TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 20, 2017

Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 24 Feb 2017 18:45:55 +0000

I’ve been fascinated with the rise and fall of exploit kits, especially the really popular ones that disappear seemingly overnight. Angler was one of them: at one point it contributed 59.5% of total exploit kit activity for 2015, but it has been presumed dead since June 2016, after the arrest of a hacker gang. After Angler, there was a big move to Neutrino, but even Neutrino activity is now down to a trickle. A lot of factors can contribute to the demise of an exploit kit – the authors may get caught, or competition from other exploit kits may crowd it out.

Earlier this month, we announced our machine learning capabilities using our TippingPoint solutions. We collect statistical information about web pages and other protocols and make decisions based on models we’ve created using machine learning to determine what is good and what is bad. This can be applied to our Digital Vaccine® (DV) filters to block exploit kits, obfuscated content (e.g. JavaScript, HTML), polymorphic malware, and other malicious content. In this week’s ThreatDV package, we have added a new filter that uses our machine learning intelligence to protect against the Rig/Sundown exploit kits, which have gained in popularity after the fall of Angler and Neutrino.

  • 26901: HTTP: Obfuscated HTML Usage in Exploit Kits (Rig/Sundown)

Zero Day Initiative Filters Settings Adjustment

Starting with this week’s Digital Vaccine® (DV) package, all newly added pre-disclosed Zero Day Initiative (ZDI) filters which would typically be configured to Block / Notify as a Recommended Setting will instead be set to Block / Notify / Trace. This is done in an effort to ensure network traces are always available for customers who wish to contact TippingPoint in the event of a ZDI pre-disclosed filter firing. In addition, over the next few weeks, all ZDI pre-disclosed filters shipped in previous DV packages that match these criteria will be modified to add the trace setting as well. This change will not impact any filter which has been manually overridden. Customers can contact the TippingPoint Technical Assistance Center (TAC) for additional information.

Adobe Updates

This week’s Digital Vaccine (DV) package includes coverage for the Adobe Security Bulletins released on or before February 21, 2017. The following table maps Digital Vaccine filters to the Adobe Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:

Bulletin #    CVE #            Digital Vaccine Filter #    Status
APSB17-04     CVE-2017-2982    27144
APSB17-04     CVE-2017-2984    27145
APSB17-04     CVE-2017-2985    27146
APSB17-04     CVE-2017-2986    27154
APSB17-04     CVE-2017-2987                                Insufficient Vendor Information
APSB17-04     CVE-2017-2988    27147
APSB17-04     CVE-2017-2990    27153
APSB17-04     CVE-2017-2992    27213
APSB17-04     CVE-2017-2991    27155
APSB17-04     CVE-2017-2993    27148
APSB17-04     CVE-2017-2994    27149
APSB17-04     CVE-2017-2995    27150
APSB17-04     CVE-2017-2996    27151


Zero-Day Filters

There are 10 new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (5)

  • 27149: HTTP: Adobe Flash removeEventListener Use-After-Free Vulnerability (ZDI-17-110)
  • 27150: HTTP: Adobe Flash MessageChannel Type Confusion Vulnerability (ZDI-17-109)
  • 27158: ZDI-CAN-4334: Zero Day Initiative Vulnerability (Adobe Reader DC)
  • 27159: ZDI-CAN-4335: Zero Day Initiative Vulnerability (Adobe Reader DC)
  • 27160: ZDI-CAN-4336: Zero Day Initiative Vulnerability (Adobe Reader DC)

Apple (1)

  • 27157: ZDI-CAN-4329: Zero Day Initiative Vulnerability (Apple Mac OS)

Delta (1)

  • 27215: ZDI-CAN-4045: Zero Day Initiative Vulnerability (Delta Industrial Automation PMSoft)

Hewlett Packard Enterprise (1)

  • 26815: HTTP: HPE Operations Orchestration Backwards Compatibility Deserialization Vulnerability (ZDI-17-001)

SpiderControl (2)

  • 27216: ZDI-CAN-4174: Zero Day Initiative Vulnerability (SpiderControl SCADA)
  • 27217: ZDI-CAN-4194: Zero Day Initiative Vulnerability (SpiderControl SCADA)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

http://feeds.trendmicro.com/TrendMicroSimplySecurity