Tuesday, December 12, 2017

Microsoft Patch Tuesday - December 2017

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 34 new vulnerabilities with 21 of them rated critical and 13 of them rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

In addition to the 33 vulnerabilities addressed, Microsoft has also released an update for Microsoft Office which improves security by disabling the Dynamic Data Exchange (DDE) protocol. This update is detailed in ADV170021 and impacts all supported versions of Office. Organizations who are unable to install this update should consult the advisory for workaround that help mitigate DDE exploitation attempts.

Friday, December 8, 2017

Threat Round Up for Dec 01 - Dec 08

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between December 01 and December 08. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: TALOS-2017-0393 / CVE-2017-2886 - ACDSee Ultimate 10 Remote Code Execution Vulnerability

Vulnerability discovered by Piotr Bania of Cisco Talos.


Talos has discovered a remote code execution vulnerability in the ACDSee Ultimate 10 application from ACD Systems International Inc. Exploiting this vulnerabilities can potentially allow an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted .PSD (Photoshop) file and the victim opens it with the ACDSee Ultimate 10 application, the attackers code could potentially be executed with the privileges of the local user.

Thursday, December 7, 2017

The Mutiny Fuzzing Framework and Decept Proxy

This blog post is authored by James Spadaro of Cisco ASIG and Lilith Wyatt of Cisco Talos.

Imagine a scenario where you, as a vulnerability researcher, are tasked with auditing a network application to identify vulnerabilities. By itself, the task may not seem too daunting until you learn of a couple conditions and constraints: you have very little information to work off of on how the network applications operates, how the protocols work, and you have a limited amount of time to conduct your evaluation. What do you do?

In these scenarios, searching for and identifying vulnerabilities in network applications can be a monumental task. Fuzzing is one testing method that researchers may use in these cases to test software and find vulnerabilities in an efficient manner. However, the question that then comes up is how does one fuzz quickly and effectively?

Enter the Mutiny Fuzzing Framework and the Decept Proxy.

Wednesday, December 6, 2017

Recam Redux - DeConfusing ConfuserEx

This post is authored by Holger Unterbrink and Christopher Marczewski


This report shows how to deobfuscate a custom .NET ConfuserEx protected malware. We identified this recent malware campaign in our Advanced Malware Protection (AMP) telemetry. Initial infection is via a malicious Word document, the malware ultimately executes in memory an embedded payload from the Recam family. Recam is an information stealer. Although the malware has been around for the past few years, there's a reason you won't see a significant amount of documentation concerning its internals. The authors have gone the extra mile to delay analysis of the sample, including multiple layers of data encryption, string obfuscation, piecewise nulling, and data buffer constructors. It also relies on its own C2 binary protocol which is heavily encrypted along with any relevant data before transmission.

Thursday, November 30, 2017

Vulnerability Walkthrough: 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability

This blog post was authored by Marcin Noga of Cisco Talos.


In 2016 Talos released an advisory for CVE-2016-2334, which was a remote code execution vulnerability affecting certain versions of 7zip, a popular compression utility. In this blog post we will walk through the process of weaponizing this vulnerability and creating a fully working exploit that leverages it on Windows 7 x86 with the affected version of 7zip (x86 15.05 beta) installed.

Tuesday, November 28, 2017

ROKRAT Reloaded

This post was authored by Warren Mercer, Paul Rascagneres and with contributions from Jungsoo An.

Executive Summary

Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We named this case "Evil New Years". The second one was about the analysis and discovery of the ROKRAT malware.

This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:

  • It contains the same reconnaissance code used;
  • Similar PDB pattern that the "Evil New Years" samples used;
  • it contains the same cloud features and similar copy-paste methods that ROKRAT used;
  • It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.

Wednesday, November 22, 2017

Talos Wins The 5th Volatility Plugin Contest With Pyrebox

Talos has won this year's 5th Volatility plugin contest with Pyrebox. Volatility is a well-known open-source framework designed to analyze operating system memory. The framework has existed since 2007. For the previous 5 years they have run a plugin contest to find the most innovative, interesting, and useful extensions for the Volatility framework. Pyrebox is an open-source Python scriptable Reverse Engineering sandbox developed by Talos. Based on QEMU, its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. In this context, Pyrebox is able to interact with Volatility in order to collect information from the memory of the analysed system.

Tuesday, November 21, 2017

Beers with Talos EP 17: Greek Gods, Trojans, and the Spice Girls as Spirit Animals

Beers with Talos (BWT) Podcast Episode 17 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP17 Show Notes: 

Matt hijacks the Roundtable to tell us which Spice Girl each host is, because where else does a PR gimmick from KFC lead? Also, what’s worse than clicking a search result and getting a slideshow listicle? Getting a trojan payload when searching for banking forms (but that is the only thing that is worse - ARE YOU LISTENING BUZZFEED?). We also discuss the misnaming of troll farms and how patching and proper network segmentation are your friends - unlike anyone who publishes clickbait slideshows - STILL LOOKING AT YOU, BUZZFEED)

For your consideration - Did Joel intentionally break the uploader to delay the episode by several days? Why would he do such a thing?  Discuss.
Make sure to subscribe on iTunes, Google Play, or Stitcher to make sure you don't miss an episode!

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Find all episodes:

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog:

Subscribe to the Threat Source newsletter:

Follow Talos on Twitter:

Give us your feedback and suggestions for topics:
[email protected]

Monday, November 20, 2017

This Holiday Season - Buy One IoT Device, Get Free CVEs

As the Internet of Things gains steam and continues to develop, so are adversaries and the threats affecting these systems. Companies throughout the world are busy deploying low cost Internet-connected computing devices (aka the Internet of Things) to solve business problems and improve our lives. In tandem, criminals are developing their methods for abusing and compromising vulnerable and poorly defended IoT devices.