Underminer Exploit Kit: How Tenable Can Help

Tenable Research

The “Underminer” exploit kit is having widespread impact in Asian countries, particularly Japan. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices.

Contrary to popular belief, the exploit kit is not dead yet. “Underminer,” an exploit kit named and discovered by Trend Micro, is having widespread impact in Asian countries, particularly Japan. Its nefarious bootkit affects the system’s boot sectors and delivers the coin mining payload named Hidden Mellifera.

While the continued decline of Adobe Flash has led to a reduction in the prevalence of Exploit Kits, enterprises need to remember this attack vector remains a real problem. Underminer is quite sophisticated and has many of the capabilities utilized by other problematic exploit kits, including user-agent/browser profiling to determine Flash Player version and cookie detection to prevent repeated exploit site visits. In addition, RSA encryption of traffic is utilized prior to exploitation.

The following diagram from Trend Micro provides a useful high-level view of the stages and vectors of Underminer:

Source: Trend Micro, https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/07/underminer-exploit-kit-4.png.

As of 4:45 am EDT on July 27, the antivirus (AV) programs tested by VirusTotal have very limited coverage of the provided SHA-256 checksums (3/40). However, that’s bound to change with time and is likely due to the localized exploitation. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices, such as preventing unnecessary browser plugins, good firewall hygiene, antivirus updates, user awareness and so on.

Antivirus programs tested by VirusTotal

VirusTotal Underminer

Source: VirusTotal, https://www.virustotal.com/#/file/a795deaa2d1c1f2d9426a8c28791111e0192ffad14d086b51bc61c8e16008b63/detection.

Tenable’s Coverage for Underminer Exploit Kit

CVE

Plugin ID

Description

CVE-2015-5119

84641

Adobe AIR

CVE-2015-5119

84642

Adobe Flash Player

CVE-2015-5119

84667

Google Chrome

CVE-2015-5119

84645

MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

CVE-2016-0189

91001

MS16-051: Cumulative Security Update for Internet Explorer (3155533)

CVE-2016-0189

91003

MS16-053: Cumulative Security Update for JScript and VBScript (3156764)

CVE-2018-4878

106606

Adobe Flash Player

CVE-2018-4878

106655

KB4074595: Security update for Adobe Flash Player (February 2018)

Additional Information:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Jul 31, 2018

People also viewed

Customer Success Manager - ANZ

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

Field and Channel Marketing Manager, Nordics and Benelux

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

Finance & Investor Relations Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

Senior Data Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

Technical Support Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.