Eze Castle Integration

Alerts for Eze Castle Integration Clients

January 26, 2015
Source: Eze Castle Integration

The Northeast is expecting a major winter storm today (1/26/15) and tomorrow (1/27/15). At Eze Castle Integration, we are undertaking many steps to ensure our operations run smoothly in order to continue providing support to our clients. 

We will be open for business during the duration of the storm. Please note, Eze Castle Integration employees within the affected areas may be working remotely and in preparation we have increased support from our other regional offices. 

December 3, 2014: FIN4
Source: eSentire

On December 1, 2014, a blog post regarding activity by a threat actor classified as “FIN4” was published by the Wall Street Journal. The article describes an active targeted phishing campaign specifically aimed at the email accounts of C-level executives, legal counsel, regulatory, risk, and compliance personnel, and other individuals who discuss confidential and potentially market-affecting matters.

What We Know

The technique uses spear-phishing emails to harvest users' credentials and send them back to the command-and-control (CnC) servers; the stolen credentials are then used to log into the users' webmail remotely through Tor and escalate the attack.

Further Protection

The following recommended actions are effective security controls that you can implement locally to help protect your networks from this threat:

  • Educate users on email security best practices.
  • Enable two-factor authentication for email logins.
  • Implement a group policy control to disable VBA macros in Microsoft Office.


November 20, 2014: Microsoft Windows Exploits
Source: eSentire

We are aware of recent activity in the form of specific exploits in the wild targeting Microsoft Windows vulnerabilities, with the potential to affect the vast majority of Microsoft operating systems. The first vulnerability (CVE-2014-6352) allows threat actors to execute code on a victim’s machine after visiting a maliciously crafted webpage. The second actively targeted vulnerability (CVE-2014-6324) may allow domain users to elevate their privileges to Domain Administrator. The third vulnerability (CVE-2014-6321) has not been actively seen in the wild but has the potential for greatest impact. Patches for all three of these vulnerabilities should be applied as soon as possible, with verification that they have been applied successfully.

What We Know

CVE-2014-6321 AKA WinShock:

  • Affects major Windows operating systems (all, up to and including Win 8)
  • PoC has been released; no public exploits are available yet
  • Completely remote attack vector
  • Remote code execution exploits are expected
  • PoC released for IIS, RDP, AD
  • No known workarounds

CVE-2014-6352:

  • Actively attacked in the wild
  • Requires user intervention to visit a malicious site
  • Affects most major Windows operating systems
  • Exploits are available to the public
  • Workaround is possible with the Enhanced Mitigation Experience Toolkit (EMET)

CVE-2014-6324:

  • Actively attacked in the wild
  • Requires domain user access
  • Privilege escalation to domain admin possible
  • No known workarounds

Further Protection

How to further protect yourself from these emerging threats:

  • EMET can help further prevent memory protection bypasses (http://www.microsoft.com/emet).
  • User awareness: infections are occurring from users visiting malicious websites.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users to be cautious when clicking on links in emails coming from trusted sources.


October 16, 2014: Cisco Adaptive Security Appliance (ASA) Software Vulnerabilities
Source: Eze Castle Integration

Cisco has announced that its Cisco Adaptive Security Appliance (ASA) Software is affected by a number of vulnerabilities that could result in a denial of service (DoS) condition. Eze Castle Integration has identified the affected products at our clients and established an upgrade procedure to patch client environments.

Reference: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa

October 15, 2014: SSL 3.0 “POODLE” Vulnerability
Source: eSentire

The POODLE vulnerability recently exposed in SSL version 3.0 is potentially serious, but it can be avoided by disabling SSL 3.0 on either the client or the server. Because of the way this vulnerability is exercised, we [eSentire] do not currently have signatures for detecting an exploit attempt in progress. However, we [eSentire] are actively researching methods of detection that can be rolled out to our [eSentire] sensors.

The mechanics of this exploit require Man-in-the-Middle access to the network between the client and server, which makes the largest potential threat either internal users or outside users accessing an insecure network.

The below post on the POODLE vulnerability outlines the configuration changes needed to disable SSL 3.0 on common servers and clients.

hxxps://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837 (Site experiencing heavy load)

Should disabling SSL 3.0 not be an option due to legacy system requirements, www.openssl.org/~bodo/ssl-poodle.pdf provides recommendations for using TLS_FALLBACK_SCSV to prevent SSL 3.0 from being used in a fallback scenario. Due to the age of SSL 3.0 there will be no patch, and disabling it may cause issues with older servers, so thorough testing is advised before fully disabling SSL 3.0 across all machines and servers.
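To make the TLS_FALLBACK_SCSV mechanism concrete, the following is an added example and not eSentire's or OpenSSL's code: a Python model of the handshake in which a client retries at SSL 3.0 with the signalling cipher suite set, and three server policies respond (a legacy server that ignores the SCSV, one that honours it, and one with SSL 3.0 disabled). The record layout follows the SSL 3.0/TLS ClientHello format and the alert codes are the real ones (86 inappropriate_fallback from RFC 7507, 70 protocol_version); the policy switches `honours_scsv` and `sslv3_enabled`, the helper names and the all-zero client random are assumptions made for the demonstration.

```python
# Added example: a model of the TLS_FALLBACK_SCSV (RFC 7507) exchange.
# Not eSentire's or OpenSSL's code; the server policy switches are assumptions.
import struct

SSL3_0 = (3, 0)
TLS1_0 = (3, 1)
TLS1_2 = (3, 3)
TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86     # sent by a compliant server on a bad downgrade
ALERT_PROTOCOL_VERSION = 70           # sent when the offered version is not enabled


def build_client_hello(version, cipher_suites, fallback=False):
    """Build a minimal ClientHello record (no extensions) at `version`.

    A client that retries at a lower version after a failed handshake sets
    fallback=True, which appends TLS_FALLBACK_SCSV to the cipher list so the
    server can tell that this downgrade was not its own choice."""
    suites = list(cipher_suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    body = (bytes(version)                          # client_version
            + b"\x00" * 32                          # client random (constructed, zeros)
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                               # 5-byte record + 4-byte handshake header
    version = (body[0], body[1])
    pos = 2 + 32                                    # version + random
    pos += 1 + body[pos]                            # session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return version, suites


def handle_client_hello(record, server_max=TLS1_2, sslv3_enabled=True, honours_scsv=True):
    """Server side. Returns ("server_hello", version) or ("alert", code).

    A server that honours the SCSV refuses a ClientHello carrying it at a
    version below the server's best: that is exactly the forced-downgrade step
    POODLE relies on. Disabling SSL 3.0 outright closes the hole regardless."""
    version, suites = parse_client_hello(record)
    if honours_scsv and TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if version == SSL3_0 and not sslv3_enabled:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("server_hello", min(version, server_max))


def downgrade_retry(**server_policy):
    """Model a client whose TLS 1.2 attempt was interrupted (the attacker's
    step in POODLE) and which now retries at SSL 3.0 with the SCSV set."""
    retry = build_client_hello(SSL3_0, [0x002F], fallback=True)   # 0x002F = AES128-SHA
    return handle_client_hello(retry, **server_policy)


if __name__ == "__main__":
    print("legacy server  :", downgrade_retry(honours_scsv=False))
    print("SCSV-aware     :", downgrade_retry())
    print("SSLv3 disabled :", downgrade_retry(honours_scsv=False, sslv3_enabled=False))
```

The legacy server accepts the SSL 3.0 retry, which is the state POODLE needs; the SCSV-aware server answers with alert 86 and the downgrade fails; a server with SSL 3.0 disabled refuses outright, which is the simplest fix when legacy clients allow it.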


September/October 2014: Hong Kong Protest Update
Source: Eze Castle Integration

The Hong Kong protest may continue for a period of time and the Hong Kong Stock Market is expected to be open unless the safety risk in the Central area increases. Therefore, Eze Castle Integration’s Hong Kong office will be open as usual. All Hong Kong staff are expected to report to the office or client site as scheduled. We are encouraging employees to check travel routes and allow extra time for commuting. Eze Castle Integration’s priority is the safety of our employees and being able to provide support to our clients. We will monitor the situation continuously and if we feel there is a safety risk, we could make further communication to release employees from the office. If you have any questions, contact your customer relationship manager, Richard Jowett 852 (3189) 0111.

September 25, 2014: "Bash Bug"/"Shell Shock" Exploit In-the-Wild
Source: eSentire

eSentire currently has visibility into considerable activity regarding the “shell shock” exploit (CVE-2014-6271 & CVE-2014-7169).

What You Should Know

  • “Bash” is a command shell and scripting language installed by default on most UNIX variants (including Linux and Mac OS).
  • The “Shell Shock” exploit targets an extremely severe vulnerability affecting all bash versions under Linux and Mac OS, and can potentially be exploited through any service that interacts with bash. This exploit has been deemed to be more dangerous than Heartbleed.
  • For Linux systems, there is a patch available for bash that mitigates this exploit, but there is currently no patch available for Mac OS.
  • Additional security testing is still happening against bash, and it is likely that more patches for this will be released soon.

Major Vectors for this Exploit Observed so Far

  • HTTP Requests & CGI Scripts (usually against Linux WWW Servers)

Essential Action

Actions you must take to protect yourself from this emerging threat:

  • We recommend upgrading bash immediately on any Linux machines in your environment to mitigate against this.
  • If you have machines running bash that expose a service to the Internet (especially Mac OS machines), we recommend taking those machines offline if possible until they can be patched.
  • If you have servers hosted by a third-party vendor running a UNIX variant, they will require updates. 
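Since the vector observed so far is HTTP requests against CGI scripts, a defender's first check is the web server log. The following is an added example, not eSentire's detection logic: it parses Apache combined-format log lines and flags those whose request line, referer or user-agent contains the bash function-definition marker `() {`, decoding percent-encoded request lines so an encoded probe is not missed. The log lines, addresses and paths are constructed samples.

```python
# Added example (not eSentire's code): find Shellshock probes in web server logs.
# The log lines below are constructed samples in Apache combined format.
import re
from urllib.parse import unquote

# Apache combined log format; quoted fields may contain escaped quotes (\")
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# "() {" is how bash recognises an exported function definition; probes vary
# the whitespace between the tokens, so allow any amount of it.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:31 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [25/Sep/2014:10:13:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:14:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { x;}; echo probe" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:15:44 +0000] "GET /cgi-bin/env.cgi?u=()%20%7B%20:;%7D; HTTP/1.1" 500 0 "-" "Wget/1.15"
198.51.100.7 - - [25/Sep/2014:10:16:00 +0000] "GET /about.html HTTP/1.1" 200 900 "http://example.org/()" "Mozilla/5.0"
"""


def find_shellshock_attempts(lines):
    """Return one finding per log line whose request line (URL-decoded),
    referer or user-agent contains a bash function definition."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue                                  # unparsable line: skip, do not crash
        fields = {
            "request": unquote(m.group("request")),   # probes may be percent-encoded in the URL
            "referer": m.group("referer"),
            "agent": m.group("agent"),
        }
        hit = [name for name, value in fields.items() if SHELLSHOCK_RE.search(value)]
        if hit:
            findings.append({"line": number, "client": m.group("client"),
                             "request": m.group("request"), "fields": hit})
    return findings


def clients_by_attempts(findings):
    """Count findings per source address; repeat offenders are block-list candidates."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_shellshock_attempts(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(clients_by_attempts(hits))
```

The last sample line carries `()` in a referer without a following brace and is correctly left alone; the fourth is only caught because the request line is URL-decoded before matching.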


August 24, 2014: San Francisco Earthquake Update
Source: Eze Castle Integration

A 6.0 magnitude earthquake struck Northern California Sunday morning. There was no damage reported to the business office in San Francisco and no damage reported at the Sacramento colocation facility. We do expect it will be business as usual for our San Francisco business operations on Monday morning. If you have any questions, please contact our Global Support Help Desk (http://eci.com/support/index.html).

July 31, 2014:  Phishing Campaign
Source: eSentire

Recently, eSentire became aware of a new phishing campaign utilizing Google Drive to obfuscate the redirect to the malicious content. This delivery mechanism has been detected across our client base and as such we are releasing this update to provide further information on this social engineering trend. Please be advised that any site that allows someone to host a file may be used for malicious purposes.

Examples of content seen in wild:

Fax Example:
“FAX” <fax@qcom.co.uk>
You have received fax from EPS76185555 at victimdomain
Scan date: Thu, 31 Jul 2014 16:53:10 +0700
Number of page(s): 2
Resolution: 400x400 DPI

Malicious Link: (goo[.]gl/t8jteIxx – hxxp://autoescuelajoaquinp[.]com/images/Document-95722[.]zip)

ADP Example:
"ADP Payroll" <Luis_Carlton@adp.com>

Attached is a summary of Origination activity for 07/31/2014
Download it from Google Disk Drive Inc.:
Malicious link (goo[.]gl/1rBYjxx – hxxp://pinkfeatherproductions[.]com/wp-content/uploads/2014/06/Document-95722[.]zip)

Examples of links that are malicious in email:
Displayed Link - Real destination of link
goo[.]gl/1rBYjxx – hxxp://pinkfeatherproductions[.]com/wp-content/uploads/2014/06/Document-95722[.]zip
goo[.]gl/t8jteIxx – hxxp://autoescuelajoaquinp[.]com/images/Document-95722[.]zip
goo[.]gl/RmGnbxx – hxxp://esys-comm[.]ro/images/Document-95722[.]zip

As always, eSentire recommends that you communicate with your users not to open attachments or click on links within emails of any type from an unknown source. Even if the email appears to be legitimate, encourage your users to scrutinize the content.
We will continue to monitor for changes in the malware that is being used and will adjust our blacklist in AMP as appropriate. As well, the second phase of this attack (downloading executables) is blocked when the EXEcutioner functionality is enabled. This will block the infection from ever happening.
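The “displayed link versus real destination” table above is the check worth automating on inbound mail. The following is an added example, not eSentire's code: it parses the anchors out of an HTML email body and flags display text that names a different host than the href, hrefs on a URL shortener, and destinations ending in an archive or executable extension. The email body, the `example.*` hosts and the short shortener list are constructed for the demonstration; `goo.gl` is listed only because it appears in the lures above.

```python
# Added example (not eSentire's code): triage links in an HTML email for the
# mismatches described in the advisory. Sample body and hosts are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}   # small, illustrative list
RISKY_SUFFIXES = (".zip", ".exe", ".scr", ".js", ".jar")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def with_scheme(url):
    return url if "://" in url else "http://" + url


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme ("goo.gl/x")."""
    return (urlsplit(with_scheme(url)).hostname or "").lower()


def assess_link(href, text):
    """Return the reasons a link deserves scrutiny (empty list = nothing found)."""
    reasons = []
    href_host = host_of(href)
    if URL_LIKE.match(text) and host_of(text) != href_host:
        reasons.append("displayed link and real destination differ")
    if href_host in SHORTENER_HOSTS:
        reasons.append("URL shortener hides the destination")
    if urlsplit(with_scheme(href)).path.lower().endswith(RISKY_SUFFIXES):
        reasons.append("destination is an archive or executable")
    return reasons


def triage_email(html):
    """Parse the HTML body and return every flagged link with its reasons."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = assess_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed lure modelled on the ADP-style example above
SAMPLE_EMAIL = """
<p>Attached is a summary of Origination activity for 07/31/2014.</p>
<p>Download it here: <a href="http://goo.gl/constructedA">payroll.example.com/summary</a></p>
<p>Or fetch <a href="http://files.example.net/uploads/Document-00000.zip">the document</a> directly.</p>
<p>Unsubscribe: <a href="https://www.example.com/news">https://www.example.com/news</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

A link can trip several checks at once (the first sample anchor is both a mismatch and a shortener); a mail gateway would typically quarantine on any archive or executable destination and hold shortener links for review, since the shortener's real target cannot be judged offline.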

July 29, 2014: Social Engineering Campaign Related to Symantec Issues
Source: eSentire

Symantec Corporation recently released a bulletin regarding a previous virus definition update that generates false positives for Trojan detection. Symantec has confirmed that they are currently preparing Rapid Release definitions which will remove this detection.

In parallel with this update from Symantec, eSentire is now aware of activity whereby threat actors are using this as an attack vector to socially engineer users into clicking on malicious content. This content is being delivered via email and contains an attachment and links to the content of concern. Symantec does not email patches for its software; it will be patched using Symantec’s repository and the update manager built into the application.

Emails that we’ve seen in the wild use the following title:
Symantec Notification: Download and install security patch
If you receive any such email do not open it and delete it.

What We Know:
Symantec released a virus definition update that contains false positive detection:

  • Threat actors are trying to leverage this flaw in Symantec Endpoint Protection
  • The Trojan variants are likely a hybrid of Zeus
  • Symantec has also released a public statement identifying the problem and is working to resolve it

How to further protect yourself from this emerging threat:

  • eSentire offers protection
  • EMET can help further prevent memory protection bypasses (http://www.microsoft.com/emet)
  • Ensure the use of proper user privileges

User education and awareness (infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments)

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources
  • Remind users to be cautious when clicking on links in emails coming from trusted sources


June 10, 2014: Vulnerability in Remote Desktop Could Allow Tampering (MS14-030)
Source: eSentire

On June 10, 2014, Microsoft released updates for the Windows Remote Desktop Protocol (MS14-030). The security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow tampering if an attacker gains access to the same network segment as the targeted system during an active Remote Desktop Protocol (RDP) session, and then sends specially crafted RDP packets to the targeted system. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

An attacker who successfully exploits this vulnerability could not only disclose information by reading RDP information during an active session, but also modify the information as well. The security update addresses the vulnerability by strengthening the encryption used by the Remote Desktop Protocol.

This security update is rated Important for all supported editions of Windows 7, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

As always, eSentire recommends that you update any systems running Windows RDP to the latest patch level. If automatic updates are enabled then make sure to restart your computer after installation.

Additional Information:



June 10, 2014: Microsoft IE Critical Patch
Source: eSentire

On June 10, 2014, Microsoft released updates for Internet Explorer (MS14-035). The security update resolves two publicly disclosed vulnerabilities and fifty-seven privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates permissions, and handles negotiation of certificates during a TLS session.

Rated Critical for:
IE 6, 7, 8, 9, 10, 11 on affected Windows clients

Rated Important for:
IE 6, 7, 8, 9, 10, 11 on affected Windows servers

As always, eSentire recommends that you update any systems running Internet Explorer to the latest patch level. If automatic updates are enabled then make sure to restart your computer after installation.

Additional Information:



June 6, 2014: New Open SSL Vulnerability
Source: eSentire

On June 5, 2014, the OpenSSL Development Team issued an OpenSSL Security Advisory identifying seven vulnerabilities. Of these seven, one is of particular importance: “SSL/TLS MITM vulnerability [CVE-2014-0224]”.

The SSL/TLS MITM vulnerability [CVE-2014-0224] affects an individual session. An attacker can use this vulnerability to force a handshake to use weak keying material in OpenSSL SSL/TLS clients and servers. Once this handshake has been made, the attacker can use a Man-In-The-Middle (MITM) attack to weaken the SSL encryption to decrypt traffic between the attacked client and server. For this attack to be successful, both the Server and Client must be running affected versions of OpenSSL. This attack is of particular concern on public Wi-Fi networks as attackers will have very easy access to eavesdrop and potentially modify communications while detection of this for the end users will be very difficult.

Note that any previous patching for the Heartbleed vulnerability did not cover these latest vulnerabilities.
The versions of OpenSSL that are affected are as follows:

For Clients: All versions of OpenSSL
Note that clients using Internet Explorer, Firefox, Safari, and Chrome (desktop and iOS) are not affected.

For Servers: versions 1.0.1 and 1.0.2-beta1

As always, eSentire recommends that you update any systems running OpenSSL to the latest patch level. Patches from OpenSSL are available now at https://www.openssl.org/:

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.

OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.

Additional Information:
One positive note is that this vulnerability does not affect your certificate private keys, meaning you do not need to re-key or re-issue your certificates.
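Deciding whether a given build is below the fixed release needs a correct reading of OpenSSL's letter suffixes (a..z, then za, zb, ...), which a plain string comparison gets wrong (“0.9.8y” sorts after “0.9.8za” as text). The following is an added example, not OpenSSL's or eSentire's code: it parses an `openssl version` string and compares it with the fixed releases listed above for its branch; branches the advisory does not list (such as 1.0.2-beta1) are reported as needing a vendor check rather than guessed. The inventory strings in the demo are constructed.

```python
# Added example (not OpenSSL's or eSentire's code): is this build at or past the
# fixed release for CVE-2014-0224 named in the advisory for its branch?
import re

# Fixed releases named in the advisory above, keyed by branch
FIXED_RELEASES = {"1.0.1": "1.0.1h", "1.0.0": "1.0.0m", "0.9.8": "0.9.8za"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn "OpenSSL 1.0.1g 7 Apr 2014" (or just "1.0.1g") into a sortable tuple.

    The suffix is compared first by length, then alphabetically, which gives
    "" < "a" < ... < "z" < "za" < "zb", matching OpenSSL's release order."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), (len(letters), letters))


def branch_of(version):
    return f"{version[0]}.{version[1]}.{version[2]}"


def needs_ccs_update(text):
    """True if the build predates its branch's fixed release, False if it is at
    or past it, None when the branch is not in the advisory's list (for example
    1.0.2-beta1, which must be checked against the vendor instead)."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(branch_of(version))
    if fixed is None:
        return None
    return version < parse_version(fixed)


def audit(version_strings):
    """Map each reported version string to its verdict (for fleet inventory output)."""
    return {s: needs_ccs_update(s) for s in version_strings}


if __name__ == "__main__":
    # Constructed inventory lines in the shape "openssl version" prints
    for line, verdict in audit(["OpenSSL 1.0.1g", "OpenSSL 1.0.1h", "OpenSSL 0.9.8y",
                                "OpenSSL 0.9.8za", "OpenSSL 1.0.2-beta1"]).items():
        state = "update" if verdict else ("ok" if verdict is False else "check vendor")
        print(f"{line:25} -> {state}")
```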

May 28, 2014: Dropbox Phishing Exploit
Source: eSentire

The exploit is being driven by an email where the subject line appears to be of the form:  “eFax message from “unknown” – 1 page(s), Caller-ID: 1-<number redacted by eSentire>”. The malware is hosted on dl.dropboxusercontent.com, a load-balancer for Dropbox content (hosted within Amazon), which ultimately attempts to download a file from soleilberbere<dot>com.

eSentire is recommending that you communicate with your users to not “blindly” open attachments of this type.

Additionally, having Dropbox broadly accessible poses some risk. If it is necessary for your users to have this functionality for their regular business functions, then you need to evaluate the value of that functionality compared to the risk of potentially downloading malware.

May 26, 2014: eBay Inc. asking all users to change passwords
Source: eSentire

On May 21st eBay Inc. (eBay) issued a news release (http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords) stating that it would be asking all eBay users to change their passwords because of a cyberattack that occurred in late February and early March. 

The attack was made possible by a small number of compromised employee log-in credentials and was detected about two weeks ago. The attackers targeted a database that contained encrypted passwords and other non-financial data. eBay has stated that they are working with law enforcement and leading security experts to aggressively investigate the matter. eBay also stated that “it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted”.

Though eBay may not be part of your corporate purchasing methods, eSentire recommends that your employees be informed of this breach in order to properly protect their own accounts by changing their eBay passwords as per the company’s request. It is also highly recommended that employees be reminded that passwords should not be reused across multiple services, websites, or other log-ins.

eBay has stated that their users will be notified via email, site communications and other marketing channels to change their password. Additionally, eBay is encouraging any eBay user who utilized the same password on other sites to change those passwords also.

May 1, 2014: Vulnerability in Internet Explorer Could Allow Remote Code Execution
Source: Eze Castle Integration

On May 1, 2014, Microsoft released a security update that resolves the publicly disclosed vulnerability that allows targeted attacks against Internet Explorer versions 6, 7, 8, 9, 10, and 11. The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory. 

This security update is rated Critical for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers.

RECOMMENDED ACTION: Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. As an added precaution, customers should check for updates using the Microsoft Update service.

Reference: https://technet.microsoft.com/en-US/library/security/2963983

April 28, 2014: Microsoft IE Exploit
Source: eSentire

On April 26th Microsoft issued a new Advisory (https://technet.microsoft.com/en-us/library/security/2963983.aspx) for a limited and targeted set of attacks that attempt to exploit a vulnerability in Internet Explorer (IE) versions 6 through 11 inclusive. At present, a Microsoft patch does not exist. We recognize that it is likely not possible to wholly exclude the use of IE within your environment. eSentire suggests a review of a blend of mitigation factors and techniques:

Mitigating Factors:
IE on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode (known as Enhanced Security Configuration) which mitigates this vulnerability.

All supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone by default. This zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code.  If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability.  In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.  An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Workarounds Include:

  • Deploy the Enhanced Mitigation Experience Toolkit 4.1 from the following link: http://www.microsoft.com/en-us/download/details.aspx?id=41138.
  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones.
  • Unregister VGX.DLL, or modify the Access Control List on VGX.DLL to be more restrictive.
  • Enable Enhanced Protected Mode for Internet Explorer 11.
  • Enable 64-bit processes for Enhanced Protected Mode.

eSentire will continue to block malicious content and sites (including IPs and websites) identified through a variety of means, including EXEcutioner, shared client analysis, honeypots, and the reporting infrastructure of various Information Sharing and Analysis Centers (ISACs). We also recommend that all end-users are warned to be especially careful about opening “odd-looking” attachments and clicking links in email.

April 28, 2014: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
Source: Eze Castle Integration

On April 28, 2014, Microsoft announced the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11. Read the complete Microsoft Security Advisory HERE.

RECOMMENDED ACTION: Microsoft recommends that customers apply the current update immediately using update management software, or by checking for updates using the Microsoft Update service. Alternatively, you can directly download with the links below:

Also, Eze Castle Integration advises clients to be careful when browsing websites for personal use and to be wary of links sent via Instant Messaging and email. Read guidance for Safe Internet Use HERE.

April 10, 2014: OpenSSL Vulnerability (Heartbleed Bug – CVE-2014-0160)
Source: eSentire

An OpenSSL vulnerability disclosed earlier this week (colloquially named HeartBleed) could make it possible for unauthenticated parties to mine server memory for data including private encryption keys, passwords, and other credentials. 
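For readers who want to see why the fix is a length check, the following is an added example and a model rather than OpenSSL's code: the same heartbeat message handled by a routine that trusts the declared payload length, next to one that applies the RFC 6520 bound (header + declared payload + 16 bytes of padding must fit in the record received). The “memory” image, with a constructed secret placed after the received record, and the helper names are assumptions made for the demonstration.

```python
# Added example (a model, not OpenSSL's code): the heartbeat bounds check whose
# absence caused Heartbleed, shown as the trusting handler beside the checked one.
import struct

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16        # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload, declared_len=None):
    """Heartbeat message: type(1) | payload_length(2) | payload | padding.

    A well-formed sender sets declared_len to the real payload size; the
    malformed case claims more bytes than it actually sends."""
    declared = len(payload) if declared_len is None else declared_len
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared) + payload + b"\x00" * PADDING_LEN


class Memory:
    """Receive buffer plus whatever sat after it on the heap, as one byte string.
    The adjacent bytes are a constructed stand-in for leftover process data."""

    def __init__(self, record, adjacent=b""):
        self.buf = record + adjacent
        self.record_len = len(record)


def trusting_handler(mem):
    """Pre-fix behaviour: copy payload_length bytes from after the header into
    the response without checking it against the record actually received."""
    hb_type = mem.buf[0]
    declared = struct.unpack("!H", mem.buf[1:3])[0]
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return mem.buf[3:3 + declared]          # may run past the record into adjacent memory


def checked_handler(mem):
    """Fixed behaviour (RFC 6520 section 4): silently discard any heartbeat
    whose header, declared payload and minimum padding do not fit the record."""
    if mem.record_len < 1 + 2 + PADDING_LEN:
        return None                          # too short to hold even an empty payload
    hb_type = mem.buf[0]
    declared = struct.unpack("!H", mem.buf[1:3])[0]
    if 1 + 2 + declared + PADDING_LEN > mem.record_len:
        return None                          # the Heartbleed case: declared > received
    if hb_type != HEARTBEAT_REQUEST:
        return None
    return mem.buf[3:3 + declared]


def compare(payload, declared_len, adjacent):
    """Run both handlers on the same constructed memory image."""
    mem = Memory(build_heartbeat(payload, declared_len), adjacent)
    return trusting_handler(mem), checked_handler(mem)


if __name__ == "__main__":
    secret = b"session=abc123; -----BEGIN RSA PRIVATE KEY----- (constructed)"
    print(compare(b"ping", None, secret))    # honest request: both echo b"ping"
    print(compare(b"ping", 64, secret))      # over-long claim: trusting leaks, checked drops
```

Because the declared length is a 16-bit field, each trusting response can return up to 64 KB beyond the record, which is why repeated requests can walk through a server's heap; the checked handler never reads outside the bytes that actually arrived.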

An excellent overview of the vulnerability may be found at: 


This is the vector of highest concern. If you are hosting externally-accessible infrastructure using a vulnerable version of OpenSSL (including most variants of Linux), it is recommended that:

* Patch the OpenSSL vulnerability (after testing said patch as appropriate; this may require a full test process cycle through your QA team to ensure continued operation).
* Revoke and re-issue certificates.
* Change any credentials that *could* have been compromised.
* Enable Perfect Forward Secrecy (PFS) if possible.

If you use a third-party provider to host your SSL-enabled website, they may need to patch the vulnerability on your behalf, inform you, and then allow you to proceed with renewing the certificate.

NOTE: In addition to most web server software running on Linux operating systems, OpenSSL is incorporated into many devices (including network devices, load balancers, VPN equipment, and videoconferencing equipment). The OpenSSL patch that has been released cannot generally be used to remedy this equipment, as the vendors themselves will usually need to incorporate the patch into their firmware release process (including their own QA cycle). If you have Internet-facing equipment that you suspect may be susceptible to this vulnerability (and you are unable to patch it), we recommend the following:

  1. Test your infrastructure yourself (via the tools/websites listed below) or arrange with the ESOC to query your externally-facing infrastructure (via esoc@esentire.com).

  2. If we identify that there is infrastructure susceptible to the HeartBleed vulnerability (and it cannot be patched readily), we can effect a sensor rule change in an attempt to mitigate it. The ESOC has been fielding these requests since the discovery of this vulnerability.

  3. If sensor mitigation is not possible (due to the location of the device), you may wish to consider an access control list/block rule for HTTPS on the device to block access from the Internet. This is an excellent opportunity to further restrict unneeded inbound traffic from the Internet.

You can test the stance of your externally-facing infrastructure by visiting (among other sites):


An excellent source (regularly updated) for vendor information may be found at:



While the primary concern (and risk vector) is from the external perspective, it is important to also realize that internal systems may be affected by this vulnerability. Possible vectors may include Network equipment, VMware implementations, firewalls, and niche systems (DNS, DHCP). Once external risks and concerns have been mitigated appropriately, it is critical to identify these systems and prepare a similar measured remediation response. 

There is a great deal of hyperbole surrounding this vulnerability. Rest assured that eSentire is dedicating significant effort to ensure that the vulnerability is resolved with the least amount of disruption. We recommend that you address these issues with similar rigor.

March 25, 2014: CryptoLocker Variant (CryptoDefense)
Source: eSentire

We have seen a recent increase in ransomware (malware) activity from CryptoDefense and would like to provide additional information on what has been discovered at this time. Please find below a more detailed investigation into the behavior and mitigation methods applicable to the CryptoDefense malware.

What We Know

Behavior of CryptoDefense:

  • Infections are occurring through spam emails (especially those disguised as sensational videos such as “Breaking News: Flight MH370 Footage”) and through programs that pretend to be Flash updates or video players required to view an online video. You can expect a social engineering campaign as part of this infection vector.
  • After the infection occurs there might be a 24 hour period before the malware actually starts to encrypt files. In some cases, the program appears to lie dormant for a time (perhaps to foil some malware analysis methodologies).
  • Connects to the Command and Control server and downloads the public key for encryption.
  • Deletes all Shadow Volume Copies so that you cannot restore your files from the Shadow Volumes. This means you will only be able to restore your files by restoring from backup or paying the ransom.
  • Scans your computer and encrypts data files such as text files, image files, video files, and office documents.
  • Creates a screenshot of your active Windows screen and uploads it to their Command & Control server.
  • Creates a How_Decrypt.txt and How_Decrypt.html file in every folder in which a file was encrypted. The HTML and TXT files contain instructions on how to access a payment site that can be used to send in the ransom.
  • Creates a HKCU\Software\<unique ID>\ registry key and stores various configuration information in it. It will also list all the encrypted files under the HKCU\Software\<unique ID>\PROTECTED key.

Associated CryptoDefense Files:

  • %UserProfile%\Desktop\HOW_DECRYPT.HTML
  • %UserProfile%\Desktop\HOW_DECRYPT.TXT
  • %UserProfile%\Desktop\HOW_DECRYPT.URL

Associated CryptoDefense Windows Registry Information:

  • HKEY_CURRENT_USER\Software\<unique id>
  • HKEY_CURRENT_USER\Software\<unique id>\PROTECTED
  • HKEY_CURRENT_USER\Software\<unique id> "finish" = "1"

Additional Information:

  • The files are encrypted with an RSA-2048 public key.
  • New malware similar to CryptoLocker or CryptorBit (there does not appear to be a direct connection to CryptoLocker or CryptorBit).
  • The decryptor costs $500 USD, and after 4 days it is $1000 USD (If not paid within a month the key is deleted and the files cannot be retrieved.)
  • Since this is a new variant some information is not known. We do not know if paying the ransom will actually decrypt your files. Please be cautious as some variants did not actually decrypt the files properly.
  • Potential victims infected with the Zeus botnet may have CryptoDefense installed onto their system via the pre-existing backdoor.
  • Pay attention to emails that claim to be a Xerox copier, delivering a PDF of an image, or from a major delivery service like UPS or FedEx offering tracking information. Another common form of phishing is via a bank letter confirming a wire or money transfer. [Phishing emails]
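The files and registry keys above are the host-level indicators to hunt for. The following is an added example, not eSentire's tooling: it walks a directory tree for the HOW_DECRYPT.* notes and for executables hiding behind a document double extension (the trick that showing full file extensions, recommended further down, exposes), and counts the folders holding a note as a rough measure of how far encryption spread. The registry keys are Windows-only and are not checked here; the sample tree is created in a temporary directory and is entirely constructed, as are the extension lists.

```python
# Added example (not eSentire's tooling): sweep a tree for CryptoDefense ransom
# notes and for executables masked as documents. Sample tree is constructed.
import os
import shutil
import tempfile

RANSOM_NOTES = {"how_decrypt.html", "how_decrypt.txt", "how_decrypt.url"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify(name):
    """Return "ransom_note", "masked_executable" or None for one file name."""
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return "ransom_note"
    stem, ext = os.path.splitext(lower)
    inner_ext = os.path.splitext(stem)[1]
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        return "masked_executable"          # e.g. invoice.pdf.exe shown as "invoice.pdf"
    return None


def scan_tree(root):
    """Walk root and group matching paths by indicator type."""
    findings = {"ransom_note": [], "masked_executable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                findings[kind].append(os.path.join(dirpath, name))
    return findings


def folders_with_notes(findings):
    """Distinct folders holding a ransom note: the note is dropped per encrypted
    folder, so this approximates the spread of the encryption."""
    return sorted({os.path.dirname(p) for p in findings["ransom_note"]})


def basenames(paths):
    return sorted(os.path.basename(p) for p in paths)


def build_sample_tree():
    """Constructed profile layout: two notes, one masked executable, benign files."""
    root = tempfile.mkdtemp(prefix="cd_demo_")
    layout = {
        "Desktop/HOW_DECRYPT.HTML": "<html>constructed note</html>",
        "Desktop/HOW_DECRYPT.TXT": "constructed note",
        "Documents/report.docx": "benign",
        "Downloads/invoice.pdf.exe": "MZ constructed",
        "Downloads/setup.exe": "MZ benign installer",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def run_demo():
    """Build the sample tree, scan it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for kind, paths in result.items():
        print(kind, len(paths), basenames(paths))
    print("folders with notes:", len(folders_with_notes(result)))
```

A plain `setup.exe` is deliberately not flagged: the signal is the document extension in front of the executable one, not the executable itself.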

eSentire Defenses

eSentire features that help protect you:

  • EXEcutioner can stop the download of malicious payloads over HTTP if you have instructed the ESOC to enable it.
  • AMP can stop the communication to known command and control servers.
  • Behavioral analysis tools can detect anomalous network behavior.
  • The ESOC can quarantine suspected systems at your direction or based on established policy.

Further Protection

How to further protect yourself from this emerging threat:

  • The variants eSentire has analyzed are caught by most up-to-date endpoint anti-virus systems
  • Ensure the use of proper user privileges
  • Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files).
  • User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments).
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources
  • Remind users to be cautious when clicking on links in emails coming from trusted sources

eSentire recommends blocking .zip and .exe file extensions on your SMTP server
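As an added example (not part of the eSentire advisory), the following read-only PowerShell audit checks the current user's registry for the CryptoDefense indicators listed above and for the "display full file extensions" setting recommended here. It assumes the indicator key is a direct child of HKCU\Software with a PROTECTED subkey and/or a "finish" value of "1", and uses the standard Explorer HideFileExt value.

```powershell
# Added example (not from the advisory): audit HKCU for the CryptoDefense registry
# indicators and for the "show file extensions" hardening. Reports only; changes nothing.
# Assumption: the indicator key is a direct child of HKCU\Software that has a
# "PROTECTED" subkey and/or a string value "finish" equal to "1".
function Find-CryptoDefenseRegistryIndicators {
    [CmdletBinding()]
    param([string]$Root = 'HKCU:\Software')

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_                                   # Microsoft.Win32.RegistryKey
        $hasProtected = $key.GetSubKeyNames() -contains 'PROTECTED'
        $finish = $key.GetValue('finish')           # $null when the value is absent
        if ($hasProtected -or "$finish" -eq '1') {
            [pscustomobject]@{
                Key          = $key.Name
                HasProtected = $hasProtected
                Finish       = $finish
            }
        }
    }
}

function Test-FileExtensionsVisible {
    # Explorer hides known extensions when HideFileExt = 1; the advisory wants them shown (0).
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $adv -Name 'HideFileExt' -ErrorAction SilentlyContinue).HideFileExt
    return ($v -eq 0)
}

$hits = @(Find-CryptoDefenseRegistryIndicators)
if ($hits.Count -gt 0) {
    Write-Warning 'Possible CryptoDefense indicators found; isolate the host and notify the SOC.'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No CryptoDefense registry indicators found under HKCU\Software.'
}
if (-not (Test-FileExtensionsVisible)) {
    Write-Warning 'Explorer is hiding file extensions (HideFileExt is not 0); enable "show extensions".'
}
```

Run it in the context of the user whose profile you are inspecting, since the indicators live under HKEY_CURRENT_USER.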


March 25, 2014: Microsoft Office RTF Exploit
Source: eSentire

We are aware of recent activity in the form of a specific exploit in the wild targeting Microsoft Office 2010. The vulnerability allows threat actors to execute code on a victim’s machine after the victim opens a specially crafted RTF document. If you are using Microsoft Word as the mail viewer in Microsoft Outlook, then previewing such files can also trigger the exploit. Please find below more details on the investigation into the behavior and the mitigation methods applicable to CVE-2014-1761.

What We Know
Current variants of CVE-2014-1761 (RTF Exploit):

  • Malicious document created to trigger a vulnerability in Microsoft Office 2010 (Doesn’t affect 2013)
  • Bypasses current Microsoft Windows Memory Protections (ASLR and DEP)
  • Drops a backdoor onto the system to maintain external access to the system
  • Disguises itself as svchost.exe
  • Communicates over HTTPS

Further Protection

How to further protect yourself from this emerging threat:

  • EMET can help further prevent memory protection bypasses (http://www.microsoft.com/emet)
  • Disable opening of RTF files
  • Enforce Word to open RTF files always in Protected View in Trust Center Settings
  • Avoid using Microsoft Word as your Microsoft Outlook mail previewer
  • Admins can choose to enforce Trust Center features via custom GPOs
  • Ensure the use of proper user privileges
  • User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments).
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources
  • Remind users to be cautious when clicking on links in emails coming from trusted sources
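As an added example (not part of the eSentire advisory), the PowerShell hunt below looks for processes that disguise themselves as svchost.exe, as the backdoor described above does. It assumes a legitimate svchost.exe runs from %SystemRoot%\System32 or SysWOW64 and carries a valid Microsoft Authenticode signature; anything else named svchost.exe is flagged for review.

```powershell
# Added example (not from the advisory): report running svchost.exe instances whose
# image path or signature does not match a genuine Windows svchost.exe.
# Read-only. Run from an elevated prompt; otherwise the paths of SYSTEM processes are hidden.
function Find-SuspiciousSvchost {
    [CmdletBinding()]
    param()

    $legitPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        $reasons = @()
        if (-not $path) {
            $reasons += 'image path unreadable (run elevated, or process already exited)'
        } elseif ($legitPaths -notcontains $path) {      # -notcontains is case-insensitive
            $reasons += "unexpected image path: $path"
        }
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signature status: $($sig.Status)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                ParentId  = $_.ParentProcessId
                Path      = $path
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

$suspects = @(Find-SuspiciousSvchost)
if ($suspects.Count -gt 0) {
    Write-Warning 'svchost.exe instances that need a closer look:'
    $suspects | Format-Table -AutoSize
} else {
    Write-Output 'All running svchost.exe instances have the expected path and signature.'
}
```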

March 17, 2014: Security Advisory: Google
Source: eSentire

Quite recently, Google has been hit hard by malicious attackers.

First Case in Point: Yesterday, Google’s DNS server ( was hijacked for 22 minutes (affecting networks in Brazil and Venezuela) through a BGP Man-In-The-Middle Attack.

Second Case in Point: Google’s Code repository site continues to be an increasingly attractive distribution vector for malware.  

Note: the *.googlecode.com domain is NOT whitelisted by default within the eSentire EXEcutioner.

Examples of recent malware:
hXXp://dk1234[dot]googlecode.com/svn/trunk/SuMoCF[dot]zip  (obviously obfuscated)

We recommend that:

  1. End-users are informed that not all Google domains are “clean”.

  2. All downloads from *.googlecode.com be analyzed, and NOT permitted by default.

This advisory is meant to inform you that while Google may be trusted within your organization, it is evident that not all code hosted by Google should be considered safe (and to give you an idea of what a malicious URL hosted by Google Code would appear as).

March 12, 2014: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Source: eSentire

Wireless LAN or Wi-Fi plays a critical role in many of our customers’ ongoing day-to-day business operations. Cisco® has released a Security Advisory covering multiple vulnerabilities in its Wireless LAN Controller product family, including potential unauthenticated access to the devices and DoS conditions. There are six (6) different vulnerabilities affecting a variety of Cisco WLCs and WiSMs:

Cisco Wireless LAN Controller Denial of Service Vulnerability
A vulnerability in the WebAuth feature of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause the device to reload.

Cisco Wireless LAN Controller Unauthorized Access to Associated Access Points Vulnerability
A vulnerability in the Cisco IOS code that is pushed to Cisco Aironet 1260, 2600, 3500, and 3600 Series access points (AP) by a Cisco Wireless LAN Controller (WLC) could allow an unauthenticated, remote attacker to gain unauthorized, privileged access to the affected device.

Cisco Wireless LAN Controller IGMP Version 3 Denial of Service Vulnerability
A vulnerability in the IGMP processing subsystem of Cisco Wireless LAN Controllers (WLC) could allow an unauthenticated, remote attacker to cause a DoS condition.

Cisco Wireless LAN Controller MLDv2 Denial of Service Vulnerability
A vulnerability in the multicast listener discovery (MLD) service of a Cisco WLC configured for IPv6 could allow an unauthenticated, remote attacker to cause a denial of service condition.

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

Cisco Wireless LAN Controller Crafted Frame Denial of Service Vulnerability
A vulnerability in the Cisco WLC could allow an unauthenticated, remote attacker to trigger a critical error, resulting in a DoS condition while the device restarts.

Successful exploitation of these vulnerabilities could allow an unauthenticated, remote attacker to cause an affected device to reload or to take complete control of the affected device. Repeated exploitation could result in a sustained DoS condition. Cisco has documented the full impact of these vulnerabilities along with Common Vulnerability Scoring System (CVSS) scores for each, a full list of the affected products, the software versions, fixes and workarounds, and where to obtain the fixed software at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-wlc

eSentire recommends that patch hygiene be maintained, wherever possible.

March 5, 2014: TLS Triple Handshake Attack
Source: eSentire

On the heels of Apple’s SSL disclosures earlier this month, a group of researchers (https://secure-resumption.com/) have presented a new class of attacks against applications that rely on TLS to secure communications. Whereas the recent attacks are due to implementation errors, this new class of attacks is based on unanticipated usage of the protocol (specifically, session resumption followed by client authentication during renegotiation).

In short, if a client connects to a malicious server and presents a client credential, the server can then impersonate the client at any other server that accepts the same credential. The malicious server performs a man-in-the-middle attack across three successive handshakes between the “honest” client and server and succeeds in impersonating the client on the third handshake.

These renegotiation attacks affect a wide array of TLS implementations, web browsers and servers, HTTPS client libraries, and VPN applications.

The researchers appear to have done an exceedingly good job of documenting the procedure (including a video clip). They also appear to have followed responsible vulnerability disclosure guidelines; they have listed those vendors who have issued product updates in response (including Internet Explorer, Chrome, Opera, Android, Mozilla, Safari, and iOS) at: https://secure-resumption.com/#disclosure

eSentire recommends that patch hygiene be maintained, wherever possible.

If you are interested in “edge cases” that break bedrock encryption protocols, a detailed description of the attacks is available at https://secure-resumption.com.

February 25, 2014: Apple SSL (Secure Transport) Vulnerabilities
Source: eSentire

Regarding the SSL (Secure Transport) vulnerability detailed by Apple (affecting both Mavericks and Mountain Lion):

Vulnerability/Concern:
In short, the Secure Transport validation mechanism failed to validate the authenticity of the connection. This issue has been addressed for all Apple devices by restoring specific missing validation steps.  The failure of Secure Transport validation could allow full transparent interception of HTTPS traffic and could aid in making Man-In-The-Middle attempts more successful.

Affected Software:
Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Apple has issued fixes for iOS in version 7.0.6 and, most recently, for OS X in OS X 10.9.2.

Software Not Affected:
The vulnerability is not present in versions of OS X prior to OS X 10.9 Mavericks or iOS prior to iOS 6.

Corrective Actions for Affected Software:
Current recommendations for affected iOS versions 7.0.5 (or older):

  • Update to version 7.0.6 as soon as possible over a trusted transfer medium (i.e. not open WiFi networks)

Current recommendations for OS X versions older than 10.9.2 include:

  • Update to OS X 10.9.2 as soon as possible over a trusted transfer medium (i.e. not open WiFi networks)

If it is not possible (for some reason) to update to OS X 10.9.2, we recommend the following mitigation methods:

  • Use a browser other than Safari (currently Firefox and Chrome have been deemed safe, as they use their own SSL/TLS libraries). Note, however, that many other installed applications use the embedded SSL/TLS libraries and should still be considered at risk.
  • Avoid using public and unsecured networks susceptible to MiTM attacks (especially open WiFi networks)

NOTE: Antivirus or IDP protection mechanisms cannot feasibly defend against this vulnerability.

More details regarding the security content of OS X 10.9.2 (and Security Update 2014-001) may be found at: http://support.apple.com/kb/HT6150