(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 


Recently released code that exploits Cisco System firewalls and has been linked to the National Security Agency can work against a much larger number of models than many security experts previously thought.

An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters ASA version 8.4(5) or newer, it returns an error message and stops. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version. While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Management Protocol (SNMP) implementation, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.

(credit: SilentSignal)

The newly modified exploit is the work of SilentSignal, a penetration testing firm located in Budapest, Hungary. In an e-mail, SilentSignal researcher Balint Varga-Perke wrote:



Bad guys constantly need to find new ways to lure their victims. Billing notifications were very common for a while, but not all people in a company work with that kind of document. Which type of notification do they all have in common? All of them have a phone number, and with modern communication channels (Unified Communications

    From: [email protected]
    To: [redacted]
    Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25

    Dear [redacted]:
    There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
    You might want to check it when you get a chance.
    Thanks!

The sender is spoofed with the victim's domain name. The following file was attached to the message:

    $ unzip Message_from_01422520472.wav.zip
    Archive:  Message_from_01422520472.wav.zip
        testing: 197577509502.wsf   OK
    No errors detected in compressed data of Message_from_01422520472.wav.zip.
    $ md5sum 197577509502.wsf
    f2ee33a688a45b161d3191693196cb1d  197577509502.wsf

Note the .wav.zip double extension used to lure the user: the archive looks like an audio file but contains a Windows Script File (.wsf). As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC) [1].

Vigor is a UK company building ADSL residential modems [2]. This suggests that the new wave is targeting residential customers.

Here are the C2 servers (for your IDS):

89.42.39.81
213.205.40.169
51.254.55.171
194.67.210.183
185.51.247.211
185.129.148.19
91.201.202.125
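As an added example (not part of the diary and not code from the ISC), the following Python script shows how a mail gateway or analyst tool can flag the two indicators described above: an attachment with a decoy double extension such as .wav.zip that actually holds a script file, and firewall log lines whose destination matches the listed C2 addresses. The zip archive and the log lines are constructed inline for the demonstration; the .wsf content is a harmless placeholder, not the real payload, and the hash it computes is therefore not the diary's MD5.

```python
import hashlib
import io
import os
import re
import zipfile

# Script types commonly hidden inside "audio" or "document" archives.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1", ".scr", ".exe"}
# Decoy extensions that precede the real .zip extension, e.g. "voicemail.wav.zip".
DECOY_EXTENSIONS = {".wav", ".mp3", ".pdf", ".doc", ".jpg"}

# C2 servers listed in the diary.
C2_IPS = {
    "89.42.39.81", "213.205.40.169", "51.254.55.171", "194.67.210.183",
    "185.51.247.211", "185.129.148.19", "91.201.202.125",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def has_decoy_double_extension(filename: str) -> bool:
    """True for names like 'x.wav.zip' where a media extension hides a zip."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return ("." + parts[1]) in DECOY_EXTENSIONS and parts[2] == "zip"


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings for one attachment."""
    findings = []
    if has_decoy_double_extension(filename):
        findings.append(f"decoy double extension: {filename}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in SCRIPT_EXTENSIONS:
                    digest = hashlib.md5(zf.read(info)).hexdigest()
                    findings.append(f"script payload in archive: {info.filename} (md5 {digest})")
    except zipfile.BadZipFile:
        findings.append(f"not a valid zip archive: {filename}")
    return findings


def c2_hits(log_lines) -> list:
    """Return (ip, line) pairs for log lines mentioning a known C2 address."""
    hits = []
    for line in log_lines:
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append((ip, line))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the diary's attachment layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder body: a benign WSF skeleton, not the obfuscated payload.
        zf.writestr("197577509502.wsf", "<job><script language='JScript'></script></job>")
    return buf.getvalue()


# Constructed firewall log lines (hypothetical format) for the C2 check.
SAMPLE_LOG = [
    "2016-08-23T15:58:01 fw01 allow src=10.0.0.15 dst=89.42.39.81 dport=80",
    "2016-08-23T15:58:03 fw01 allow src=10.0.0.15 dst=8.8.8.8 dport=53",
]

if __name__ == "__main__":
    for f in inspect_attachment("Message_from_01422520472.wav.zip", build_sample_zip()):
        print("ATTACHMENT:", f)
    for ip, line in c2_hits(SAMPLE_LOG):
        print("C2 CONTACT:", ip, "|", line)
```

The double-extension check deliberately looks only at the last two suffixes, so ordinary archives such as report.zip or backup.tar.gz are not flagged; the C2 match is a plain set lookup on every IPv4 literal in a line, which is enough for a quick sweep of proxy or firewall logs before the indicators are loaded into the IDS.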

[1]https://www.virustotal.com/en/file/97be73cf491cf8e4d30e0e6d9b73e95151f77b3e52813e06b2ef391fa6f26b2a/analysis/1471949327/
[2]http://www.draytek.co.uk/products/legacy/vigor-2820

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
