's PlayStation and Microsoft's Xbox networks.

"Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world," US Attorney Hickton of the Western District of Pennsylvania said in a statement published Wednesday morning. "Through this operation, we have dismantled a cyber hornets' nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable."


The Commerce Department's Public Safety Communications Research (PSCR) program is signing up a new round of industry collaborators for the test bed used to evaluate advanced broadband equipment and software for emergency first ...
Cisco Security Advisory: Cisco Videoscape Delivery System Denial of Service Vulnerability


Infosec bigwigs rally against US cyber export control rule
The Register
Infosec heavyweights are uniting to oppose US government proposals to tighten up export controls against software exploits, a move critics argue threatens to imperil mainstream security research and information sharing. The proposed regulation, based ...
Infosec firms oppose 'misguided' exploit export controls - iT News


Ubuntu PC maker System76 will stop installing Adobe Flash on its laptops and desktops, saying the software is too dangerous and is no longer necessary. "In 2007 System76 was granted a license from Adobe to pre-install Flash on all our laptops and desktops," the company said in a blog post yesterday. "In terms of making a great first impression with our customers, especially those new to Ubuntu, this was an important detail."

But Web content generally works well without Flash these days, and the software has been afflicted by repeated security problems, System76 noted.

This week, Adobe issued an emergency update for Flash Player to patch two critical zero-day vulnerabilities that allow attackers to install malware.



Privacy advocates disappointed about the sudden and unexplained demise of the ProxyHam device for connecting to the Internet have reason to cheer up: there are two similarly low-cost boxes that do the same thing or even better.

The more impressive of the two is the ProxyGambit, a $235 device that allows people to access an Internet connection from anywhere in the world without revealing their true location or IP address. One-upping the ProxyHam, its radio link can offer a range of up to six miles, more than double the 2.5 miles of the ProxyHam. More significantly, it can use a reverse-tunneled GSM bridge that connects to the Internet and exits through a wireless network anywhere in the world, a capability that provides even greater range.

Its creator, serial hacker Samy Kamkar, wrote in a blog post:


Adobe Reader and Acrobat Multiple Security Bypass Vulnerabilities
XSS, Code Execution, DOS, Password Leak, Weak Authentication in GetSimpleCMS 3.3.5
XSS vulnerability in OFBiz forms
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]
LinuxSecurity.com: Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]
LinuxSecurity.com: Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]