Juniper signatures

Juniper RSS Feed

Media Advisory: Juniper Networks to Discuss the Automation and Security of Private, Public and Hybrid Clouds at AWS re:Invent

SUNNYVALE, CA--(Marketwired - November 22, 2017) - Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, today announced details regarding its upcoming participation at AWS re:Invent, Amazon Web Services' annual user conference, as well as the availability of AppFormix software on the AWS Marketplace, enabling users to instantly access Juniper's intent-driven solution to simplify the operation and automation of dynamic cloud environments. At AWS re:In...

                   
21 November 2017

Signature Update #3007


Signature Update #3007 contains new detector engine builds for the Junos OS, IDP OS, and ISG OS. Complete details can be found in the official IDP Detector Engine Release Notes: http://www.juniper.net/techpubs/software/management/idp/de/index.html

18 new signatures:

  • [MEDIUM] SMB: Microsoft Windows Search with SMBv1 and SMBv2 Information Disclosure
  • [MEDIUM] HTTP: Adobe Acrobat Reader CVE-2017-16384 Information Disclosure
  • [HIGH] HTTP: Adobe Flash Player CVE-2017-11213 Remote Code Execution
  • [HIGH] HTTP: Adobe Flash CVE-2017-3112 Remote Code Execution
  • [HIGH] HTTP: Adobe Acrobat CVE-2017-16399 Remote Code Execution
  • [HIGH] HTTP: Adobe CVE-2017-16381 Remote Code Execution
  • [HIGH] HTTP: Adobe Exe CVE-2017-16409 Remote Code Execution
  • [HIGH] HTTP: Adobe Reader CVE-2017-16420 Information Disclosure
  • [HIGH] HTTP: Adobe Reader CVE-2017-16410 Memory Corruption
  • [HIGH] HTTP: Adobe Reader CVE-2017-16391 Remote Code Execution
  • [HIGH] HTTP: Adobe Reader CVE-2017-16402 Remote Code Execution
  • [HIGH] HTTP: Adobe Acrobat CVE-2017-16407 Remote Code Execution
  • [HIGH] HTTP: Adobe CVE-2017-16385 Remote Code Execution
  • [HIGH] HTTP: Adobe Reader CVE-2017-16370 Remote Code Execution
  • [HIGH] HTTP: Adobe Reader CVE-2017-16374 Remote Code Execution
  • [MEDIUM] SMB: Microsoft Windows SMBv1 CVE-2017-11815 Information Disclosure
  • [HIGH] HTTP: Acrobat Reader CVE-2017-16400 Remote Code Execution
  • [HIGH] HTTP: Adobe Reader CVE-2017-16388 Remote Code Execution

2 updated signatures.

Copyright © 1996-2016 Juniper Networks, Inc.     All rights reserved                                                                                      Update preferences

                   
21 November 2017

Effective Microsegmentation in VMware NSX deployments with Juniper SDSN


Data centers using Juniper Networks vSRX Virtual Firewall and Junos Space Security Director with Policy Enforcer in combination with VMware’s NSX platform can microsegment intra-data center traffic to effectively defend applications and systems against threat propagation in both north-south and east-west traffic.


                   
21 November 2017

Effective Microsegmentation in VMware NSX deployments with Juniper SDSN

Data centers using Juniper Networks vSRX Virtual Firewall and Junos Space Security Director with Policy Enforcer in combination with VMware’s NSX platform can microsegment intra-data center traffic to effectively defend applications and systems against threat propagation in both north-south and east-west traffic.


                   
20 November 2017

How Juniper Is Helping Make A Self-Driving Network A Reality


Think back—way back—to the days when, if you had to get from point A to point B, you simply walked. Then along came the bicycle, and the journey got a little easier.  Next came the horse and buggy, followed by the automobile.  There you have it: the history of transportation in less than 200 words. 


                   
20 November 2017

No More Commuting on Dinosaurs


Think back—way back—to the days when, if you had to get from point A to point B, you simply walked. Then along came the bicycle, and the journey got a little easier.  Next came the horse and buggy, followed by the automobile.  There you have it: the history of transportation in less than 200 words. 


                   
18 November 2017

Facebook, Open/R, Juniper, and Open Networking


Facebook made waves earlier this week when they announced that they were open-sourcing their Open/R platform. In the latest push towards disaggregated networking components and open source software, Facebook outlined how they are working with Juniper Networks and others as they transform their backbone and data center networks.


                   
16 November 2017

Signature Update #3006


1 renamed signature.


                   
15 November 2017

Juniper Networks Announces Date and Webcast Information for Upcoming Investor Conferences in December 2017

SUNNYVALE, CA--(Marketwired - November 15, 2017) - Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, today announced the Company will present at the following investor conferences in December:

Ken Miller, Chief Financial Officer at Juniper Networks, will present at the Wells Fargo Technology Summit, Tuesday, December 5, 2017 at 8:30am MT, in Park City.

Kevin Hutchins, Senior Vice President, Strategy and Product Line Management, at Juniper Networks, w...

                   
14 November 2017

Signature Update #3005


22 new signatures:

  • [HIGH] HTTP: Adobe Acrobat Reader CVE-2017-16395 Remote Code Execution
  • [HIGH] HTTP: Adobe Acrobat CVE-2017-16387 Remote Code Execution
  • [HIGH] HTTP: Adobe Acrobat CVE-2017-16383 Remote Code Execution
  • [MEDIUM] HTTP: Adobe Pdf CVE-2017-16371 Sensitive Information Leak
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11837 Scripting Engine Memory Corruption
  • [HIGH] HTTP: Microsoft Excel CVE-2017-11878 Memory Corruption
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11861 Scripting Engine Memory Corruption
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11858 Scripting Engine Memory Corruption
  • [HIGH] HTTP: Microsoft IE CVE-2017-11869 Scripting Engine Memory Corruption
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11873 Scripting Engine Memory Corruption
  • [MEDIUM] HTTP: Adobe Emf CVE-2017-16403 Information Disclosure
  • [HIGH] HTTP: Microsoft Edge JIT JavaScript Memory Corruption
  • [HIGH] HTTP: Microsoft Internet Explorer CVE-2017-11856 Memory Corruption
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11846 Scripting Engine Memory Corruption
  • [MEDIUM] HTTP: Microsoft Edge CVE-2017-11791 Scripting Engine Information Disclosure
  • [HIGH] HTTP: Microsoft browsers CVE-2017-11843 Memory Corruption
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11840 Remote Code Execution
  • [HIGH] HTTP: Microsoft Windows CVE-2017-11847 Kernel Privilege Escalation
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11841 Memory Corruption
  • [HIGH] HTTP: Microsoft Word CVE-2017-11854 Remote Code Execution
  • [HIGH] HTTP: Microsoft Edge CVE-2017-11845 Memory Corruption
  • [HIGH] HTTP: Microsoft Internet Explorer CVE-2017-11855 Memory Corruption

5 updated signatures.


                   
14 November 2017

Juniper supports young female students with scholarships


Juniper Networks is committed to helping women in technology. This blog discusses our partnership with The Institute of International Education (IIE) Women Enhancing Technology (WeTech).


                   
14 November 2017

The Changing Nature of Data Center Networking


The role of IT is changing. Where IT used to be viewed primarily as a services organization, modern enterprises of even moderate size and sophistication now rely on IT as a key strategic contributor. With this shift in responsibility comes a commensurate shift in IT leadership priorities. This shift is the focus of recent research led by PwC.


                   
11 November 2017

AT&T and Juniper Networks Showcase Live Upgrade of OpenContrail and OpenStack On Stage at OpenStack Summit


Performing live upgrades, with live network traffic, in front of thousands of industry peers, is extremely risky—it’s the networking version of working without a net. But AT&T pulled it off at the OpenStack Summit in Sydney earlier this month.


                   
9 November 2017

Signature Update #3004


There were no updates in this release.


                   
9 November 2017

GDPR and the Information Lifecycle


I’m keen to change the perception that GDPR (General Data Protection Regulation) will act as a drag on organizations. I also want to avoid others falling into the trap of thinking the only inducement for an organization to comply is to avoid a fine. But before I attempt this, I’m going to briefly stray into another passion of mine, cars, just to make a point.


                   
9 November 2017

A look into LokiBot infostealer


Introduction

We recently detected a LokiBot sample that was delivered as an email attachment to one of our customers in the healthcare vertical. Below is the technical analysis of the sample.

LokiBot is an infostealer known to steal various kinds of data such as FTP credentials, email client passwords and passwords stored in browsers. LokiBot is distributed in phishing emails and is known to exfiltrate data using the POST method over HTTP.

Indicators of Compromise

  • ISO file:
    • MD5: 17c9e6f0df7557962d6bc90a891693d9
    • SHA1: 2ee42a051823b4e1bc0ed643c0b15843cce7c056
  • Filename: Proforma Invoice pdf.exe
    • MD5: 66837f4f5ee989a119eb7dcd8c5425b3
    • SHA1: 76a5919be86a7035fa6766d01a26094c49a30078
  • Unpacked:
    • MD5: 9335ce514bbdd9d146f30970569be44f
    • SHA1: 06aacbc54f93afcf29e3ee7966e236d7d9b98e60
  • .hdb file found in AppData
  • Connects to URLs that end with fre.php

Technical Analysis

The file is packed with a VB-compiled packer, which usually makes reversing harder.

Additionally, this sample uses anti-debug techniques and RunPE, which makes it harder to reverse engineer.

The obfuscated code is decrypted into virtually allocated memory by pushing the data onto the stack, then popping it and XORing it:

Fig: Obfuscated code in the file

The obfuscated code is copied to memory using a sequence of push and pop instructions created in reverse order. The content can be decrypted with the XOR key 0x5BD09268.

Fig: Decryption loop

Anti-debugging

The malware then jumps to the decrypted code. First it runs its anti-debug checks. If a debugger is present, it jumps to code that throws an exception.

Fig: Checks the BeingDebugged flag in the PEB

Sandbox detection code:

The above code detects a sandbox by saving the current cursor position (CurCursorPos), sleeping for a second and then comparing the cursor position to the saved one. If it is unchanged, the malware throws an exception.

Fig: Sandbox detection

Other anti-debug checks

Fig: Checks the NtGlobalFlag in the PEB for debugger detection

When satisfied that it is not being monitored, the malware uses process hollowing to inject its payload into a newly created, suspended instance of itself.

 

Unpacked sample:

After unpacking, we can identify a lot of strings in the malware. These strings look similar to the strings observed in LokiBot.

The malware checks for the presence of configuration and settings files for various FTP clients, browsers and email clients, hoping to steal the credentials they hold.

Fig: Reads the config files of various software in a loop

Fig: Config files of various software

Fig: List of FTP files

Fig: Malware reads the config files of Secure FTP Expert

A .hdb file is created in the AppData folder, which indicates the presence of LokiBot. This file seems to be some kind of database used by the malware, and it can be used as an IoC for LokiBot.

LokiBot is known to compress the stolen data before sending it to the CnC server.

The malware uses an HTTP POST to send the stolen data to the CnC server.

Fig: LokiBot sends data to the CnC server

 

CnC:

The sample connects to the following URL and sends the stolen data:

http://newpanelme.info/042/fre[.]php

These C&C URLs usually end with fre.php.

Here are a few more URLs used for the same purpose, discovered by other security vendors:

  • southeasterncontractingco.com/AM/G00gle/fre[.]php
  • axpired.xyz/013/fre[.]php
  • 154.16.49.153/loved/know/fre[.]php
  • toopolex.com/controllers/user/fre[.]php

Detection

Both Juniper Sky ATP and the Cyphort (now a Juniper company) on-prem solution detect this threat, as seen in the screenshots below:
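To turn the network and host indicators above into something an analyst can run, here is an added example in Python (it is not part of the original post and not Juniper's own tooling): it parses constructed proxy log lines in Common Log Format, flags POST requests whose path ends in /fre.php, and picks .hdb files under AppData out of a constructed file listing. The log format, the hdb_artifacts helper and the sample paths are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed proxy log lines in Common Log Format. The two fre.php POSTs use
# C2 URLs published in the post above; the remaining lines are benign filler.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2017:10:12:01 +0000] "POST http://newpanelme.info/042/fre.php HTTP/1.1" 404 312
10.0.0.5 - - [09/Nov/2017:10:12:05 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5120
10.0.0.7 - - [09/Nov/2017:10:13:42 +0000] "POST http://154.16.49.153/loved/know/fre.php HTTP/1.1" 404 298
10.0.0.9 - - [09/Nov/2017:10:14:00 +0000] "GET http://example.org/tools/fre.php?dl=1 HTTP/1.1" 200 777
10.0.0.9 - - [09/Nov/2017:10:15:00 +0000] "POST http://example.org/upload.php HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Parse one CLF proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return 'high', 'low' or None for one parsed entry.

    'high': POST to a path ending in /fre.php, the exfiltration pattern the post
            describes (the query string is ignored when matching the path).
    'low' : same path pattern with another method; worth a look, not a verdict.
    """
    path = urlsplit(entry["url"]).path.lower()
    if not path.endswith("/fre.php"):
        return None
    return "high" if entry["method"] == "POST" else "low"

def find_loki_c2(log_text):
    """Scan log text and return (client, url, confidence) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than guess
        verdict = classify(entry)
        if verdict:
            hits.append((entry["client"], entry["url"], verdict))
    return hits

def hdb_artifacts(paths):
    """Return entries of a Windows file listing that are .hdb files under AppData.

    The post names such a file as a host-based IoC; the listing (e.g. an EDR
    file inventory) is an assumed input, and the match is case-insensitive.
    """
    found = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".hdb" and "appdata" in (part.lower() for part in wp.parts):
            found.append(p)
    return found

if __name__ == "__main__":
    for client, url, verdict in find_loki_c2(SAMPLE_LOG):
        print(f"{verdict:<4} {client} -> {url}")
    # Constructed file listing; the directory and file names are made up.
    listing = [r"C:\Users\alice\AppData\Roaming\sample\sample.hdb",
               r"C:\Users\alice\Documents\notes.txt"]
    print(hdb_artifacts(listing))
```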


                   
9 November 2017

Leverage the Entire Network for Lateral Threat Remediation


Today’s dynamic business environment requires organizations to defend themselves against increasingly sophisticated cybersecurity attacks powered by advanced threat intelligence and enforcement capabilities. That demands a comprehensive security platform that ties together and coordinates various threat analytics platforms, as well as a simpler policy mechanism.  Most important, you must be able to leverage the entire network—not just the perimeter—as a threat detection and enforcement tool.


                   
8 November 2017

So many things, so little security


As the "Internet of Things (IoT)" phenomenon catches on in a big way, I wanted to quickly capture the state of affairs of IoT in the context of security, and how different Juniper technologies can help secure IoT infrastructure as well as protect other enterprise infrastructure from IoT devices.


                   

                   
7 November 2017

Signature Update #3003


5 new signatures:

  • [HIGH] SMB: Microsoft Windows SMB Server SMBv1 Out Of Bound Read
  • [HIGH] HTTP: Microsoft Edge Java Script Memory Corruption
  • [MEDIUM] DHCP: Dnsmasq DHCPv6 Information Disclosure
  • [HIGH] APP: Adobe ColdFusion RMI Registry Insecure Deserialization Remote Code Execution
  • [HIGH] HTTP: Microsoft Edge DoLoopBodyStart Out of Bounds Read

18 updated signatures.
