Security Activity Bulletin

Apache Darkleech Malware Hijacking Activity

Threat Type: IntelliShield Security Activity Bulletin
IntelliShield ID: 28804
Version: 1
First Published: 2013 April 03 21:18 GMT
Last Published: 2013 April 03 21:18 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
Related Resources: View related blog

Version Summary: Darkleech is an exploitation toolkit that could aid an unauthenticated, remote attacker to inject malicious software on a targeted system.

Description
Darkleech is an exploitation toolkit that could aid an unauthenticated, remote attacker to inject malicious software on a targeted system.

Darkleech targets end users by injecting crafted HTML iframes into the page at the moment an affected page is served, so the injection happens in real time within the user's browser session. Darkleech can be elusive and difficult to detect because the toolkit applies a sophisticated array of conditional criteria to decide when to inject the malicious iframes into the response delivered to a given user; the same page requested under different conditions may be served clean.

Successful installation of the Darkleech toolkit could allow the attacker to compromise the SSH binaries, allowing the attacker to implement backdoor access to the affected system. In addition, the attacker could access all SSH authentication credentials on the targeted system and use the stolen credentials to access and compromise additional systems.

The attacker may exploit multiple attack vectors to install Darkleech on a targeted system; however, reports have identified vulnerabilities in Parallels Plesk Panel or cPanel in which successful exploitation could allow an attacker to gain root access to a targeted system and install the toolkit. One such vulnerability, CVE-2012-1557, is documented in IntelliShield Alert 25288.

Reports indicate that Darkleech attacks have been ongoing since at least August 2012. Further research by Cisco Senior Security Researcher Mary Landesman and Security Engineer Gregg Conklin, available at the Cisco Security blog post Apache Darkleech Compromises, indicates that the ongoing Darkleech attacks have successfully targeted an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent websites such as the Los Angeles Times in February and a blog for the hard drive manufacturer Seagate in March.

Administrators are advised to investigate websites that deliver iframes to the user that are not present in the HTML source code stored on the server. Because the injection occurs when the page is served, such iframes appear only in the response received by the browser, and their presence could be an indicator of compromise.
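One way to operationalize this check, as an added example that is not part of the bulletin and not Cisco's code: compare the iframes found in a page as served to a browser against the iframes in the same page's HTML source on disk, and flag any that the source does not account for. The two HTML documents below are constructed sample inputs (including the 198.51.100.7 address and the `redir.php` path), not captured Darkleech content. The hidden-frame heuristics (1x1 dimensions, `display:none`, `visibility:hidden`, off-page absolute positioning) are the author's assumptions about what a user-invisible iframe typically looks like, not criteria taken from the bulletin.

```python
"""Flag iframes that appear in a served page but not in its on-disk source.

Added example for the Darkleech bulletin; not Cisco's or the toolkit's code.
All HTML below is constructed sample data.
"""
from html.parser import HTMLParser
import re

# Constructed: the page as it exists in the web root.
ON_DISK_SOURCE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
</body></html>"""

# Constructed: the same page as received by a browser, with one extra frame.
SERVED_RESPONSE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://198.51.100.7/redir.php?x=1" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value is None if absent
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def extract_iframes(html):
    """Return a list of attribute dicts, one per iframe in the document."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


# Assumed heuristics for CSS that keeps a frame out of the user's view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|position\s*:\s*absolute", re.I
)


def is_hidden(attrs):
    """True if the iframe is sized or styled so the user would not see it."""
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:  # e.g. width="100%": not a pixel value, treat as visible
        width = height = 100
    if width <= 1 or height <= 1:
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style", "")))


def find_injected_iframes(source_html, served_html):
    """Return findings for iframes in the served page whose src the source lacks.

    Matching on src is deliberate: an attacker-injected frame points somewhere
    the legitimate source never referenced, whatever its other attributes.
    """
    known_srcs = {f.get("src", "") for f in extract_iframes(source_html)}
    findings = []
    for frame in extract_iframes(served_html):
        src = frame.get("src", "")
        if src not in known_srcs:
            findings.append({
                "src": src,
                "hidden": is_hidden(frame),
                "reason": "iframe src not present in on-disk HTML source",
            })
    return findings


if __name__ == "__main__":
    for finding in find_injected_iframes(ON_DISK_SOURCE, SERVED_RESPONSE):
        print(finding)
```

In practice the served copy should be fetched from outside the server (and more than once, with different client characteristics) because the bulletin notes that the toolkit injects conditionally; a single clean fetch does not clear the host. Any hit that is also flagged as hidden is the pattern the bulletin describes and warrants checking the web server binaries and modules themselves, since the injection happens at serve time rather than in the files.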
Alert History

Initial Release

Product Sets
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShieldSecurity Activity Bulletin Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.