AlienVault Labs - Archive

New Internet Explorer zeroday was used in the DoL Watering Hole campaign

A few days ago we reported a new Watering Hole campaign affecting a U.S Department of Labor website.

In our first analysis we reported that the exploited vulnerability was CVE-2012-4792 . Further analysis showed that the vulnerability exploited wasn’t CVE-2012-4792 but a new zeroday vulnerability affecting Internet Explorer 8 (CVE-2013-1347). It was confirmed by Microsoft that released a Security Advisory on Friday and also FireEye and Invincea.

In addition we have found that the U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time. The list of affected sites includes several non-profit groups and institutes as well as a big european company that plays on the aerospace, defence and security markets.

Finally we detected several redirections to another malicious server located at www[.]sellagreement[.]com (198.96.92.107) that was serving parts of the malicious payloads found on dol[.]ns01[.]us.

We recommend you to search your logs for connections to those domains and IP addresses.

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

New year, new Java zeroday!

January 10th, 2013 | Posted by jaime.blasco in Advisory | Attacks | Exploits - (Comments Off)

Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.

The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681 .

Right now the only way to protect your machine against this exploit is disabling the Java browser plugin. Let’s see how long does it take for Oracle to release a patch.

On the other hand we expect a Metasploit module in the upcoming days as it has been happening during the last year as well as most of the exploit kits adopting this new zeroday sooner than later.

We will keep you updated as we obtain more information.

Be safe!

Update: It seems both Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild

jaime.blasco

Advisory: Cisco IOS HTTP client DoS

October 18th, 2011 | Posted by jaime.blasco in Advisory | Blog | Vulnerability Management - (1 Comments)

DESCRIPTION:
There is a problem with the HTTP client implementation on Cisco IOS. If an administrator loads an application service via these commands:

router#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#application
router(config-app)#service name http://ip_address/
router(config-app-param)#end

and the HTTP server responds with a special crafted HTTP response, the device will crash.

AFFECTED VERSIONS:
The vulnerability has been detected in a wide branch of Cisco IOS.

VENDOR RESPONSE:
http://tools.cisco.com/security/center/viewAlert.x?alertId=24436

CREDITS:
Jaime Blasco, Alienvault Labs

New Internet Explorer zeroday was used in the DoL Watering Hole campaign

jaime.blasco

New year, new Java zeroday!

jaime.blasco

Advisory: Cisco IOS HTTP client DoS

jaime.blasco

Navigation

Search IP in reputation database

Labs in Your Email

Labs on twitter

Tags

Recent Discussions

People Online