TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 20, 2017
Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 24 Feb 2017 18:45:55 +0000
I’ve been fascinated by the rise and fall of exploit kits, especially the really popular ones that disappear seemingly overnight. Angler is one example: at one point it accounted for 59.5% of total exploit kit activity in 2015, but it is presumed dead as of June 2016, following the arrest of a hacker gang. After Angler, there was a big move to Neutrino, but even Neutrino activity is now down to a trickle. Many factors can contribute to the demise of an exploit kit: the authors may get caught, or competition from other kits may push it out of the market.
Earlier this month, we announced machine learning capabilities in our TippingPoint solutions. We collect statistical information about web pages and other protocols and make decisions based on models we have built using machine learning to determine what is good and what is bad. This can be applied to our Digital Vaccine® (DV) filters to block exploit kits, obfuscated content (e.g. JavaScript, HTML), polymorphic malware, and other malicious content. In this week’s ThreatDV package, we have added a new filter that uses this machine learning intelligence to protect against the Rig and Sundown exploit kits, which have gained in popularity after the fall of Angler and Neutrino.
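To make the idea of statistical, content-based classification concrete, here is an added example that is not TippingPoint’s code and not part of the original post. It extracts a few cheap statistical features from a script body (character entropy, density of \xHH and %HH escapes, machine-generated identifier names, long opaque string literals, and calls such as eval/unescape) and applies a hand-set scoring rule in place of a trained model. The feature set, weights, thresholds and both JavaScript samples are assumptions constructed for illustration; a production system would learn the weights from labelled traffic rather than fix them by hand.

```python
import math
import re
from collections import Counter

# Constructed samples (not from the original post): a plain page script and an
# obfuscated one in the style an exploit-kit landing page serves.
BENIGN_JS = """
function renderMenu(items) {
  var list = document.getElementById('menu');
  for (var i = 0; i < items.length; i++) {
    var li = document.createElement('li');
    li.textContent = items[i].title;
    list.appendChild(li);
  }
}
"""

OBFUSCATED_JS = r"""
var _0x4f2a=["\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65","\x65\x76\x61\x6c"];
var s="%75%6e%65%73%63%61%70%65%28%27%25%37%35%25%36%65%27%29";
eval(unescape(s));var p=String[_0x4f2a[0]](100,111,99,117,109,101,110,116);
(function(a,b){a[b](p+"\x2e\x77\x72\x69\x74\x65");})(window,_0x4f2a[1]);
"""

# Calls that obfuscated droppers lean on to rebuild and run a hidden payload.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "fromCharCode", "document.write")
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")  # \xHH or %HH
HEX_IDENT_RE = re.compile(r"_0x[0-9a-fA-F]+")                  # _0x1a2b style names
LITERAL_RE = re.compile(r"'[^'\n]*'|\"[^\"\n]*\"")             # quoted string literals


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded blobs score higher than prose-like code."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(js: str) -> dict:
    """Cheap statistical features of a script body, the kind a classifier would consume."""
    body = js.strip()
    n = max(len(body), 1)
    literals = LITERAL_RE.findall(body)
    return {
        "entropy": shannon_entropy(body),
        "escape_density": len(ESCAPE_RE.findall(body)) / n,
        "hex_identifiers": len(HEX_IDENT_RE.findall(body)),
        "longest_literal": max((len(s) for s in literals), default=0),
        "suspicious_calls": sum(body.count(call) for call in SUSPICIOUS_CALLS),
    }


def obfuscation_score(f: dict) -> float:
    """Hand-set weights standing in for a trained model (assumption, for illustration)."""
    score = min(f["escape_density"] * 20.0, 3.0)        # dense \xHH / %HH encoding
    score += min(float(f["suspicious_calls"]), 3.0)     # eval/unescape/fromCharCode/document.write
    score += 1.0 if f["hex_identifiers"] else 0.0       # machine-generated identifier names
    score += 1.0 if f["longest_literal"] > 80 else 0.0  # a long opaque string literal
    score += 1.0 if f["entropy"] > 4.8 else 0.0         # unusually high character entropy
    return score


def classify(js: str, threshold: float = 3.0) -> dict:
    """Return the features, the score and the verdict for one script body."""
    features = extract_features(js)
    score = obfuscation_score(features)
    return {"features": features, "score": score, "obfuscated": score >= threshold}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        result = classify(sample)
        print(f"{name}: score={result['score']:.2f} obfuscated={result['obfuscated']}")
```

Run as a script, it scores the benign sample well under the threshold and the obfuscated sample well over it. The individual features are deliberately weak on their own (a long literal or a single eval is common in legitimate pages); it is the combination, weighted by a model trained on real traffic, that makes this approach usable inline without an unacceptable false-positive rate.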
Zero Day Initiative Filters Settings Adjustment
Starting with this week’s Digital Vaccine® (DV) package, all newly added pre-disclosed Zero Day Initiative (ZDI) filters that would typically be configured to Block / Notify as the Recommended Setting will instead be set to Block / Notify / Trace. This ensures that network traces are always available for customers who wish to contact TippingPoint when a ZDI pre-disclosed filter fires. In addition, over the next few weeks, all ZDI pre-disclosed filters shipped in previous DV packages that match these criteria will be modified to add the trace setting as well. This change will not affect any filter whose settings have been manually overridden. Customers can contact the TippingPoint Technical Assistance Center (TAC) for additional information.
Adobe Updates
This week’s Digital Vaccine (DV) package includes coverage for the Adobe Security Bulletins released on or before February 21, 2017. The following table maps Digital Vaccine filters to the Adobe Security Bulletins. Filters designated with an asterisk (*) shipped prior to this week’s package, providing zero-day protection for our customers:
| Bulletin # | CVE # | Digital Vaccine Filter # | Status |
|---|---|---|---|
| APSB17-04 | CVE-2017-2982 | 27144 | |
| APSB17-04 | CVE-2017-2984 | 27145 | |
| APSB17-04 | CVE-2017-2985 | 27146 | |
| APSB17-04 | CVE-2017-2986 | 27154 | |
| APSB17-04 | CVE-2017-2987 | – | Insufficient Vendor Information |
| APSB17-04 | CVE-2017-2988 | 27147 | |
| APSB17-04 | CVE-2017-2990 | 27153 | |
| APSB17-04 | CVE-2017-2992 | 27213 | |
| APSB17-04 | CVE-2017-2991 | 27155 | |
| APSB17-04 | CVE-2017-2993 | 27148 | |
| APSB17-04 | CVE-2017-2994 | 27149 | |
| APSB17-04 | CVE-2017-2995 | 27150 | |
| APSB17-04 | CVE-2017-2996 | 27151 | |
Zero-Day Filters
There are 10 new zero-day filters covering five vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update the filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.
Adobe (5)
Apple (1)
Delta (1)
Hewlett Packard Enterprise (1)
SpiderControl (2)
Missed Last Week’s News?
Catch up on last week’s news in my weekly recap.