TA18-331A: 3ve – Major Online Ad Fraud Operation

This post was originally published on this site

Original release date: November 27, 2018

Systems Affected

Microsoft Windows


This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as “3ve”—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.


Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Protocol-hijacked IP addresses. 

Boaxxe/Miuref Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter Malware

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.


For the indicators of compromise (IOCs) below, keep in mind that any one indicator on its own may not necessarily mean that a machine is infected. Some IOCs may be present for legitimate applications and network traffic as well, but are included here for completeness.

Boaxxe/Miuref Malware

Boaxxe malware leaves several executables on the infected machine. They may be found in one or more of the following locations:

  • %UserProfile%AppDataLocalVirtualStorelsass.aaa
  • %UserProfile%AppDataLocalTemp<RANDOM>.exe
  • %UserProfile%AppDataLocal<Random eight-character folder name><original file name>.exe

The HKEY_CURRENT_USER (HKCU) “Run” key is set to the path to one of the executables created above.

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun<Above path to executable>

Kovter Malware

Kovter malware is found mostly in the registry, but the following files may be found on the infected machine:

  • %UserProfileAppDataLocalTemp<RANDOM> .exe/.bat
  • %UserProfile%AppDataLocalMicrosoftWindowsTemporary Internet FilesContent.IE5<RANDOM><RANDOM FILENAME>.exe
  • %UserProfile%AppDataLocal<RANDOM><RANDOM>.lnk
  • %UserProfile%AppDataLocal<RANDOM><RANDOM>.bat

Kovter is known to hide in the registry under:


The customized CEF browser is dropped to:

  • %UserProfile%AppDataLocal<RANDOM>

The keys will look like random values and contain scripts. In some values, a User-Agent string can be clearly identified. An additional key containing a link to a batch script on the hard drive may be placed within registry key:

  • HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun

There are several patterns in the network requests that are made by Kovter malware when visiting the counterfeit websites. The following are regex rules for these URL patterns:

  • /?ptrackp=d{5,8}
  • /feedrsd/click?feed_id=d{1,5}&sub_id=d{1,5}&cid=[a-f0-9-]*&spoof_domain=[w.d-_]*&land_ip=d{1,3}.d{1,3}.d{1,3}.d{1,3}
  • /feedrsd/vast_track?a=impression&feed_id=d{5}&sub_id=d{1,5}&sub2_id=d{1,5}&cid=[a-fd-]

The following is a YARA rule for detecting Kovter:

rule KovterUnpacked {
    desc = "Encoded strings in unpacked Kovter samples."
    $ = "7562@3B45E129B93"
    $ = "@ouhKndCny"
    $ = "@ouh@mmEdctffdsr"
    $ = "@ouhSGQ"
    all of them


If you believe you may be a victim of 3ve and its associated malware or hijacked IPs, and have information that may be useful to investigators, submit your complaint to www.ic3.gov and use the hashtag 3ve (#3ve) in the body of your complaint.

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.


Revision History

  • November 27, 2018: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Is there a recommended value on QFullSampleSize,QFullThreshold on vSAN??

This post was originally published on this site


 ・ESXi 6.5 U2

 ・HPE 3PAR StoreServ is connected with iSCSI

 ・vSAN is also connected



・We are doing troubleshooting on performance and we are trying to change the value of QFullSampleSize
and QFullThreshold (default is 0,8) to 32,4

・Do we need to reboot before we set up all these stuff


Thank you



HPE Custom Image for ESXi 6.7 + Proliant Microserver Gen10 No IPMI capabilities

This post was originally published on this site

Hi there,

I’m really a newbie, so I may be asking something stupid, but I hope you can help me.

I downloaded and installed the HPE Custom Image for ESXi 6.7 GA Install CD on a HPE Proliant Microserver Gen 10 and everything went smoothly.

The thing now is about monitoring.

On the web client I go to Host > Monitor and the system says: This system has no IPMI capabilities, you may need to install a driver to enable sensor data to be retrieved.

Since here https://www.hpe.com/it/it/servers/hpe-esxi.html you can read (in Italian) “it supports Gen 9 and newer servers”

My understanding was that using this image I would not need to install anything else to monitor stuff like the RAID controller status.


Can you help me?


The final goal is to get to know ESXi, in order to make a step forward and offer our customers a better service but I am moving my first steps in this V-world and everything is really interesting but overwhelming.


Thanks in advance.

Phone Call Attacks

This post was originally published on this site

More and more scams and attacks are happening over the phone. Whenever you get an urgent phone call on the phone pressuring you to do something (such as a caller pretending to be the tax department or Microsoft Tech Support) be very suspicious. It’s most likely a scammer trying to trick you out of money or pressure you into making a mistake. Protect yourself, simply hang up the phone. You are not being rude, the person on the other line is trying to take advantage of you.

Email and Emotions

This post was originally published on this site

Never send an email when you are angry; you will most likely regret it later. Instead, when you are emotional and want to reply to someone, open up an email and write everything you feel, but do not send it. (Be sure there is no name in the TO field so that you do not accidently send it.) After you have vented, save the email and come back an hour later. You only want to reply to any type of emotional situation after you have had time to cool down.

Website Security

This post was originally published on this site

Original release date: November 1, 2018

What is website security?

Website security refers to the protection of personal and organizational public-facing websites from cyberattacks.

Why should I care about website security?

Cyberattacks against public-facing websites—regardless of size—are common. An attack to your website could

  • Cause defacement,
  • Cause a denial-of-service (DoS) condition,
  • Enable the attacker to obtain sensitive information, or
  • Enable the attacker to take control of the affected website.

Organization and personal websites that fall victim to defacement or DoS may experience financial loss due to eroded user trust or a decrease in website visitors.

A cyberattack that causes a data breach places your company’s intellectual property and your users’ personally identifiable information (PII) at risk of theft.

Cyber criminals may attack websites because of financial incentives such as the theft and sale of intellectual property and PII, ransomware payouts, and cryptocurrency mining (see Defending Against Illicit Cryptocurrency Mining Activity). Cyber criminals may also be motivated to attack websites for ideological reasons, e.g., to gain publicity and notoriety for a terrorist organization through defacing a government website.

What security threats are associated with websites?

Possible cyberattacks against your website include those commonly reported in the media, such as website defacement and DoS—which make the information services provided by the website unavailable for users (see Understanding Denial-of-Service Attacks). An even more severe website attack scenario may result in the compromise of customer data (e.g., PII). These threats affect all aspects of security—confidentiality, integrity, and availability—and can gravely damage the reputation of the website and its owner.

A more subtle attack—one that may not be immediately evident to the website’s owner or user—occurs when an attacker pivots from a compromised web server to the website owner’s corporate network, which contains an abundance of sensitive information that may be at risk of exposure, modification, or destruction. Once an attacker uses a compromised website to enter a corporate network, other assets may be available to the attacker, including user credentials, PII, administrative information, and technical vulnerabilities. Additionally, by compromising the website platform, an attacker may be able to repurpose the website infrastructure as a platform from which they can launch attacks against other systems.

How can I improve my cybersecurity protection against website attacks?

Organizations and individuals can protect their websites by applying the following the best practices to their web servers:

  • Implement the principle of least privilege. Ensure that all users have the least amount of privilege necessary on the web server (including interactive end users and service accounts).
  • Use multifactor authentication. Implement multifactor authentication for user logins to web applications and the underlying website infrastructure.
  • Change default vendor usernames and passwords. Default vendor credentials are not secure—they are usually readily available on the internet. Changing default usernames and passwords will prevent an attack that leverages default credentials.
  • Disable unnecessary accounts. Disable accounts that are no longer necessary, such as guest accounts or individual user accounts that are no longer in use.
  • Use security checklists. Audit and harden configurations based on security checklists specific to each application (e.g., Apache, MySQL) on the system.
  • Use application whitelisting. Use application whitelisting and disable modules or features that provide capabilities that are not necessary for business needs.
  • Use network segmentation and segregation. Network segmentation and segregation makes it more difficult for attackers to move laterally within connected networks. For example, placing the web server in a properly configured demilitarized zone (DMZ) limits the type of network traffic permitted between systems in the DMZ and systems in the internal corporate network.
  • Know where your assets are. You must know where your assets are in order to protect them. For example, if you have data that does not need to be on the web server, remove it to protect it from public access.
  • Protect the assets on the web server. Protect assets on the web server with multiple layers of defense (e.g., limited user access, encryption at rest).
  • Practice healthy cyber hygiene.
    • Patch systems at all levels—from web applications and backend database applications, to operating systems and hypervisors.
    • Perform routine backups, and test disaster recovery scenarios.
    • Configure extended logging and send the logs to a centralized log server.

What are some additional steps I can take to protect against website attacks?

  • Sanitize all user input. Sanitize user input, such as special characters and null characters, at both the client end and the server end. Sanitizing user input is especially critical when it is incorporated into scripts or structured query language statements.
  • Increase resource availability. Configure your website caching to optimize resource availability. Optimizing your website’s resource availability increases the chance that your website will withstand unexpectedly high amounts of traffic during DoS attacks.
  • Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections. Protect your website system, as well as visitors to your website, by implementing XSS and XSRF protections.
  • Implement a Content Security Policy (CSP). Website owners should also consider implementing a CSP. Implementing a CSP lessens the chances of an attacker successfully loading and running malicious JavaScript on the end user machine.
  • Audit third-party code. Audit third-party services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. Website owners should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).
  • Implement hypertext transfer protocol secure (HTTPS) and HTTP strict transport security (HSTS). Website visitors expect their privacy to be protected. To ensure communications between the website and user are encrypted, always enforce the use of HTTPS, and enforce the use of HSTS where possible. For further information and guidance, see the U.S. Chief Information Officer (CIO) and the Federal CIO Council’s webpage on the HTTPS-Only Standard.
  • Implement additional security measures. Additional measures include
    • Running static and dynamic security scans against the website code and system,
    • Deploying web application firewalls,
    • Leveraging content delivery networks to protect against malicious web traffic, and
    • Providing load balancing and resilience against high amounts of traffic.

For additional guidance, visit the Open Web Application Security Project Top 10 Cheat Sheet on common critical risks to web applications, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-44: Guidelines on Securing Public Web Servers, and NIST SP 800-95: Guide to Secure Web Services. Subscribe to NCCIC Current Activities to stay current on the latest website technology vulnerabilities.

This product is provided subject to this Notification and this Privacy & Use policy.