• US-CERT alert

    From Ben Ritchey@1:393/68 to All on Wed Jul 15 01:15:55 2015
    NCCIC / US-CERT

    National Cyber Awareness System:

    TA15-195A: Adobe Flash and Microsoft Windows Vulnerabilities
    07/14/2015 07:13 PM EDT


    Original release date: July 14, 2015

    Systems Affected
    Microsoft Windows systems with Adobe Flash Player installed.

    Overview
    Used in conjunction, recently disclosed vulnerabilities in Adobe Flash and Microsoft Windows may allow a remote attacker to execute arbitrary code with system privileges. Since attackers continue to target and find new vulnerabilities in popular, Internet-facing software, updating is not sufficient, and it is important to use exploit mitigation and other defensive techniques.

    Description
    The following vulnerabilities illustrate the need for ongoing mitigation techniques and prioritization of updates for highly targeted software:

    Adobe Flash use-after-free and memory corruption vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123)
    Adobe Flash Player contains critical vulnerabilities within the ActionScript 3 ByteArray, opaqueBackground and BitmapData classes. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on a vulnerable system.

    Microsoft Windows Adobe Type Manager privilege escalation vulnerability (CVE-2015-2387)
    The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain system privileges on an affected Windows system. The Adobe Type Manager is a Microsoft Windows component present in every version since NT 4.0. The primary impact of exploiting this vulnerability is local privilege escalation.

    Vulnerability Chaining
    By convincing a user to visit a website or open a file containing specially crafted Flash content, an attacker could combine any one of the three Adobe Flash vulnerabilities with the Microsoft Windows vulnerability to take full control of an affected system.

    A common attack vector for exploiting a Flash vulnerability is to entice a user
    to load Flash content in a web browser, and most web browsers have Flash installed and enabled. A second attack vector for Flash vulnerabilities is through a file (such as an email attachment) that embeds Flash content. Another
    technique leverages Object Linking and Embedding (OLE) capabilities in Microsoft Office documents to automatically download Flash content from a remote server.

    An attacker who is able to execute arbitrary code through the Flash vulnerability could exploit the Adobe Type Manager vulnerability to gain elevated system privileges. The Adobe Type Manager vulnerability allows the attacker to bypass sandbox defenses (such as those found in Adobe Reader and Google Chrome) and low integrity protections (such as Protected Mode Internet Explorer and Protected View for Microsoft Office).

    Impact
    The Adobe Flash vulnerabilities can allow a remote attacker to execute arbitrary code. Exploitation of the Adobe Type Manager vulnerability could then allow the attacker to execute code with system privileges.

    Solution
    Since attackers regularly target widely deployed, Internet-accessible software such as Adobe Flash and Microsoft Windows, it is important to prioritize updates for these products to defend against known vulnerabilities.

    Since attackers regularly discover new vulnerabilities for which updates do not
    exist, it is important to enable exploit mitigation and other defensive techniques.

    Apply Security Updates
    The Adobe Flash vulnerabilities (CVE-2015-5119, CVE-2015-5122, CVE-2015-5123) are addressed in Adobe Security Bulletins APSB15-16 and APSB15-18. Users are encouraged to review the Bulletins and apply the necessary updates.

    The Microsoft Windows Adobe Type Manager vulnerability (CVE-2015-2387) is addressed in Microsoft security Bulletin MS15-077. Users are encouraged to review the Bulletin and apply the necessary updates.

    Additional information regarding the vulnerabilities can be found in Vulnerability Notes VU#561288, VU#338736, VU#918568, and VU#103336.

    Limit Flash Content
    Do not run untrusted Flash content. Most web browsers have Flash enabled by default; however, it may be possible to enable click-to-play features. For information see http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

    Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET)
    EMET can be used to help prevent exploitation of the Flash vulnerabilities. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. See the following link for additional information: http://www.microsoft.com/en-us/download/details.aspx?id=46366

    References
    [1] http://www.kb.cert.org/vuls/id/561288
    [2] http://www.kb.cert.org/vuls/id/103336
    [3] http://www.kb.cert.org/vuls/id/338736
    [4] http://www.kb.cert.org/vuls/id/918568
    [5] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119
    [6] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119
    [7] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5123
    [8] http://helpx.adobe.com/security/products/flash-player/apsb15-16.html
    [9] https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
    [10] http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser
    [11] https://www.microsoft.com/en-us/download/details.aspx?id=46366
    Revision History
    July 14, 2015: Initial Release

    -------------------------------------------------------------------------------
    A copy of this publication is available at www.us-cert.gov. If you need help or have questions, please send an email to info@us-cert.gov. Do not reply to this message since this email was sent from a notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT@ncas.us-cert.gov to your address book.


    -------------------------------------------------------------------------------
    This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf of:
    United States Computer Emergency Readiness Team (US-CERT) 245 Murray Lane SW Bldg 410 Washington, DC 20598 (888) 282-0870 Powered by GovDelivery



    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://cmech.dynip.com/homepage/
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)
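    The alert names Office documents that pull Flash content from a remote server through OLE as one delivery path. As an added example, not part of the alert or of any Adobe or Microsoft tooling, the Python below inspects an OOXML document for that pattern from the defender's side: it walks the package, finds OLE objects whose ProgID identifies the Flash ActiveX control, resolves the object's relationship, and reports whether the target is external (fetched when the document is opened). The sample document, the ProgID suffix ".11", the host name and the relationship id are constructed for this example; the namespace URIs and the "ShockwaveFlash.ShockwaveFlash" ProgID prefix are the real ones.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML namespace URIs.
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
O_NS = "urn:schemas-microsoft-com:office:office"

# ProgID prefix Office records for an embedded or linked Flash ActiveX object.
FLASH_PROGID_PREFIX = "ShockwaveFlash.ShockwaveFlash"


def _rels_path(part: str) -> str:
    """Relationships part belonging to a package part (word/document.xml -> word/_rels/document.xml.rels)."""
    directory, name = posixpath.split(part)
    return posixpath.join(directory, "_rels", name + ".rels")


def _load_rels(zf: zipfile.ZipFile, part: str) -> dict:
    """Map relationship Id -> (Target, is_external) for one part."""
    path = _rels_path(part)
    if path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(path))
    rels = {}
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        rels[rel.get("Id")] = (rel.get("Target"), rel.get("TargetMode") == "External")
    return rels


def scan_ooxml(data: bytes) -> list:
    """Return one finding per OLE object whose ProgID identifies Flash.

    A finding records the part, the ProgID, the OLE Type attribute (Embed/Link),
    the relationship target and whether that target is external to the package.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # not well-formed XML; skip rather than abort the scan
            rels = None
            for elem in root.iter():
                progid = elem.get("ProgID") or ""
                if not progid.startswith(FLASH_PROGID_PREFIX):
                    continue
                if rels is None:
                    rels = _load_rels(zf, part)  # load lazily, only when needed
                target, external = rels.get(elem.get(f"{{{R_NS}}}id"), (None, False))
                findings.append({"part": part, "progid": progid, "type": elem.get("Type"),
                                 "target": target, "external": external})
    return findings


def build_sample_docx(progid: str = FLASH_PROGID_PREFIX + ".11",
                      target: str = "http://flash-host.invalid/movie.swf") -> bytes:
    """Constructed minimal .docx with one linked OLE object (only the parts the scanner reads)."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}" xmlns:o="{O_NS}" xmlns:r="{R_NS}">
  <w:body><w:p><w:r><w:object>
    <o:OLEObject Type="Link" ProgID="{progid}" ShapeID="_x0000_i1025"
                 DrawAspect="Content" ObjectID="_1" r:id="rId5" UpdateMode="Always"/>
  </w:object></w:r></w:p></w:body>
</w:document>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId5" Type="{R_NS}/oleObject" Target="{target}" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ooxml(build_sample_docx()):
        print(f"{f['part']}: {f['progid']} ({f['type']}) -> {f['target']} external={f['external']}")
```

    An external Flash target is the case worth alerting on at a mail gateway or in triage, since it is the form that downloads content when the document is opened; an embedded (Type="Embed") object still deserves a look, but its payload is inside the package and can be extracted and scanned directly.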
  • From Ben Ritchey@1:393/68 to All on Sat Aug 1 22:24:34 2015
    NCCIC / US-CERT

    National Cyber Awareness System:

    TA15-213A: Recent Email Phishing Campaigns – Mitigation and Response Recommendations
    08/01/2015 06:01 PM EDT


    Original release date: August 01, 2015

    Systems Affected
    Microsoft Windows Systems, Adobe Flash Player, and Linux

    Overview
    Between June and July 2015, the United States Computer Emergency Readiness Team
    (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures.

    Description
    US-CERT is aware of three phishing campaigns targeting U.S. Government agencies
    and private organizations across multiple sectors. All three campaigns leveraged website links contained in emails; two sites exploited a recent Adobe
    Flash vulnerability (CVE-2015-5119) while the third involved the download of a compressed (i.e., ZIP) file containing a malicious executable file. Most of the
    websites involved are legitimate corporate or organizational sites that were compromised and are hosting malicious content.

    Impact
    Systems infected through targeted phishing campaigns act as an entry point for attackers to spread throughout an organization's entire enterprise, steal sensitive business or personal information, or disrupt business operations.

    Solution
    Phishing Mitigation and Response Recommendations

    Implement perimeter blocks for known threat indicators:
    Email server or email security gateway filters for email indicators
    Web proxy and firewall filters for websites or Internet Protocol (IP) addresses linked in the emails or used by related malware
    DNS server blocks (blackhole) or redirects (sinkhole) for known related domains and hostnames
    Remove malicious emails from targeted user mailboxes based on email indicators (e.g., using Microsoft ExMerge).
    Identify recipients and possible infected systems:
    Search email server logs for applicable sender, subject, attachments, etc. (to identify users that may have deleted the email and were not identified in the purge of mailboxes)
    Search applicable web proxy, DNS, firewall or IDS logs for activity indicating the malicious link was clicked.
    Search applicable web proxy, DNS, firewall or IDS logs for activity to any command and control (C2) domains or IP addresses associated with the malware.
    Review anti-virus (AV) logs for alerts associated with the malware. AV products should be configured to be in quarantine mode. It is important to note that the absence of AV alerts or a clean AV scan should not be taken as conclusive evidence that a system is not infected.
    Scan systems for host-level indicators of the related malware (e.g., YARA signatures)
    For systems that may be infected:
    Capture live memory of potentially infected systems for analysis
    Take forensic images of potentially infected systems for analysis
    Isolate systems to a virtual local area network (VLAN) segmented from the production agency network (e.g., an Internet-only segment)
    Report incidents, with as much detail as possible, to the NCCIC.
    Educate Your Users

    Organizations should remind users that they play a critical role in protecting their organizations from cyber threats. Users should:

    Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Be particularly wary of compressed or ZIP file attachments.
    Avoid clicking directly on website links in emails; attempt to verify web addresses independently (e.g., contact your organization's helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
    Report any suspicious emails to the information technology (IT) helpdesk or security office immediately.
    Basic Cyber Hygiene

    Practicing basic cyber hygiene would address or mitigate the vast majority of security breaches handled by today's security practitioners:

    Privilege control (i.e., minimize administrative or superuser privileges)
    Application whitelisting / software execution control (by file or location)
    System application patching (e.g., operating system vulnerabilities, third-party vendor applications)
    Security software updating (e.g., AV definitions, IDS/IPS signatures and filters)
    Network segmentation (e.g., separate administrative networks from business-critical networks with physical controls and virtual local area networks)
    Multi-factor authentication (e.g., one-time password tokens, personal identity verification (PIV) cards)
    Further Information

    For more information on cybersecurity best practices, users and administrators are encouraged to review US-CERT Security Tip: Handling Destructive Malware to evaluate their capabilities encompassing planning, preparation, detection, and response. Another resource is ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.

    References
    Executive Order 13636: Cybersecurity Framework
    US-CERT Security Tip: Handling Destructive Malware
    ICS-CERT Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
    Revision History
    August 1, 2015: Initial Release


    === Cut ===

    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://cmech.dynip.com/homepage/
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)
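    The "identify recipients and possible infected systems" steps above amount to sweeping mail-gateway and web-proxy logs for the campaign's indicators. As an added example, not taken from the alert or from any US-CERT tooling, the Python below runs that sweep over constructed log lines: it matches messages by sender or by subject (so that a message with the same lure but a different or spoofed sender is still found), matches proxy requests by the compromised site's domain or any subdomain of it, and returns the mailbox list to purge and the host list to isolate and image. The indicators, the log layouts and all addresses are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicators for this walkthrough (not from the alert).
INDICATORS = {
    "senders": {"payroll-update@notify-hr.invalid"},
    "subjects": {"Updated payroll form - action required"},
    "domains": {"docs.compromised-site.invalid"},  # compromised site hosting the link target
}

# Constructed mail-gateway log lines; the key=value layout is an assumption of this example.
MAIL_LOG = """\
2015-07-21T13:02:11Z qid=A1 from=<payroll-update@notify-hr.invalid> to=<alice@example.invalid> subject="Updated payroll form - action required"
2015-07-21T13:02:12Z qid=A2 from=<payroll-update@notify-hr.invalid> to=<bob@example.invalid> subject="Updated payroll form - action required"
2015-07-21T13:05:40Z qid=A3 from=<newsletter@vendor.invalid> to=<carol@example.invalid> subject="July newsletter"
2015-07-21T13:09:03Z qid=A4 from=<hr@example.invalid> to=<dave@example.invalid> subject="Updated payroll form - action required"
"""

# Constructed web-proxy log lines: time client method url status bytes.
PROXY_LOG = """\
2015-07-21T13:10:02Z 10.1.2.34 GET http://docs.compromised-site.invalid/forms/payroll.html 200 3412
2015-07-21T13:10:03Z 10.1.2.34 GET http://docs.compromised-site.invalid/forms/p.swf 200 81233
2015-07-21T13:11:15Z 10.1.2.57 GET http://vendor.invalid/newsletter/july 200 1822
2015-07-21T13:14:48Z 10.1.2.88 GET http://docs.compromised-site.invalid/forms/payroll.html 200 3412
"""

MAIL_RE = re.compile(
    r'^(?P<ts>\S+) qid=(?P<qid>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'subject="(?P<subject>[^"]*)"'
)
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$'
)


def _domain_matches(host, domains) -> bool:
    """True if host is an indicator domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_recipients(mail_log: str, indicators: dict) -> dict:
    """Map recipient -> queue ids of messages matching a sender OR subject indicator."""
    hits = defaultdict(list)
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        if m["sender"].lower() in indicators["senders"] or m["subject"] in indicators["subjects"]:
            hits[m["rcpt"].lower()].append(m["qid"])
    return dict(hits)


def find_clicks(proxy_log: str, indicators: dict) -> dict:
    """Map client IP -> URLs requested from an indicator domain (i.e., the link was followed)."""
    hits = defaultdict(list)
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        if _domain_matches(urlsplit(m["url"]).hostname, indicators["domains"]):
            hits[m["client"]].append(m["url"])
    return dict(hits)


def triage(mail_log: str, proxy_log: str, indicators: dict) -> dict:
    """Combine both sweeps into the two action lists the alert's procedure calls for."""
    return {
        "purge_mailboxes": sorted(find_recipients(mail_log, indicators)),
        "isolate_and_image": sorted(find_clicks(proxy_log, indicators)),
    }


if __name__ == "__main__":
    for action, items in triage(MAIL_LOG, PROXY_LOG, INDICATORS).items():
        print(f"{action}: {', '.join(items)}")
```

    Note that the fourth message (queue id A4) is caught only by its subject: its sender is an internal address, so a sweep keyed on the sender indicator alone would have missed a recipient. Matching on more than one indicator class is what makes the mailbox purge complete.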
  • From Ben Ritchey@1:393/68 to All on Thu Aug 20 18:11:07 2015
    NCCIC / US-CERT

    National Cyber Awareness System:

    Alert (TA14-017A) UDP-Based Amplification Attacks

    Original release date: January 17, 2014 | Last revised: August 19, 2015
    Systems Affected
    Certain UDP protocols have been identified as potential attack vectors:

    DNS
    NTP
    SNMPv2
    NetBIOS
    SSDP
    CharGEN
    QOTD
    BitTorrent
    Kad
    Quake Network Protocol
    Steam Protocol
    RIPv1
    Multicast DNS (mDNS)
    Portmap
    Overview
    A Distributed Reflective Denial of Service (DRDoS) attack is a form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible UDP servers, as well as bandwidth amplification factors, to overwhelm a victim system with UDP traffic.

    Description
    UDP, by design, is a connection-less protocol that does not validate source IP addresses. Unless the application-layer protocol uses countermeasures such as session initiation, it is very easy to forge the IP packet datagram to include an arbitrary source IP address [1]. When many UDP packets have their source IP address forged to a single address, the server responds to that victim, creating a reflected Denial of Service (DoS) Attack.

    Recently, certain UDP protocols have been found to have particular responses to
    certain commands that are much larger than the initial request. Previously, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack; now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large
    scale, DDoS attacks can be conducted with relative ease.

    To measure the potential effect of an amplification attack, a metric called the
    bandwidth amplification factor (BAF) is used. BAF can be calculated as the number of UDP payload bytes that an amplifier sends to answer a request, compared to the number of UDP payload bytes of the request [2] [3].

    The known protocols and their associated bandwidth amplification factors are listed below. US-CERT offers thanks to Christian Rossow for providing this information. For more information on bandwidth amplification factors, please see Christian's blog and associated research paper.

    Protocol                 Bandwidth Amplification Factor   Vulnerable Command
    DNS                      28 to 54                         see: TA13-088A [4]
    NTP                      556.9                            see: TA14-013A [5]
    SNMPv2                   6.3                              GetBulk request
    NetBIOS                  3.8                              Name resolution
    SSDP                     30.8                             SEARCH request
    CharGEN                  358.8                            Character generation request
    QOTD                     140.3                            Quote request
    BitTorrent               3.8                              File search
    Kad                      16.3                             Peer list exchange
    Quake Network Protocol   63.9                             Server info exchange
    Steam Protocol           5.5                              Server info exchange
    Multicast DNS (mDNS)     2 to 10                          Unicast query
    RIPv1                    131.24                           Malformed request
    Portmap (RPCbind)        7 to 28                          Malformed request

    In March 2015, Software Engineering Institute CERT issued Vulnerability Note (VU#550620) describing the use of mDNS in DRDoS attacks. Attackers can leverage mDNS by sending more information than can be handled by the device, thereby causing a DoS. [6]

    In July 2015, Akamai Technologies' Prolexic Security Engineering and Research Team (PLXsert) issued a threat advisory describing a surge in DRDoS attacks using the Routing Information Protocol version one (RIPv1). Malicious actors are leveraging the behavior of RIPv1 for DDoS reflection through specially crafted request queries [7].

    In August 2015, Level 3 Threat Research Labs reported a new form of DRDoS attack that uses portmap. Attackers leverage the behavior of the portmap service through spoofed requests and flood a victim's network with UDP traffic. [8]

    Impact
    Attackers can utilize the bandwidth and relative trust of large servers that provide the above UDP protocols to flood victims with unwanted traffic, a DDoS attack.

    Solution
    DETECTION
    Detection of DRDoS attacks is not easy because of their use of large, trusted servers that provide UDP services. Network operators of these exploitable services may apply traditional DoS mitigation techniques. In addition, watch out for abnormally large responses to a particular IP address, which may indicate that an attacker is using the service to conduct a DRDoS attack.

    MITIGATION
    Source IP Verification

    Because the UDP requests being sent by the attacker-controlled clients must have a source IP address spoofed to appear as the victim's IP, the first step to reducing the effectiveness of UDP amplification is for Internet service providers (ISPs) to reject any UDP traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force (IETF) released Best Current Practice 38 in May 2000 and Best Current Practice 84 in March 2004. These documents describe how an ISP can filter network traffic on their network to reject packets with source addresses not reachable via the actual packet's path [9] [10]. Recommended changes would cause a routing device to evaluate whether it is possible to reach the source IP address of the packet via the interface that transmitted the packet. If it is not possible, then the packet most likely has a spoofed source IP address. This configuration change would substantially reduce the potential for many popular types of DDoS attacks. As such, we highly recommend that all network operators perform network ingress filtering if possible. Note that such filtering will not explicitly protect a UDP service provider from being exploited in a DRDoS because all network providers must use ingress filtering to eliminate the threat completely.

    To verify your network has implemented ingress filtering, download the open source tools from the Spoofer Project [11].

    Traffic Shaping

    Limiting responses to UDP requests is another potential mitigation to this issue. This may require testing to discover the optimal limit that does not interfere with legitimate traffic. The IETF released Request for Comment 2475 and Request for Comment 3260 that describe some methods to shape and control traffic [12] [13]. Most network devices today provide these functions in their software.

    References
    [1] SIP: Session Initiation Protocol
    [2] Amplification Hell: Abusing Network Protocols for DDoS (link is external)
    [3] Amplification Hell: Revisiting Network Protocols for DDoS Abuse (link is external)
    [4] DNS Amplification Attacks
    [5] NTP Amplification Attacks Using CVE-2013-5211
    [6] VU#550620: Multicast DNS (mDNS) implementations may respond to unicast queries originating outside the local link
    [7] RIPv1 Reflection DDoS [Medium Risk] (link is external)
    [8] A New DDoS Reflection Attack: Portmapper; An Early Warning to the Industry (link is external)
    [9] Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ
    IP Source Address Spoofing
    [10] Ingress Filtering for Multihomed Networks
    [11] The Spoofer Project
    [12] An Architecture for Differentiated Services
    [13] New Terminology and Clarifications for Diffserv
    Revisions
    February 09, 2014 – Initial Release
    March 07, 2014 – Updated page to include research links
    July 13, 2015 – Added RIPv1 as an attack vector
    August 19, 2015 - Added Multicast DNS (mDNS) and Portmap (RPCbind) as attack vectors


    === Cut ===


    --
    Guardien Fide :^)

    Ben aka cMech Web: http://cmech.dynip.com
    Email: fido4cmech(at)lusfiber.net
    Home page: http://cmech.dynip.com/homepage/
    WildCat! Board 24/7 +1-337-984-4794 any BAUD 8,N,1

    --- GoldED+/W32-MSVC
    * Origin: FIDONet - The Positronium Repository (1:393/68)
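    The alert defines the bandwidth amplification factor (BAF) as response payload bytes divided by request payload bytes, and its detection advice is to watch for abnormally large responses going to a particular IP address. As an added example, not part of the alert or of the cited research, the Python below applies both to constructed unidirectional flow records seen at a UDP server's edge: it aggregates request and response payload bytes per (peer, service), computes the per-peer BAF, and flags peers that received a large response volume at a high BAF, which from the server operator's vantage point is the signature of its service being used as a reflector against that peer. The server address, peer addresses, byte counts and thresholds are constructed; the port-to-service mapping uses the standard assignments for the protocols in the alert's table.

```python
from collections import defaultdict

# UDP services from the alert's table, keyed by their standard port.
SERVICE_PORTS = {
    53: "DNS", 123: "NTP", 161: "SNMPv2", 137: "NetBIOS", 1900: "SSDP",
    19: "CharGEN", 17: "QOTD", 520: "RIPv1", 5353: "mDNS", 111: "Portmap",
}

# Constructed flow records exported at the server's edge:
# (src_ip, src_port, dst_ip, dst_port, packets, payload_bytes)
SERVER_IP = "198.51.100.10"
FLOWS = [
    # Ordinary NTP client: one 48-byte query, one 48-byte answer.
    ("192.0.2.20", 50123, SERVER_IP, 123, 1, 48),
    (SERVER_IP, 123, "192.0.2.20", 50123, 1, 48),
    # Requests carrying a spoofed source (the victim) and the much larger answers sent to it.
    ("203.0.113.5", 40000, SERVER_IP, 123, 200, 1600),
    (SERVER_IP, 123, "203.0.113.5", 40000, 20000, 891000),
    # Ordinary DNS client.
    ("192.0.2.21", 53000, SERVER_IP, 53, 3, 120),
    (SERVER_IP, 53, "192.0.2.21", 53000, 3, 450),
]


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF as defined in the alert: UDP payload bytes sent back / UDP payload bytes received."""
    if request_bytes <= 0:
        raise ValueError("request_bytes must be positive")
    return response_bytes / request_bytes


def per_peer_stats(flows, server_ip: str) -> dict:
    """Aggregate request and response payload bytes per (peer_ip, service) for one server."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "resp_pkts": 0})
    for src, sport, dst, dport, pkts, nbytes in flows:
        if dst == server_ip and dport in SERVICE_PORTS:
            stats[(src, SERVICE_PORTS[dport])]["req_bytes"] += nbytes
        elif src == server_ip and sport in SERVICE_PORTS:
            entry = stats[(dst, SERVICE_PORTS[sport])]
            entry["resp_bytes"] += nbytes
            entry["resp_pkts"] += pkts
    return dict(stats)


def find_reflection_victims(flows, server_ip: str,
                            min_resp_bytes: int = 500_000, min_baf: float = 10.0) -> list:
    """Peers that received an abnormally large response volume at a high BAF.

    Thresholds are example values; an operator tunes them to the service's
    normal per-client traffic. A peer with responses but no observed requests
    (e.g. asymmetric visibility) is treated as infinite BAF so it is not hidden.
    """
    suspects = []
    for (peer, service), s in per_peer_stats(flows, server_ip).items():
        if s["req_bytes"] > 0:
            baf = bandwidth_amplification_factor(s["req_bytes"], s["resp_bytes"])
        else:
            baf = float("inf")
        if s["resp_bytes"] >= min_resp_bytes and baf >= min_baf:
            suspects.append({"peer": peer, "service": service,
                             "baf": round(baf, 1), "resp_bytes": s["resp_bytes"]})
    return sorted(suspects, key=lambda x: -x["resp_bytes"])


if __name__ == "__main__":
    for s in find_reflection_victims(FLOWS, SERVER_IP):
        print(f"{s['service']}: {s['resp_bytes']} bytes sent to {s['peer']} at BAF {s['baf']}")
```

    Flagging a peer here does not mean that peer is misbehaving: under spoofing it is the victim, and the operator's response is to rate-limit or disable the amplifying command and to notify the victim's network, not to block the peer as an attacker. That is also why the alert's first mitigation is ingress filtering at the ISP, which removes the spoofed requests before they reach the server at all.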