Friday, 24. February 2017

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 20, 2017

I’ve been fascinated with the rise and fall of exploit kits, especially the ones that are really popular that disappear seemingly overnight. Angler was one that at one point, contributed 59.5% in the total exploit kit activity for 2015. But now it’s presumed dead as of June 2016 after the arrest of a hacker gang. After Angler, there was a big move to Neutrino, but even Neutrino activity is down to a trickle. A lot of factors can contribute to the demise of an exploit kit – the authors may get caught, or competition from other exploit kits.

Earlier this month, we announced our machine learning capabilities using our TippingPoint solutions. We collect statistical information about web pages and other protocols and make decisions based on models we’ve created using machine learning to determine what is good and what is bad. This can be applied to our Digital Vaccine® (DV) filters to block exploit kits, obfuscated content (e.g. JavaScript, HTML), polymorphic malware, and other malicious content. In this week’s ThreatDV package, we have added a new filter that uses our machine learning intelligence to protect against the Rig/Sundown exploit kits, which have gained in popularity after the fall of Angler and Neutrino.

•  26901: HTTP: Obfuscated HTML Usage in Exploit Kits (Rig/Sundown)

Zero Day Initiative Filters Settings Adjustment

Starting with this week’s Digital Vaccine® (DV) package, all newly added pre-disclosed Zero Day Initiative (ZDI) filters which would typically be configured to Block / Notify as a Recommended Setting will instead be set to Block / Notify / Trace. This is done in an effort to ensure network traces are always available for customers who wish to contact TippingPoint in the event of a ZDI pre-disclosed filter firing. In addition, over the next few weeks, all ZDI pre-disclosed filters shipped in previous DV packages that match these criteria will be modified to add the trace setting as well. This change will not impact any filter which has been manually overridden. Customers can contact the TippingPoint Technical Assistance Center (TAC) for additional information.

Adobe Updates

This week’s Digital Vaccine (DV) package includes coverage for the Adobe Security Bulletins released on or before February 21, 2017. The following table maps Digital Vaccine filters to the Adobe Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:

Bulletin # CVE # Digital Vaccine Filter # Status APSB17-04 CVE-2017-2982 27144 APSB17-04 CVE-2017-2984 27145 APSB17-04 CVE-2017-2985 27146 APSB17-04 CVE-2017-2986 27154 APSB17-04 CVE-2017-2987 – Insufficient Vendor Information APSB17-04 CVE-2017-2988 27147 APSB17-04 CVE-2017-2990 27153 APSB17-04 CVE-2017-2992 27213 APSB17-04 CVE-2017-2991 27155 APSB17-04 CVE-2017-2993 27148 APSB17-04 CVE-2017-2994 27149 APSB17-04 CVE-2017-2995 27150 APSB17-04 CVE-2017-2996 27151  

Zero-Day Filters

There are 10 new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (5)

•  27149: HTTP: Adobe Flash removeEventListener Use-After-Free Vulnerability (ZDI-17-110)
•  27150: HTTP: Adobe Flash MessageChannel Type Confusion Vulnerability (ZDI-17-109)
•  27158: ZDI-CAN-4334: Zero Day Initiative Vulnerability (Adobe Reader DC)
•  27159: ZDI-CAN-4335: Zero Day Initiative Vulnerability (Adobe Reader DC)
•  27160: ZDI-CAN-4336: Zero Day Initiative Vulnerability (Adobe Reader DC) 

Apple (1)

•  27157: ZDI-CAN-4329: Zero Day Initiative Vulnerability (Apple Mac OS) 

Delta (1)

•  27215: ZDI-CAN-4045: Zero Day Initiative Vulnerability (Delta Industrial Automation PMSoft) 

Hewlett Packard Enterprise (1)

•  26815: HTTP: HPE Operations Orchestration Backwards Compatibility Deserialization Vulnerability(ZDI-17-001) 

SpiderControl (2)

•  27216: ZDI-CAN-4174: Zero Day Initiative Vulnerability (SpiderControl SCADA)
•  27217: ZDI-CAN-4194: Zero Day Initiative Vulnerability (SpiderControl SCADA) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.