Information Security News
Recently released code that exploits Cisco System firewalls and has been linked to the National Security Agency can work against a much larger number of models than many security experts previously thought.
An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters 8.4(5) or newer versions of ASA, it returns an error message that prevents it from working. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version. While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Messaging Protocol, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.
The newly modified exploit is the work of SilentSignal, a penetration testing firm located in Budapest, Hungary. In an e-mail, SilentSignal researcher Balint Varga-Perke wrote:
Bad guys constantly need to find new ways to lure their victims. Billing notifications were very common for a while, but not everyone in a company works with that kind of document. Which type of notification do they all have in common? All of them have a phone number, and with modern communication channels (Unified Communications
From: [email protected]: [redacted]
The sender is spoofed with the victim's domain name. The following file was attached to the message:

$ unzip Message_from_01422520472.wav.zip
Archive:  Message_from_01422520472.wav.zip
    testing: 197577509502.wsf   OK
No errors detected in compressed data of Message_from_01422520472.wav.zip.
$ md5sum 197577509502.wsf
f2ee33a688a45b161d3191693196cb1d  197577509502.wsf
Note the .wav.zip extension used to lure the user. As usual, the payload is heavily obfuscated, and the AV detection ratio is still very low (6/55 at 11:55:00 UTC).
Vigor is a UK company building ADSL residential modems. This suggests that the new wave is targeting residential customers.
Here are the C2 servers (for your IDS):
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant