FortiGuard Threat Intelligence Brief

Fortinet has launched a new service that reports on the most active threats of the past week, giving us a view of the main concerns in our environment.

This week's report follows.

Activity Summary – Week Ending July 29, 2016

We’ve reached peak summertime (in the Northern Hemisphere, at least), and with that a large portion of workers around the world have left for extended summer vacations. With that, global malware detections among customers have decreased sharply over previous weeks. If cybercriminals can’t get people to open emails or click on links, it becomes difficult for them to find new victims.


We discussed in previous briefs a spike in attempts to exploit the CVE-2014-6271 Bash vulnerability. This week we continue to see similar results, suggesting to us that a campaign to discover and exploit vulnerable Unix and Unix-like systems continues. Ensuring you have a robust and agile vulnerability management program is critical to mitigating these largely automated attacks.


A unique HTML-based threat emerged this week, and quickly ramped up volume to the top of our lists. We will discuss more on this in the coming paragraphs.


Malware Activity

Rank  Name                        Volume
1     HTML/Refresh.BC!tr          1,306,781
2     WM/Agent.BJC!tr.dldr        1,159,850
3     JS/FLoader.DRY!tr.dldr      1,113,100
4     JS/Nemucod.0971!tr            710,695
5     W32/BackDoor.Prosiak.65       476,399

Locky ransomware continues to attack – while volumes compared to previous weeks have declined, the evil Locky ransomware continues to attempt to extort unwitting victims. Admittedly it is a testament to Locky’s effectiveness that criminals have latched on so completely to it, leaving most other ransomware families behind. We are seeing new WM/Agent variants (especially .BJC!tr.dldr) as well as new variants of Nemucod (.0971!tr, among others) that are all being used to distribute Locky.

It is critical to ensure endpoint devices have recent and regular offline backups. Most modern ransomware will also seek remote drives and network shares and encrypt any content it can overwrite. Limiting access to these shares and doing regular access and permission reviews can also help localize damages.


“Refresh” appears – HTML/Refresh.BC!tr and some variants appeared on our radar this week. These variants are designed to trick a victim’s Internet browser into redirecting to a specific site of the attacker’s choosing, where they will attempt to use drive-by-download techniques (as well as others) to serve additional malware to the victim.


Application Vulnerabilities / IPS

Rank  Name                                                       Volume
1     Netcore.Netis.Devices.Hardcoded.Password.Security.Bypass   8,673,249,847
2     MS.DNS.WINS.Server.Information.Spoofing                    2,435,693,216
3     NTP.Monlist.Command.DoS                                      236,878,192
4     IPv4.Invalid.Datagram.Size                                   188,139,345
5     SNMP.Spec.Violation                                          183,619,882

Neutrino exploit kit use continues to supplant Angler – Since early June, FortiGuard Labs has noticed that a large contingent of cybercriminals have switched from using Angler to the Neutrino Exploit Kit. Angler first appeared in late 2013 and had dominated the exploit kit market since 2015. Some of our researchers who monitor popular underground groups have found evidence strongly suggesting that many members of the Angler group have been apprehended by authorities.


ASUS Routers continue to be targets – FortiGuard Labs again saw a spike in detections of ASUS.Router.infosvr.UDP.Broadcast.Command.Execution this week. This was a vulnerability originally discovered in many of the ubiquitous routers sold by ASUS for home and SMB/SOHO use. A bug in infosvr allowed an unauthenticated user to execute arbitrary commands. These devices provide ideal targets for attackers as they are usually unmonitored and often stuffed in the back of a closet somewhere, making time to detection substantial.


Attacks exploiting Windows Server DNS persist – Originally reported in December 2015, the MS.DNS.WINS.Server.Information.Spoofing attack has been prevalent since the beginning of 2016. This vulnerability allows remote code execution if specially crafted requests are sent to an unpatched Windows Server 2008/2012 DNS host. DNS makes for an ideal entry point when a working exploit is available – FortiGuard Labs continues to detect a massive amount of these requests moving across corporate networks.


Web Filtering

Ransomware attackers move fast – One thing we noticed in the past week or two was that a seemingly innocuous site with virtually no traffic to speak of suddenly spiked over a period of a few days. At its peak, this small site was attempting to deliver literally hundreds of thousands of variants of the Locky ransomware to victims per day. But within a week, the traffic from that site returned to normal levels. This is likely due to many factors: ransomware attackers move through domains quickly to attempt to evade the inevitable shutdown of their subverted sites, site owners being quick to respond to malicious takeover of a site, and cooperation among security vendors to share information to prevent further damage.
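The short-lived spike described above is the kind of pattern a web filter or proxy log can surface automatically. As an added example (not part of the brief or of any Fortinet product), the code below flags hosts whose daily request counts jump far above a robust baseline and reports whether they have since returned to normal; the host names and counts are constructed for the example.

```python
from statistics import median

# Constructed daily request counts per destination host, as a proxy or web
# filter would aggregate them over seven days. Hosts and numbers are made up.
DAILY_HITS = {
    "cdn.example-news.test": [5120, 4980, 5310, 5075, 5200, 4890, 5150],
    "quiet-site.test":       [3, 0, 2, 1, 480, 9120, 311400],
    "recovered-site.test":   [4, 2, 160000, 8000, 3, 1, 2],
}


def spike_threshold(series, factor=10.0):
    """Median plus `factor` median absolute deviations (MAD).

    Median/MAD are robust: a two-day spike barely moves them, unlike a mean
    and standard deviation, so the baseline stays representative of the
    host's normal, near-idle traffic.
    """
    base = median(series)
    mad = median(abs(x - base) for x in series) or 1.0  # avoid zero spread
    return base + factor * mad


def mad_spike_days(series, factor=10.0, floor=1000):
    """Indices of days whose count exceeds the threshold and an absolute
    floor, so a jump from 1 to 8 hits on a near-idle host is not reported."""
    limit = spike_threshold(series, factor)
    return [i for i, x in enumerate(series) if x > limit and x >= floor]


def flag_spiking_hosts(daily_hits, **kw):
    """Map host -> spiking day indices, for hosts that spiked at least once."""
    result = {}
    for host, series in daily_hits.items():
        days = mad_spike_days(series, **kw)
        if days:
            result[host] = days
    return result


def back_to_baseline(series, factor=10.0):
    """True when the most recent day is back under the spike threshold."""
    return series[-1] <= spike_threshold(series, factor)


if __name__ == "__main__":
    for host, days in flag_spiking_hosts(DAILY_HITS).items():
        state = "recovered" if back_to_baseline(DAILY_HITS[host]) else "ongoing"
        print(f"{host}: spike on day(s) {days}, {state}")
```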


Nymaim bots employ fast flux – Fast fluxing is a specialized DNS method among malware authors which is designed to rapidly pivot through domains and IP addresses with the goal of doing so faster than most security products can keep up. This can make it hard for traditional defenses to keep up – by the time a defender has filtered out the malicious IP, the attackers have long since moved on to another. In one recent case, gafbqvx dot com was used to host a final payload of Nymaim. Nymaim is primarily a ransomware program designed to lock a victim out of their computer. In recent months Nymaim has also been seen delivering other malicious programs, especially financial Trojans.
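Because a fast-flux domain rotates through addresses faster than an IP blocklist can follow, defenders usually look for the rotation itself in passive DNS data. As an added example that is not part of the brief, the heuristic below profiles each domain's distinct answers, the number of distinct /16 networks they span, and the median TTL; the domains and addresses are constructed (documentation ranges), not indicators from the brief.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS style records: (queried domain, answered IPv4, TTL s).
# Made up for this example; documentation/test address ranges only.
PDNS_RECORDS = [
    ("static-corp.test", "203.0.113.10", 86400),
    ("static-corp.test", "203.0.113.10", 86400),
    ("static-corp.test", "203.0.113.11", 86400),
    ("cdn-legit.test", "198.51.100.5", 60),      # CDN: short TTL but one netblock
    ("cdn-legit.test", "198.51.100.6", 60),
    ("cdn-legit.test", "198.51.100.7", 60),
    ("cdn-legit.test", "198.51.100.8", 60),
    ("flux-c2.test", "192.0.2.17", 180),         # flux: short TTL, many networks
    ("flux-c2.test", "198.51.100.77", 120),
    ("flux-c2.test", "203.0.113.201", 60),
    ("flux-c2.test", "192.0.2.99", 180),
    ("flux-c2.test", "100.64.3.4", 300),
    ("flux-c2.test", "100.64.9.12", 120),
]


def profile(records):
    """Per domain: (distinct IPs, distinct /16 networks, median TTL)."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ipaddress.ip_address(ip))
        # /16 is a coarse stand-in for "different provider"; with ASN data
        # available, count distinct ASNs here instead.
        nets[domain].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        ttls[domain].append(ttl)
    return {d: (len(ips[d]), len(nets[d]), median(ttls[d])) for d in ips}


def fast_flux_candidates(records, min_ips=5, min_nets=3, max_ttl=600):
    """Domains resolving to many addresses across several networks with short
    TTLs. A CDN also rotates addresses with short TTLs, but normally within a
    few provider netblocks, which the min_nets threshold separates out."""
    return sorted(d for d, (n_ip, n_net, ttl) in profile(records).items()
                  if n_ip >= min_ips and n_net >= min_nets and ttl <= max_ttl)


if __name__ == "__main__":
    for domain, stats in profile(PDNS_RECORDS).items():
        print(domain, stats)
    print("fast-flux candidates:", fast_flux_candidates(PDNS_RECORDS))
```

Thresholds should be tuned against a baseline of known-good domains in your own DNS logs, since large CDNs and DNS-based load balancers can legitimately approach these values.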