US-CERT Warns All About Phishing Campaigns

Infosecurity-magazine.com reported on 10th August, 2015 stating that the U.S. Computer Emergency Readiness Team or US-CERT is notifying about a use-after-free (UAF) flaw in Adobe Flash (CVE-2015-5119); it was revealed due to hacking and ensuing dumping of Hacking Team's email and source code and is now being exploited in a new round of phishing attacks.

The advisory stated that campaigns target agencies of US government and private sector organisations across various sectors. All three campaigns exploited links of website contained in phishing emails; two websites exploited with the flaw while the third included the download of a ZIP file containing a maligned executable file. Most of the websites caught up are genuine business or organizational sites which were compromised and are hosting maligned content.

Systems tainted through targeted phishing scams act as an entry point for scammers to distribute throughout an entire enterprise of an organization, embezzle sensitive business or personal information or disturb business operation.

Newblog.easyol.net published news on 3rd August, 2015 quoting Dan Ingevaldson, CTO of security firm Easy Solutions, as saying "the Hacking Team exploit was already "weaponized" which was completely productized, tested and documented. There is a huge dissimilarity between normal proof-of-concept (PoC) exploit code and completely weaponized exploit code- apparently as per the order of several man-weeks to guarantee stability across multiple OSs, evasions, browsers and cash-free execution. Hacking team was hacked on 5th July and the exploit was "found" in the archive which was published on 7th July and immediately added to hacking kits such as Nuclear and Angler."

It is still almost impossible to avert abuse by zero-day attacks through email but it is much more reasonable to stop the higher likelihood of successful attacks during the period instantly after revelation when exploit code is in the wild and fixes have not yet been installed-in this time, just immediately after 5th July.

The team advises organisations to implement email server and security gateway filters, firewall, web proxy and DNS server blocks in trying to address the threat.

US-CERT also calls agencies to scan email server logs for applicable sender, attachments and subject; DNS check web proxy, firewall and IDS logs for malicious activity; and assess anti-virus logs for malware alerts.

» SPAMfighter News - 8/21/2015