Friday, June 23, 2017

Threat Round-up for June 16 - June 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center,, or

Thursday, June 22, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in InsideSecure MatrixSSL

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos


MatrixSSL is a TLS/SSL stack offered in the form of a Software Development Kit (SDK) that is geared towards application in Internet of Things (IOT) devices and other embedded systems. It features low resource overhead and supports many different embedded platforms. It also features FIPS 140-2 compliant cryptography making it suitable for use in high security environments. Talos recently discovered multiple vulnerabilities in MatrixSSL version 3.8.7b including two remote code execution (RCE) vulnerabilities as well as an information disclosure vulnerability.

Wednesday, June 21, 2017

Player 1 Limps Back Into the Ring - Hello again, Locky!

This post was authored by Alex Chiu, Warren Mercer, and Jaeson SchultzSean Baird and Matthew Molyett contributed to this post.

Back in May, the Necurs spam botnet jettisoned Locky ransomware in favor of the new Jaff ransomware variant. However, earlier this month Kaspersky discovered a vulnerability within Jaff which allowed them to create a decryptor. This turn of events seems to have caused the miscreants behind Necurs to scramble to distribute a different ransomware payload. Falling back on their old tricks, they have selected to re-distribute Locky ransomware. The malware is being transmitted via email using an .exe file encapsulated within two compressed .zip archives.

The Spam Campaign

The spam that is distributing this ransomware campaign is not significantly different from other ransomware spam campaigns that we have seen from Necurs. Ransomware-oriented spam campaigns from Necurs typically involve order confirmations, payment receipts, business documents, and so on -- all with the common goal of social engineering victims into opening the attachment. The messages Talos observed in this particular campaign are disguised as fake invoices.
An example spam message propagating Locky ransomware

Tuesday, June 20, 2017

Talos Targets Disinformation with Fake News Challenge Victory

This post was authored by Sean Baird with contributions by Doug Sibley and Yuxi Pan

Executive Summary

For the past several months, the problem of “fake news” has been abuzz in news headlines, tweets, and social media posts across the web. With historical roots in information warfare and disinformation, “fake news” is a different kind of cyber-threat affecting people all around the globe. Using advanced machine learning and artificial intelligence technology, Talos researchers set their sights on this different kind of cyber-threat and beat out over 80 registered teams worldwide to claim first place in the Fake News Challenge.

Monday, June 19, 2017

Delphi Used To Score Against Palestine

This blog was authored by Paul Rascagneres and Warren Mercer with contributions from Emmanuel TacheauVanja Svajcer and Martin Lee.

Executive Summary

Talos continuously monitors malicious emails campaigns. We identified one specific spear phishing campaign launched against targets within Palestine, and specifically against Palestinian law enforcement agencies. This campaign started in April 2017, using a spear phishing campaign to deliver the MICROPSIA payload in order to remotely control infected systems. Although this technique is not new, it remains an effective technique for attackers.

The malware itself was developed in Delphi; in this article, we describe the features and the network communication to the command and control server used by the attackers. The threat actor has chosen to reference TV show characters and include German language words within the attack. Most significantly, the attacker has appeared to have used genuine documents stolen from Palestinian sources as well as a controversial music video as part of the attack.

Vulnerability Spotlight: Multiple Foscam C1 Vulnerabilities Come in to Focus

Executive Summary

The Foscam C1 is a webcam that is marketed for use in a variety of applications including home security monitoring. As an indoor webcam, it is designed to be set up inside of a building and features the ability to be accessed remotely via a web interface or from within a mobile application. Talos recently identified several vulnerabilities in the Foscam C1 camera that could be used by attackers for a variety of purposes including access and retrieval of sensitive information stored on the camera, execution of arbitrary commands within the camera's operating system, and in several cases, completely compromise the device. As these cameras are commonly deployed in sensitive locations and used as baby monitors, security cameras, etc. it is recommended that affected devices be updated as quickly as possible to ensure that they are no longer vulnerable.

In accordance with our responsible disclosure policy, Talos has worked with Foscam to resolve these issues, which has resulted in the release of a firmware update addressing them.

Vulnerability Details

BASS - BASS Automated Signature Synthesizer

This blog post was authored by Jonas Zaddach and Mariano Graziano.

Executive Summary

Given the rapid pace of change in the threat landscape with new threats emerging and existing ones evolving, there are bound to be challenges defenders face. These challenges can manifest in multiple ways, such as processing and analyzing millions of new and unknown samples received each day. Other challenges include managing resource constraints for our tools used to automate malware analysis, developing antivirus signatures in an efficient manner that will identify malware families, and ensuring tools are able to scale as the number of samples needing to be analyzed increases. To help address these challenges, Talos is releasing a new open source framework called BASS.

BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker.

Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS. You can find source code for BASS here:

BASS was announced at REcon 2017 in Montreal, Canada.

Wednesday, June 14, 2017

Deep dive in Lexmark Perceptive Document Filters Exploitation

This post authored by Marcin Noga with contributions from Nick Biasini


Talos discovers and releases software vulnerabilities on a regular basis. We don't always publish a deep technical analysis of how the vulnerability was discovered or its potential impact. This blog will cover these technical aspects including discovery and exploitation. Before we deep dive into the technical aspects of exploitation, let's start with an introduction to Lexmark Perceptive Document Filters and MarkLogic. Specifically, how these products are connected and what their purpose is. There are articles across the Internet discussing these products and their purposes. Additionally, you can read the Perceptive Documents Filters product description directly.

In general Perceptive Document Filters are used in Big Data, eDiscovery, DLP, email archival, content management, business intelligence, and intelligent capture. There are 3 major companies with product offerings in this space. Lexmark is one of them with Oracle and HP being the other two.

Tuesday, June 13, 2017

Microsoft Patch Tuesday - June 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.

BWT EP6: Enter the Talos, But Please Use a Unique Password


Listen via iTunes
Listen directly on the Talos Podcasts page.

Episode Notes: