Underminer Exploit Kit: How Tenable Can Help

Tenable Research

The “Underminer” exploit kit is having widespread impact in Asian countries, particularly Japan. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices.

Contrary to popular belief, the exploit kit is not dead yet. “Underminer,” an exploit kit named and discovered by Trend Micro, is having widespread impact in Asian countries, particularly Japan. Its nefarious bootkit infects the system’s boot sectors and delivers a coin-mining payload named Hidden Mellifera.

While the continued decline of Adobe Flash has led to a reduction in the prevalence of exploit kits, enterprises need to remember this attack vector remains a real problem. Underminer is quite sophisticated and has many of the capabilities utilized by other problematic exploit kits, including user-agent/browser profiling to determine the installed Flash Player version and cookie detection to prevent repeat visits to the exploit site. In addition, traffic is RSA-encrypted prior to exploitation.

The following diagram from Trend Micro provides a useful high-level view of the stages and vectors of Underminer:

Source: Trend Micro, https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/07/underminer-exploit-kit-4.png.

As of 4:45 am EDT on July 27, only 3 of the 40 antivirus (AV) engines on VirusTotal detected the provided SHA-256 checksums. However, that’s bound to change with time and is likely due to the localized exploitation. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices, such as removing unnecessary browser plugins, good firewall hygiene, antivirus updates, user awareness and so on.

[Figure: Antivirus programs tested by VirusTotal, detection results for the Underminer sample]

Source: VirusTotal, https://www.virustotal.com/#/file/a795deaa2d1c1f2d9426a8c28791111e0192ffad14d086b51bc61c8e16008b63/detection.

Tenable’s Coverage for Underminer Exploit Kit

CVE             Plugin ID   Description
CVE-2015-5119   84641       Adobe AIR
CVE-2015-5119   84642       Adobe Flash Player
CVE-2015-5119   84667       Google Chrome
CVE-2015-5119   84645       MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
CVE-2016-0189   91001       MS16-051: Cumulative Security Update for Internet Explorer (3155533)
CVE-2016-0189   91003       MS16-053: Cumulative Security Update for JScript and VBScript (3156764)
CVE-2018-4878   106606      Adobe Flash Player
CVE-2018-4878   106655      KB4074595: Security update for Adobe Flash Player (February 2018)
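One way to turn the coverage table into a triage step, as an added example that is not Tenable's own code: it walks a Nessus CSV export and lists every host that still carries one of the plugin findings above, grouped by the CVE the plugin detects. It assumes the export uses the column names "Plugin ID", "CVE" and "Host"; the sample rows are constructed, not real scan output.

```python
"""Triage a Nessus CSV export for the plugin findings in the coverage table.

Added example, not Tenable's code. Assumes the standard Nessus CSV columns
"Plugin ID", "CVE" and "Host"; SAMPLE_CSV below is constructed test data.
"""
import csv
import io
from collections import defaultdict

# Plugin IDs from the coverage table above, keyed to the CVE each one detects.
UNDERMINER_PLUGINS = {
    "84641": "CVE-2015-5119", "84642": "CVE-2015-5119",
    "84667": "CVE-2015-5119", "84645": "CVE-2015-5119",
    "91001": "CVE-2016-0189", "91003": "CVE-2016-0189",
    "106606": "CVE-2018-4878", "106655": "CVE-2018-4878",
}
UNDERMINER_CVES = set(UNDERMINER_PLUGINS.values())

# Constructed sample export: two exposed hosts plus one unrelated finding.
# Plugin 19506 ("Nessus Scan Information") is a real informational plugin
# used here only as a non-matching row.
SAMPLE_CSV = """Plugin ID,CVE,Host,Name
84642,CVE-2015-5119,10.0.0.5,Adobe Flash Player
106606,CVE-2018-4878,10.0.0.5,Adobe Flash Player
91001,CVE-2016-0189,10.0.0.7,MS16-051: Cumulative Security Update for Internet Explorer
19506,,10.0.0.9,Nessus Scan Information
"""


def exposed_hosts(csv_text):
    """Return {host: sorted list of CVEs} for hosts with a matching finding.

    A row matches on its plugin ID, or on any covered CVE in its CVE column,
    so a newer plugin that checks the same CVE is still picked up.
    """
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["Host"].strip()
        cve = UNDERMINER_PLUGINS.get(row["Plugin ID"].strip())
        if cve:
            hits[host].add(cve)
        for listed in row.get("CVE", "").split(","):
            if listed.strip() in UNDERMINER_CVES:
                hits[host].add(listed.strip())
    return {host: sorted(cves) for host, cves in hits.items()}


def report(csv_text):
    """One line per exposed host, hosts with the most open CVEs first."""
    ranked = sorted(exposed_hosts(csv_text).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{host}: {', '.join(cves)}" for host, cves in ranked]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)))
```

Feed it a real export with `report(open("scan.csv").read())`; hosts that drop off the list after patching confirm the mitigation took effect.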


Published on Jul 31, 2018
