Microsoft Windows NT, 2000, XP, Vista, and 7Overview
On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.Description
Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.Impact
Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. Solution
Users and administrators are recommended to take the following preventive measures to protect their computer networks:
The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.
Stage 1 files, 32 bit:
Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:
Stage 1, 64-bit system infection:
Stage 2, 32 bit:
Stage 2, 64 bit:
Stage 3, 32 bit:
Stage 4, 32 bit:
Stage 4, 64 bit:
Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.
Registry branches used to store malware stages 2 and 3:
IP IOCs :
A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. Description
The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.
At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.Impact
A valid domain user can pass invalid domain administrator credentials, gain access and compromise any system on the domain, including the domain controller. Solution
A vulnerability in Microsoft Windows Object Linking and Embedding (OLE) could allow remote code execution if a user views a specially-crafted web page in Internet Explorer.Description
The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memory. In certain circumstances, this library does not properly check sizes of arrays when an error occurs. The improper size allows an attacker to manipulate memory in a way that can bypass the Internet Explorer Enhanced Protected Mode (EPM) sandbox as well as the Enhanced Mitigation Experience Toolkit (EMET).
This vulnerability can be exploited using a specially-crafted web page utilizing VBscript in Internet Explorer. However, it may impact other software that makes use of OleAut32.dll and VBscript.
Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#158647.Impact
Arbitrary code can be run on the computer with user privileges. If the user is an administrator, the attacker may run arbitrary code as an administrator, fully compromising the system.Solution
An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-064 for more details and mitigation guidance, and apply the necessary updates.References
Microsoft Windows XP and 2000 may also be affected.Overview
A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.Description
Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.
It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.
Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks. An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.Impact
This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.Solution
Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.References
iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.Overview
A technique labeled “Masque Attack” allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.Description
Masque Attack was described by FireEye mobile security researchers , Stefan Esser of SektionEins, and Jonathan Zdziarski. This attack works by luring users to install an app from a source other than the iOS App Store or their organizations’ provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.
This technique takes advantage of a security weakness that allows an untrusted app—with the same “bundle identifier” as that of a legitimate app—to replace the legitimate app on an affected device, while keeping all of the user’s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple’s own iOS platform apps, such as Mobile Safari, are not vulnerable.Impact
An app installed on an iOS device using this technique may:
iOS users can protect themselves from Masque Attacks by following three steps:
Further details on Masque Attack and mitigation guidance can be found on FireEye’s blog . US-CERT does not endorse or support any particular product or vendor.References
Microsoft Windows Server 2003 operating systemOverview
Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015. After this date, this product will no longer receive:
All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance. As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.Impact
Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.
Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.
Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.Solution
Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and or availability of data, system resources and business assets.
The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.
Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4,5] US-CERT does not endorse or support any particular product or vendor.References
Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s). Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.Description
The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors. Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader. After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.
Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.
Phishing Email Characteristics:
System Level Indicators (upon successful exploitation):
A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.Solution
Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:
US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.
You can report phishing to us by sending email to email@example.com.References
Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:
Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars, and is sometimes demanded in virtual currency, such as Bitcoin.
Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.WHY IS IT SO EFFECTIVE?
The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and inevitably become infected with additional malware, including messages similar to those below:
In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt user’s and organization’s files, and render them useless until criminals receive a ransom.
Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of malware itself is different. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.LINKS TO OTHER TYPES OF MALWARE
Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.Impact
Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.Solution
Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC .References
All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.
Some Transport Layer Security (TLS) implementations are also vulnerable to the POODLE attack.Overview
US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.Description
The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.
While SSL 3.0 is an old encryption standard and has generally been replaced by TLS, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. 
Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.
These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.
The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).Solution
There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.
Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades: 
Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.
Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566  or in CERT Vulnerability Note VU#577193.
Vulnerable TLS implementations need to be updated. CVE ID assignments and vendor information are also available in the NVD.References
A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system . The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.Description
GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]
This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers who can provide specially crafted environment variables containing arbitrary commands to execute on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.Solution
Initial solutions for Shellshock do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. Red Hat has provided a support article  with updated information.
Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 .
US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summaries for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to mitigate damage caused by the exploit.References