{"id":6773,"date":"2017-02-24T11:00:32","date_gmt":"2017-02-24T19:00:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/24\/news-564\/"},"modified":"2017-02-24T11:00:32","modified_gmt":"2017-02-24T19:00:32","slug":"news-564","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/24\/news-564\/","title":{"rendered":"TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of February 20, 2017"},"content":{"rendered":"<p><strong>Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 24 Feb 2017 18:45:55 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/04\/TP-WeeklyBlog-300x205-300x205.jpg\" class=\"attachment-medium size-medium wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/04\/TP-WeeklyBlog-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/04\/TP-WeeklyBlog-300x205-125x85.jpg 125w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>I\u2019ve been fascinated with the rise and fall of exploit kits, especially the really popular ones that disappear seemingly overnight. Angler was one that, at one point, contributed 59.5% of total exploit kit activity in 2015. But now it\u2019s presumed dead as of June 2016, after the arrest of a hacker gang. After Angler, there was a big move to Neutrino, but even Neutrino activity is down to a trickle. A lot of factors can contribute to the demise of an exploit kit \u2013 the authors may get caught, or the kit may lose out to competition from other exploit kits.<\/p>\n<p>Earlier this month, we <a href=\"http:\/\/blog.trendmicro.com\/achieving-real-time-threat-prevention-tippingpoint-machine-learning\/\">announced<\/a> our machine learning capabilities using our TippingPoint solutions. 
We collect statistical information about web pages and other protocols and make decisions based on models we\u2019ve created using machine learning to determine what is good and what is bad. This can be applied to our Digital Vaccine\u00ae (DV) filters to block exploit kits, obfuscated content (e.g. JavaScript, HTML), polymorphic malware, and other malicious content. In this week\u2019s ThreatDV package, we have added a new filter that uses our machine learning intelligence to protect against the Rig\/Sundown exploit kits, which have gained in popularity after the fall of Angler and Neutrino.<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>26901: HTTP: Obfuscated HTML Usage in Exploit Kits (Rig\/Sundown)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Zero Day Initiative Filters Settings Adjustment<\/strong><\/p>\n<p>Starting with this week\u2019s Digital Vaccine\u00ae (DV) package, all newly added pre-disclosed Zero Day Initiative (ZDI) filters which would typically be configured to Block \/ Notify as a Recommended Setting will instead be set to Block \/ Notify \/ Trace. This is done in an effort to ensure network traces are always available for customers who wish to contact TippingPoint in the event of a ZDI pre-disclosed filter firing. In addition, over the next few weeks, all ZDI pre-disclosed filters shipped in previous DV packages that match these criteria will be modified to add the trace setting as well. This change will not impact any filter which has been manually overridden. Customers can contact the TippingPoint Technical Assistance Center (TAC) for additional information.<\/p>\n<p><strong>Adobe Updates<\/strong><\/p>\n<p>This week\u2019s Digital Vaccine (DV) package includes coverage for the Adobe Security Bulletins released on or before February 21, 2017. The following table maps Digital Vaccine filters to the Adobe Security Bulletins. 
Filters designated with an asterisk (*) shipped prior to this week\u2019s package, providing zero-day protection for our customers:<\/p>\n<div class=\"lightTable\">\n<table width=\"936\">\n<tbody>\n<tr>\n<td width=\"140\"><strong>Bulletin #<\/strong><\/td>\n<td width=\"186\"><strong>CVE #<\/strong><\/td>\n<td width=\"222\"><strong>Digital Vaccine Filter #<\/strong><\/td>\n<td width=\"374\"><strong>Status<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2982<\/td>\n<td width=\"222\">27144<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2984<\/td>\n<td width=\"222\">27145<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2985<\/td>\n<td width=\"222\">27146<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2986<\/td>\n<td width=\"222\">27154<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2987<\/td>\n<td width=\"222\">&#8211;<\/td>\n<td width=\"374\">Insufficient Vendor Information<\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2988<\/td>\n<td width=\"222\">27147<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2990<\/td>\n<td width=\"222\">27153<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2992<\/td>\n<td width=\"222\">27213<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2991<\/td>\n<td width=\"222\">27155<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2993<\/td>\n<td width=\"222\">27148<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2994<\/td>\n<td 
width=\"222\">27149<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2995<\/td>\n<td width=\"222\">27150<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<tr>\n<td width=\"140\">APSB17-04<\/td>\n<td width=\"186\">CVE-2017-2996<\/td>\n<td width=\"222\">27151<\/td>\n<td width=\"374\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<p><strong>Zero-Day Filters<\/strong><\/p>\n<p>There are 10 new zero-day filters covering five vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and\/or optimize performance. You can browse the list of <a href=\"http:\/\/www.zerodayinitiative.com\/advisories\/published\/\">published advisories<\/a> and <a href=\"http:\/\/www.zerodayinitiative.com\/advisories\/upcoming\/\">upcoming advisories<\/a> on the <a href=\"http:\/\/www.zerodayinitiative.com\/\">Zero Day Initiative<\/a> website.<\/p>\n<p><strong><em>Adobe (5)<\/em><\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>27149: HTTP: Adobe Flash removeEventListener Use-After-Free Vulnerability (ZDI-17-110)<\/li>\n<li>27150: HTTP: Adobe Flash MessageChannel Type Confusion Vulnerability (ZDI-17-109)<\/li>\n<li>27158: ZDI-CAN-4334: Zero Day Initiative Vulnerability (Adobe Reader DC)<\/li>\n<li>27159: ZDI-CAN-4335: Zero Day Initiative Vulnerability (Adobe Reader DC)<\/li>\n<li>27160: ZDI-CAN-4336: Zero Day Initiative Vulnerability (Adobe Reader DC)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><em>Apple (1)<\/em><\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>27157: ZDI-CAN-4329: Zero Day Initiative Vulnerability (Apple Mac OS)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><em>Delta (1)<\/em><\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>27215: ZDI-CAN-4045: Zero Day Initiative Vulnerability (Delta Industrial Automation PMSoft)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><em>Hewlett Packard Enterprise (1)<\/em><\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>26815: HTTP: HPE Operations Orchestration Backwards Compatibility Deserialization Vulnerability (ZDI-17-001)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong><em>SpiderControl (2)<\/em><\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>27216: ZDI-CAN-4174: Zero Day Initiative Vulnerability (SpiderControl SCADA)<\/li>\n<li>27217: ZDI-CAN-4194: Zero Day Initiative Vulnerability (SpiderControl SCADA)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Missed Last Week\u2019s News?<\/strong><\/p>\n<p>Catch up on last week\u2019s news in my <a href=\"http:\/\/blog.trendmicro.com\/tippingpoint-threat-intelligence-zero-day-coverage-week-february-13-2017\/\">weekly recap<\/a>.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/tippingpoint-threat-intelligence-zero-day-coverage-week-february-20-2017\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 24 Feb 2017 18:45:55 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" 
height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/04\/TP-WeeklyBlog-300x205-300x205.jpg\" class=\"attachment-medium size-medium wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/04\/TP-WeeklyBlog-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/04\/TP-WeeklyBlog-300x205-125x85.jpg 125w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>I\u2019ve been fascinated with the rise and fall of exploit kits, especially the ones that are really popular that disappear seemingly overnight. Angler was one that at one point, contributed 59.5% in the total exploit kit activity for 2015. But now it\u2019s presumed dead as of June 2016 after the arrest of a hacker gang&#8230;.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10384,714,10415],"class_list":["post-6773","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-network","tag-security","tag-zero-day-initiative"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6773"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6773\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada
.net\/index.php\/wp-json\/wp\/v2\/media?parent=6773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6773"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}