U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts published IE Exploit code and crooks added it to Neutrino EK

Operators behind the Neutrino EK have added the code to exploit an Internet Explorer flaw that  was recently patched with the release of the MS16-053. Operators behind the infamous Neutrino EK have recently added the code to exploit an Internet Explorer vulnerability that was patched with the release of the MS16-053 security bulletin. The MS16-053 bulletin patched […]

Experts published IE Exploit code and crooks added it to Neutrino EK

Operators behind the Neutrino EK have added the code to exploit an Internet Explorer flaw that  was recently patched with the release of the MS16-053.

Operators behind the infamous Neutrino EK have recently added the code to exploit an Internet Explorer vulnerability that was patched with the release of the MS16-053 security bulletin.

The MS16-053 bulletin patched two remote code execution vulnerabilities in the JScript (CVE-2016-0187) and VBScript (CVE-2016-0189) scripting engines

The security vulnerabilities can be exploited through the Internet Explorer web browser, unfortunately, the CVE-2016-0189 had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

In order to trigger the vulnerability, victims have to visit a compromised website or open a spear-phishing email containing a malicious link.

Experts from startup Theori have made a reverse engineering of the MS16-053 and published a PoC exploit for the CVE-2016-0189 vulnerability.

Neutrino EK PoC

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters that included it in the Neutrino EK as confirmed by FireEye.

Researchers from FireEye noticed that last version of the Neutrino EK included exploits for a total of five vulnerabilities, three Flash Player flaws (CVE-2016-1019, CVE-2016-4117 and CVE-2015-8651) and two Internet Explorer (CVE-2014-6332 and CVE-2016-0189).

“CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.” states FireEye. “In this example, Neutrino embedded exploits for five patched vulnerabilities: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.”

The experts compared the code used in the Neutrino EK and the one released by the researchers. Researchers from FireEye speculate that crooks might be able to adapt the exploit for older versions of the operating system as well.

In January, experts from Heimdal Security warned a spike in cyber attacks leveraging the popular Neutrino and RIG exploit kit, the crimeware kits have become the most popular exploit kits after Angler and Nuclear disappeared.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Neutrino EK, cybercrime)