(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Sometime within the past month, Rig exploit kit (EK) changed URL structure.

Notice the PHPSSESID and ?req= patterns in the above example.

Now, we don't see the PHPSSESID and ?req= patterns. Let's take a closer look at the more recent example of Rig EK.

The data is gzip compressed, so you have to extract the file to see what it looks like.

Finally, the exploit kit sends the malware payload. It

A copy of the decrypted malware payload can be found at: https://malwr.com/analysis/NzIwYjgwYTcyODhiNGUwNGIxOTRjMzllNjkwMGViMzc/

The malware payload didn

Keep in mind malware payloads differ among the criminal organizations that rent these exploit kits, and the payload can also change from day-to-day.

I haven't heard too much yet about this recent change in URL patterns for Rig EK, but it's certainly happening.

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


Researchers have uncovered an ongoing espionage campaign that uses custom-developed malware to siphon confidential data out of energy companies around the world.

Trojan.Laziok, as the malware has been dubbed, acts as a reconnaissance tool that scours infected computers for data including machine name, installed software, RAM size, hard disk size, GPU details, CPU details, and installed antivirus software, according to a blog post published Monday by researchers from security firm Symantec. The attackers then use the data to decide how to infect the computer with additional malware, including versions of Backdoor.Cyberat and Trojan.Zbot that are tailored for a specific compromised computer.

"The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack," Symantec researcher Christian Tripputi wrote. "During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected."


[SECURITY] [DSA 3210-1] wireshark security update
The National Institute of Standards and Technology (NIST) is soliciting applications for funding pilot privacy-enhancing technologies that embrace and advance the National Strategy for Trusted Identities in Cyberspace. NSTIC seeks to ...

The massive denial-of-service attacks that have intermittently shut down GitHub for more than five days is the work of hackers with control over China's Internet backbone, according to two technical reports published Tuesday that build a strong case that government authorities are at least indirectly responsible.

GitHub officials have said the torrent of junk data pummeling their servers is the biggest they have ever seen. As previously reported, the two GitHub pages are constantly loaded and reloaded by millions of computer users inside and outside of China, an endless loop that left unmitigated outages not just on the two targeted pages but throughout GitHub's entire network. Exhibit A in the case in which China is involved are the two specific GitHub pages targeted: one hosts anti-censorship service GreatFire.org while the other hosts a mirror site of The New York Times' Chinese edition. The targets suggest the attackers are sympathetic to the vast censorship apparatus known as the Great Firewall of China.

Now researchers have unearthed additional evidence implicating China that goes beyond motive. Specifically, the computers hammering GitHub servers are all running a piece of malicious code that surreptitiously makes them soldiers in a massive DDoS army. The JavaScript gets silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics. About one percent of people visiting such sites don't receive the true Baidu analytics JavaScript but instead get code that forces their browser to constantly reload the two targeted GitHub pages.


[ MDVSA-2015:186 ] phpmyadmin
[ MDVSA-2015:185 ] dokuwiki

Survey: Security Pros Have 'Critical' Concerns About Infosec
Dark Reading
“Digital transformation means data center transformation and change is hard, especially when it comes to Information security,” said Demetrios “Laz” Lazarikos, two-time former CISO, former PCI QSA, and Founder of Blue Lava Consulting. “From the results ...
Third Annual Information Security Survey Finds Major Concerns Among Security ...Marketwired (press release)

[security bulletin] HPSBGN03270 rev.1 - HP Operations Analytics, Remote Execution of Code
[SECURITY] [DSA 3209-1] openldap security update
[security bulletin] HPSBHF03271 rev.1 - HP PCs and Workstations Running Windows 7 with NVidia Graphics Driver, Elevation of Privileges

Third Annual Information Security Survey Finds Major Concerns Among Security ...
Marketwired (press release)
MOUNTAIN VIEW, CA and CHICAGO, IL--(Marketwired - Mar 31, 2015) - Blue Lava, a strategic consulting group that helps Fortune 1,000 enterprises assess IT risks and develop internal Information Security (InfoSec) programs, today released findings from ...


Posted by InfoSec News on Mar 31


The Star Online
March 31, 2015

TAIPEI: Taiwan wants to join a major anti-hacking drill conducted by the
United States to strengthen cybersecurity ties with its staunchest ally,
its vice premier said on Monday, a move which would help safeguard against
constant targeting by hackers in rival China.

Many hacks into...

Posted by InfoSec News on Mar 31


By Claire Bushey
Crain's Chicago Business
March 30, 2015

Alarmed by their vulnerability to everything from sophisticated hacking to
the hapless attorney who attaches the wrong spreadsheet to an email, law
firms are turning to new must-have coverage: cyber insurance.

In the past few years, the biggest firms have purchased policies to cover
the costs of a data breach:...

Posted by InfoSec News on Mar 31


The New York Times
MARCH 29, 2015

SAN FRANCISCO — For years, Lulu Zezza has played one of the toughest roles
in Hollywood.

Ms. Zezza, who has managed physical production on movies like “The Reader”
and “Nine,” also oversees the digital security of everything that goes
into the making of a film on set,...

Posted by InfoSec News on Mar 31


By Kim Zetter
March 30, 2015

AROUND THE SAME time the US and Israel were already developing and
unleashing Stuxnet on computers in Iran, using five zero-day exploits to
get the digital weapon onto machines there, the government realized it
needed a policy for how it should handle zero-day vulnerabilities,
according to a new document obtained by the...

Posted by InfoSec News on Mar 31


By Aliya Sternstein
March 30, 2015

The Defense Department has rolled out supersecret smartphones for work and
maybe play, made by anti-government-surveillance firm Silent Circle,
according to company officials.

Silent Circle, founded by a former Navy Seal and the inventor of
privacy-minded PGP encryption, is known for...