Underminer Exploit Kit: How Tenable Can Help
The “Underminer” exploit kit is having widespread impact in Asian countries, particularly Japan. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices.
Contrary to popular belief, the exploit kit is not dead yet. “Underminer,” an exploit kit named and discovered by Trend Micro, is having widespread impact in Asian countries, particularly Japan. Its nefarious bootkit affects the system’s boot sectors and delivers the coin mining payload named Hidden Mellifera.
While the continued decline of Adobe Flash has led to a reduction in the prevalence of Exploit Kits, enterprises need to remember this attack vector remains a real problem. Underminer is quite sophisticated and has many of the capabilities utilized by other problematic exploit kits, including user-agent/browser profiling to determine Flash Player version and cookie detection to prevent repeated exploit site visits. In addition, RSA encryption of traffic is utilized prior to exploitation.
The following diagram from Trend Micro provides a useful high-level view of the stages and vectors of Underminer:
Source: Trend Micro, https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/07/underminer-exploit-kit-4.png.
As of 4:45 am EDT on July 27, the antivirus (AV) programs tested by VirusTotal have very limited coverage of the provided SHA-256 checksums (3/40). However, that’s bound to change with time and is likely due to the localized exploitation. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices, such as preventing unnecessary browser plugins, good firewall hygiene, antivirus updates, user awareness and so on.
Antivirus programs tested by VirusTotal
Source: VirusTotal, https://www.virustotal.com/#/file/a795deaa2d1c1f2d9426a8c28791111e0192ffad14d086b51bc61c8e16008b63/detection.
Tenable’s Coverage for Underminer Exploit Kit
|
CVE |
Plugin ID |
Description |
|
CVE-2015-5119 |
Adobe AIR |
|
|
CVE-2015-5119 |
Adobe Flash Player |
|
|
CVE-2015-5119 |
Google Chrome |
|
|
CVE-2015-5119 |
MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer |
|
|
CVE-2016-0189 |
MS16-051: Cumulative Security Update for Internet Explorer (3155533) |
|
|
CVE-2016-0189 |
MS16-053: Cumulative Security Update for JScript and VBScript (3156764) |
|
|
CVE-2018-4878 |
Adobe Flash Player |
|
|
CVE-2018-4878 |
KB4074595: Security update for Adobe Flash Player (February 2018) |
Additional Information:
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
The Role of Open Source in Cloud Security: A Case Study with Terrascan by Tenable
May 11, 2023Open source software and cloud-native infrastructure are inextricably linked and can play a key role in helping to manage security. Open source security tools like Terrascan by Tenable are easy to scale, cost-effective and benefit from an agile community of contributors. Let’s take a look at how you can implement it today.
Microsoft’s May 2023 Patch Tuesday Addresses 38 CVEs (CVE-2023-29336)
May 9, 2023Microsoft addresses 38 CVEs including three zero-day vulnerabilities, two of which were exploited in the wild.
Tenable Security Center Integration into Tenable One Delivers Full Exposure Management for On-Prem Customers
May 9, 2023With the integration of Tenable Security Center into Tenable One, Tenable becomes the only vendor to offer exposure management for both on-premises and hybrid deployment models. Here’s what you need to know.
Cybersecurity Snapshot: How Enterprise Cyber Leaders Can Tame the ChatGPT Beast
May 26, 2023Check out a guide written for CISOs by CISOs on how to manage the risks of using generative AI in your organization. Plus, the White House unveils an updated national AI strategy. Also, a warning about a China-backed attacker targeting U.S. critical infrastructure. And much more!
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
May 25, 2023Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor Several international cybersecurity authorities from the United States, Unit...
Tenable Announces Support for Microsoft Azure Linux: A New Way to Achieve Secure Container Development
May 24, 2023With the launch of Azure Linux container host for Azure Kubernetes Service, Microsoft enters the open-source Linux distribution container sphere with enhanced security Kubernetes experience. In this blog, we explain key features of Azure Linux and how Tenable can support the security needs of Microsoft customers.
- Vulnerability Management