exploit


A Windows 2003 RDP Zero Day Exploit In this blog, the FortiGuard team takes a look at Esteemaudit, which is an exploit that was included in the set of cybertools leaked by the hacker group known as "Shadow Brokers." They claim that they collected this set of cybertools from the compromised data of "Equation Group," a threat actor alleged to be tied to the United States National Security Agency (NSA). Esteemaudit is a Remote Desktop Protocol (RDP) exploit that targets Microsoft Windows Server 2003 / Windows XP. The vulnerability... [Read More]
by RSS Dehui Yin  |  May 11, 2017  |  Filed in: Security Research
Because of the recent outbreak of the Locky ransomware, Dridex has become synonymous with the distribution of ransomware more generally. However, Dridex is still taking good care of its notorious original business– banking Trojans. While preparing the materials for my upcoming HITBAMS2016 talk on Kernel Exploit hunting and mitigation, I came across this new variant of Dridex (SHA1: 455817A04F9D0A7094038D006518C85BE3892C99), which is rather interesting. The Master of Antivirus Killers Based on some simple string checks, we assumed... [Read More]
by RSS Wayne Chin Yick Low  |  Mar 23, 2016  |  Filed in: Security Research
A few days ago, Oracle announced on their blog that they plan to kill the Java browser plugin in their next major version of JDK, scheduled for release in Q1 2017. What does this mean? Should we worry about our browsing experience? This really just means that it won’t be possible to run Java applets in the browser anymore. The infamous “applet” is a technology that was developed by Sun Microsystems in the 90’s and went on to be acquired by Oracle. This technology was still popular in many exploit kits over the... [Read More]
by RSS David Maciejak  |  Feb 05, 2016  |  Filed in: Industry Trends & News
RIG Exploit Kit was upgraded to v3.0 a while back. While RIG EK was never as active as other exploit kits such as Angler or Nuclear, it is one of the more 'stable' EKs in terms of its near constant presence on the Internet. We will talk about a recent RIG EK sample. Here is the landing page information captured by our automated system in FortiGuard Labs. Type Exploit Kit Name RIG.Exploit.Kit Attack ID 52114 Referrer... [Read More]
by RSS Tim Lau  |  Sep 30, 2015  |  Filed in: Industry Trends & News
Update Aug 28, 2015: Typos in the final table: CVE-2015-3864 does not concern covr but tx3g. CVE-2015-3828 does not occur for yrrc. Detecting the PoCs published by Zimperium is not difficult: you can fingerprint the PoCs, for example. Detecting variants of the PoCs, i.e., MP4s that use one of the discovered vulnerabilities, is far more difficult. I'll explain why in a moment. First, apart from here (in Chinese), there hasn't been so much in the way of technical details. Getting into the guts of StageFright... [Read More]
by RSS Axelle Apvrille  |  Aug 25, 2015  |  Filed in: Security Research
Previously my colleague Wayne talked about an interesting document exploit targeting CVE-2015-1641. In this post, we will talk about who might be behind the attack. We start our correlation with the analysis of the exploit payload - a remote administration tool (RAT) with MD5 6bde5462f45a230edc7e7641dd711505 (detected as MSIL/Agent.QOO!tr). This RAT looks new to us; hence we suspected that it may either be a new RAT family or a custom RAT that was developed for a specific attacker (hacker). It is compiled with Microsoft Visual Basic .NET with... [Read More]
by RSS Roland Dela Paz  |  Aug 24, 2015  |  Filed in: Security Research
Introduction Recently, we came across an unknown document exploit which was mentioned in a blogpost by the researcher @ropchain. As part of our daily routines, we decided to take a look to see if there was something interesting about the document exploit. The sample’s SHA1 used in the analysis is FB434BA4F1EAF9F7F20FE6F49C4375E90FA98069. The file we’re investigating is a Word document called amendment.doc. Understanding the vulnerability In fact, the exploit is not widely covered by AV vendors. Thus it becomes more challenging... [Read More]
by RSS Wayne Chin Yick Low  |  Aug 20, 2015  |  Filed in: Security Research
Researchers at FortiGuard Labs recently discovered another heap overflow vulnerability in the Adobe Flash Player. The vulnerability, CVE-2015-5129, is similar to a larger group of security issues found in Flash Player, all of which could be exploited to allow remote code execution on the host system. Although FortiGuard has not observed active exploits for this particular vulnerability in the wild, we did find multiple products that incorporate Flash with the vulnerability. This includes the Google Chrome browser. Additionally,... [Read More]
by RSS Aamir Lakhani  |  Aug 18, 2015  |  Filed in: Security Research
  [Updated 22 July 2015 to add the CVE information] Fortinet’s FortiGuard Labs has detected a new attack (MD5:db5df99de775af285e7f1b5355a6bee5) that exploits CVE-2015-3077 in Adobe Flash Player. This exploit uses the classic Flash Player Vector corruption technique as shown in the image below.  It then loads the layer 2 Flash to corrupt the vector length after the spray as shown in the image below. A GlowFilter object is created and stored at address 0x974A0C0 which is a memory hole made by the spray code.... [Read More]
by RSS Bin Liu  |  Jul 02, 2015  |  Filed in: Security Research
FortiGuard researchers discovered a heap overflow vulnerability in Apple QuickTime that could lead to arbitrary code execution and severe system crashes on both Windows and OS X versions of the popular multimedia software. This vulnerability (CVE-2015-3668 isolated and identified by FortiGuard Labs) follows on the heels of CVE-2015-3667, (disclosed yesterday by Cisco and simultaneously discovered by FortiGuard Labs), leaves unpatched versions of Quicktime open to multiple exploits. Quicktime relies on special containers for movie data called... [Read More]
by RSS Aamir Lakhani  |  Jul 01, 2015  |  Filed in: Industry Trends & News