MapleSoft Customers Targeted By Attackers Following Data Breach

Contributor: Jeet Morparia

Over the last few weeks, there have been reports of various websites that have had their databases breached and customer data stolen by attackers through various means. A lot of the focus has been on how password dumps have been appearing online. There has always been the concern that attackers who obtain access to customer information would leverage the information in a malicious campaign.

A few days ago, MapleSoft, makers of mathematical and analytical software such as Maple, reported that they have been investigating a database breach. The breach resulted in the attackers obtaining customer information such as email addresses, first and last names, as well as company and institution names. MapleSoft states that no financial information was compromised in this breach.

Unlike previous database breaches, where password hashes were dumped onto the Web, the attackers in this breach decided to up the stakes. MapleSoft customers began to receive emails pretending to be from the “MapleSoft Security Update Team” that claimed Maple software was vulnerable to attack and a patch was available.

Links in malicious emails are often misleading. For example, a link may appear to point to maplesoft.com, but the attackers have merely set the display text; the real link points elsewhere. Usually, these links are foreign, randomly generated domain names or sites that have been compromised and act as an intermediary, redirecting to the payload. This case was different because the attackers actually registered the maple-soft.com domain on July 17 and used it in their emails to their targets. This coincides with when MapleSoft was alerted to spam messages being sent to their customers.
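The two tricks described above (display text that names the real vendor while the href goes elsewhere, and a lookalike domain such as maple-soft.com) are both mechanically checkable. The following is an added example, not code from the original post or from Symantec, that audits the anchors in an HTML email body; the sample message and the `LEGIT_DOMAINS` set are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the campaign described above; not the real message.
SAMPLE_EMAIL_HTML = """
<p>Hello John,</p>
<p>A security patch for Maple is available at
<a href="http://maple-soft.com/update/patch.exe">http://www.maplesoft.com/support/patch</a>.</p>
<p>Regards, <a href="http://www.maplesoft.com/">MapleSoft</a></p>
"""
LEGIT_DOMAINS = {"maplesoft.com"}  # assumed list of the vendor's real domains
URLISH = re.compile(r"^(?:[a-z]+://)?(?:www\.)?[\w-]+(?:\.[\w-]+)+", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, display text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname from a URL or from bare 'www.example.com' display text."""
    if not re.match(r"^[a-z]+://", text, re.I):
        text = "http://" + text
    return urlparse(text).hostname or ""

def registered_domain(host):
    """Crude: last two labels, sufficient for the .com domains in this example."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def is_lookalike(domain, legit):
    """True if domain matches a legitimate one once hyphens/dots are removed (maple-soft.com)."""
    squash = lambda d: re.sub(r"[-_.]", "", d)
    return domain not in legit and any(squash(domain) == squash(l) for l in legit)

def audit_links(html):
    """Returns (kind, href, detail) findings for mismatched or lookalike links."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registered_domain(host_of(href))
        shown = registered_domain(host_of(text)) if URLISH.match(text) else ""
        if shown and shown != real:  # what the user sees vs. where the link goes
            findings.append(("display-mismatch", href, text))
        if is_lookalike(real, LEGIT_DOMAINS):
            findings.append(("lookalike-domain", href, real))
    return findings
```

Run against the sample, the first anchor is reported twice (mismatched display text and a lookalike registered domain) while the genuine maplesoft.com link passes.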

On top of that, users who received the emails were reportedly addressed by their first names. This was handy because it allowed attackers to gain a level of trust with MapleSoft's customers.

A reddit user posted an example of one of the email messages they received claiming to be from MapleSoft:

Upon clicking the link, the user is taken to a page on maple-soft.com. This page will then redirect to the Blackhole exploit kit page which determines what exploit to serve to the unsuspecting user. In this particular case, the user is served up the Microsoft Windows Help And Support Center Trusted Document Whitelist Bypass Vulnerability (CVE-2010-1885).

Once the user’s system is successfully exploited by the vulnerability, two files are dropped onto the target system. These files are detected by Symantec products as Trojan.Zbot (which our behavioral engine detects as Sonar.Zbot!gen1) and Packed.Generic.367 (a heuristic detection for Trojan.ZeroAccess).

Symantec Endpoint Protection and Norton customers are protected against exploitation of vulnerabilities and drive-by downloads from exploit kits like Blackhole. The specific IPS signatures that protect against this version of Blackhole are:

  • Web Attack: Blackhole Toolkit Website 2
  • Web Attack: Malicious Toolkit Website 9
  • Web Attack: Blackhole Exploit Kit Website 8
  • Web Attack: Malicious File Download Request 10

MapleSoft has already notified its customers about the breach and given them a high level overview of the threat. At this time it is unclear how many MapleSoft customers were part of the breach and how many received these malicious spam messages.

While we have seen plenty of database breaches in recent weeks, none have resulted in a crafted campaign such as this. This just goes to show how these types of attacks have evolved from blind phishing to more sophisticated, targeted messages. Having this type of data on-hand is like having an ace up the sleeve.

We encourage users that receive notifications about patches and updates to software through email not to click on links. Instead, we recommend that users visit the actual vendor website to confirm the legitimacy of these types of notifications.

Botnet Owners Feeling “Grum” After Takedown

Contributor: Andrew Watson

A coordinated effort led by security researchers at FireEye and Spamhaus has resulted in the takedown of one of the largest spam botnets in the threat landscape. The botnet, known as Grum, was reportedly responsible for close to a third of the world’s spam email traffic.

We’ve been watching the developments carefully here at Symantec and have noticed a decided drop in spam traffic coming from the Grum botnet. Around 5:00 p.m. on July 17, the botnet sent a batch of around 40,000 spam emails. The next hour that number dropped to around 30,000. The next hour 16,000, followed by 11,000. The numbers continued to decline to the point where, yesterday afternoon, the botnet sent only a handful of spam messages.

The botnet appears to be dead in the water at this stage. This is good news for all: users may notice a marked drop in spam emails appearing in their inbox, and administrators should also notice lower server loads on their spam filtering systems.

Our congratulations go out to the folks at FireEye, Spamhaus, and the other security researchers involved for their successful takedown campaign.

Nvidia Investigates Claims Of Online Store Compromise During Spate Of Hacking

Just a few days back we posted about Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext, and most recently it seems someone has been going after Nvidia pretty hard. They have already had a few web properties hacked including their forum, the developer zone and their research site. The latest break in the [...]

Read the full post at darknet.org.uk