Attacks/Breaches
2/20/2014
10:06 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Windows Crash Reports Reveal New APT, POS Attacks

Researchers discover zero-day attacks after studying the contents of various "Dr. Watson" error reports.

You never know what you'll glean from a Windows crash report. Security researchers recently unearthed a previously unknown advanced persistent threat (APT) campaign, as well as a new point-of-sale system attack, by perusing and analyzing those crash reports also known as Dr. Watson.

Researchers at Websense -- who recently exposed weaknesses in Microsoft's Windows crash reports that could be abused by attackers or spies -- on Wednesday released free source code online for enterprises to use the crash reports to catch potential security breaches in their organizations. Next week at the RSA Conference in San Francisco, the researchers will release indicators of compromise for the two attack campaigns that can be incorporated into intrusion prevention systems.

Alex Watson, director of security research for Websense, says his team spotted a targeted attack waged against a mobile network provider and a government agency, both outside the US, as well as a Zeus-based attack aimed at the point-of-sale system of wholesale retailers. In both cases, the attacks have been suspended and the command-and-control infrastructures disrupted.

"We wanted to prove that we can detect zero-day or unknown [attacks] by a little information in crash reports," Watson says. So he and his team created crash "fingerprints" to filter and search for real-world attack intelligence in Dr. Watson reports.

Read the rest of this story on Dark Reading.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.