Thursday, December 17, 2015

Threat Spotlight: Holiday Greetings from Pro PoS – Is your payment card data someone else’s Christmas present?

The post was authored by Ben Baker and Earl Carter.

Payment cards without an EMV chip have reached their end-of-life. Point of Sale (PoS) malware, such as PoSeidon, has continued to threaten businesses. The news is continually filled with stories of payment card data being stolen through a breach in the company’s PoS system. From high-end hotels to large retail firms, threat actors are attacking PoS systems in the attempt to capture payment card data. PoS Malware is just another threat category that Talos is monitoring and developing defenses against. In this post, we will examine the functionality of Pro PoS so that you can better understand how this malware can be used to exfiltrate payment card information and potentially other valuable information from your network.

Beginning in October, merchants in the United States were required to use PoS terminals that provide support for chip-enabled cards or otherwise risk liability for fraudulent charges. These new chip-enabled readers help minimize the chance for PoS malware to steal payment card information because the chip on the payment card generates a single use token. This transition, however has been bumpy at best because the cost of new chip-enabled readers has made it difficult to upgrade to the newer readers. Another loophole is that gas stations have a different timeline and are not required to move to chip-based readers until October 2017. These two factors mean that many establishments still rely on card readers that are not chip-enabled and sending payment card data that can be duplicated and reused.

Pro PoS is simple-to-use PoS malware that is available for purchase, enabling multiple threat actors to easily take advantage of this malware to target businesses. The functionality of Pro PoS seems fairly extensive according to recent press releases. These claims include the following:

  1. Tor support
  2. Rootkit functionalities
  3. Mechanisms to avoid antivirus detection
  4. Polymorphic engine


In order to analyze the actual capabilities of Pro PoS, Talos collaborated with Flashpoint, a pioneer in threat intelligence from the Deep & Dark Web. Not all of the claims in the press releases seem to be totally accurate given the Pro PoS version 1.1.5b sample that Talos analyzed. For instance we did not identify any significant mechanisms to avoid antivirus detection, other than a trivial packer that seemed to be more for compression than obfuscation. Unless you include tor2web, we did not find support for Tor. We did not find a Polymorphic engine. And finally, we did observe a rootkit being installed but it did not appear to be used by the malware.

Thursday, December 10, 2015

Threat Spotlight: CryptoWall 4 - The Evolution Continues

This post is authored by Andrea Allievi and Holger Unterbrink with contributions from Warren Mercer.


Executive Summary


Over the past year, Talos has devoted a significant amount of time to better understanding how ransomware operates, its relation to other malware, and its economic impact. This research has proven valuable for Talos and led the development of better detection methods within the products we support along with the disruption of adversarial operations. CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and Cryptowall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4. In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior, deltas from previous versions and share our research and findings with the community.

For readers that may not be familiar, ransomware is malicious software that is designed to hold users' files (such as photos, documents, and music) for ransom by encrypting their contents and demanding the user pay a fee to decrypt their files. Typically, users are exposed to ransomware via email phishing campaigns and exploit kits. The core functionality of CryptoWall 4 remains the same as it continues to encrypt users’ files and then presents a message demanding the user pay a ransom. However, Talos observed several new developments in CryptoWall 4 from previous versions. For example, several encryption algorithms used for holding users’ file for ransom have changed. Also, CryptoWall 4 includes a new technique to disable and delete all automatic Windows backup mechanisms, making it almost impossible to recover encrypted files without having an external backup. Finally, CryptoWall 4 has been observed using undocumented API calls not previously used to find the local language settings of the compromised host. These are just a few of the new findings Talos observed in the new iteration of CryptoWall that are detailed further in this post. 

For our technically savvy users, we encourage you to continue reading. As always, we strongly encourage users and organizations to follow recommended security practices and to employ multiple layers of detection in order to reduce the risk of compromise. Our in-depth analysis of the latest CryptoWall version gives us a better opportunity to protect our users by allowing us to identify better detection methods. Finally, as a note regarding recent statements by the FBI informing users that they should just pay the ransom if they have no alternative, Talos strongly encourages users to not pay the ransom as doing so directly funds this malicious activity.

Tuesday, December 8, 2015

Microsoft Patch Tuesday - December 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated "Critical" this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated "Important" and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.

Bulletins Rated Critical

MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.

MS15-124 and MS15-125 are this month's Edge and Internet Explorer security bulletin respectively. In total, 34 vulnerabilities were addressed this month between the two browsers with 11 vulnerabilities affecting both Edge and IE. The vast majority of the vulnerabilities addressed this month are memory corruption vulnerabilities along with a couple ASLR and XSS filter bypasses. One special note with this bulletin is that CVE-2015-6135 and CVE-2015-6136 are VBScript engine flaws that affect all supported versions of Internet Explorer. However, this bulletin only addresses these vulnerabilities for IE 8 through 11. Users and organizations who use IE 7, or that do not have IE installed will need to install MS15-126 to address these two vulnerabilities.

Monday, November 23, 2015

Holiday Shopping Threat Avoidance

Executive Summary

The holidays are upon us and the shopping season is kicking into high gear. This year, an estimated 270 million consumers will shop online and, for the first time, more than half of them will use mobile devices to check off their holiday shopping lists.

With consumers searching for holiday discounts through display ads, social media and email, Cisco Talos Security Intelligence and Research Group predict that both malvertising and email spam will be significant vectors for cyber crime this season — especially for mobile shoppers. This is worrisome for the simple reason that most mobile devices do not posses the ability to block many of these threats, leading to increased vulnerabilities as attackers seek profit gain during the busiest time for online commerce.

Through their research, Talos found that Android users are particularly vulnerable. Of the all Apple and Android OS blocks observed on the Cisco's Cloud Web Security (CWS) platform, the Talos team found that nearly 95% were Android-related. At the heart of the problem, many users are running significantly older versions of the Android OS, which lack the security updates for today’s most persistent threats. This holiday season, we advise that our mobile shoppers exercise additional caution.

Keep reading for more on our findings and recommendations.

Tuesday, November 10, 2015

Microsoft Patch Tuesday - November 2015

Microsoft's Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 12 bulletins addressing 53 vulnerabilities. Four bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, Windows Journal, and Windows. The remaining eight bulletins are rated important and address vulnerabilities in .NET, IPsec, Kerberos, Lync/Skype for Business, NDIS, Office, SChannel, and Winsock.

Bulletins Rated Critical

Microsoft bulletins MS15-112 through MS15-115 are rated as critical in this month's release.

MS15-112 and MS15-113 are this month's Internet Explorer and Edge security bulletin respectively. In total, 25 vulnerabilities are addressed with four of them specifically affecting both IE and Edge. The remaining 21 vulnerabilities only affect Internet Explorer. The majority of the vulnerabilities that are resolved in this month's release are memory corruption defects. In addition, an ASLR bypass, an information disclosure vulnerability, and a couple of scripting engine flaws are also addressed.

Thursday, November 5, 2015

Reverse Social Engineering Tech Support Scammers

This post is authored by Jaime Filson and Dave Liebenberg.

Background

A mosaic made up of 1-800 tech support scam websites

The amount of fraudulent actors masquerading as legitimate tech support has been on the rise since 2008. According to David Finn, executive director at the Microsoft Cybercrime Center, tech support scammers have made nearly $1.5 billion off of 3.3 million unwitting victims just this year. These scammers typically convince the victim into allowing them access to his/her computer through remote control applications such as TeamViewer. They then present benign processes as malicious, or at times even spread malware themselves. Afterwards, they charge hundreds of dollars for the service.

There are several avenues through which these scammers reach their victims. One of the most insidious are pop-ups and websites asserting that the user's computer is riddled with viruses, and that the only way to fix the problem is to call a provided tech support number.

Talos has been monitoring the incessant creation of these fake tech support websites in order to better understand the way in which these scams operate. We decided to call a company ourselves for some reverse social engineering. Our experiment provided some interesting insights into the methods these scammers use to fool their victims as well as the infrastructure supporting their operations. In addition, we discovered a broad New Delhi-based scamming network employing multiple websites and VOIP phone numbers to carry out their duplicitous activities.

Thursday, October 29, 2015

Domains of the Living Dead

According to the Centers for Disease Control and Prevention (CDC), “If you’re ready for a zombie apocalypse, then you’re ready for any emergency.” While events haven’t yet risen to the level of “zombie apocalypse”, computer attackers are continuing to use their voodoo to zombify Internet domains, and repurpose them for their own heinous crimes.

Image from the CDC’s Zombie Apocalypse preparedness site

Wednesday, October 21, 2015

Cisco Identifies Multiple Vulnerabilities in Network Time Protocol daemon (ntpd)

Cisco is committed to improving the overall security of the products and services our customers rely on. As part of this commitment, Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock.

In April 2014, the Linux Foundation spearheaded the creation of the Core Infrastructure Initiative in response to the disclosure of Heartbleed with the goal of securing open source projects that are widely used on the internet. As a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. ntpd is a widely deployed software package used to synchronize time between hosts. ntpd ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.

Today, in coordination with the NTP Project, Cisco is releasing 8 advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco. These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of ntpd. The following serves as a summary for all the advisories being released. For the full advisories, readers should visit the Vulnerability Reports page on the Talos website.

Tuesday, October 20, 2015

Dangerous Clipboard: Analysis of the MS15-072 Patch

This post was authored by Marcin Noga with contributions from Jaeson Schultz.

Have you ever thought about how security researchers take a patch that has been released, and then reverse it to find the underlying security issue? Well, back In July Microsoft released security bulletin MS15-072, titled: "Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392)”. According to Microsoft, this vulnerability "could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions.” Talos decided to have a deeper look at this vulnerability in order to better understand it, and this post describes the details of this process so that our readers may gain a better understanding of how this is done.

Table of Contents

  1. Diffing
  2. GdiConvertBitmapV5 analysis
  3. What does the RtlAllocateHeap "size" value consist of?
  4. Places where buffer overflow /writeAV can appear
  5. Proof of Concept (PoC)
  6. Crash analysis
  7. Where is this API called?
  8. Potential attack scenarios
  9. Summary

Tuesday, October 13, 2015

Project Aspis


One of the hardest jobs on the Internet is to work the abuse desk at a hosting provider.  These teams have to strike a difficult balance between protecting their customers, ensuring that their services aren’t being abused by malicious actors and delivering the service and convenience their customers expect.  They don’t get near enough credit for their work.

Recently, Talos had the privilege to work with the abuse team from Limestone Networks.  In the course of our joint investigation, we learned that Limestone Networks had been working against the same actor abusing their services for months.  Based on our findings, this actor was costing them approximately $10,000 a month in fraudulent charges plus wasted engineering time and the overhead of managing the abuse tickets this actor was causing.  By working together, Talos and Limestone Networks were able to make their network a difficult one for the actor to work in by rapidly identifying and terminating the systems they were trying to use.  As a result, the actor moved off of their network.

The results of this experience were so positive, both for Limestone Networks and Talos, that today Talos is announcing Project Aspis.

What is Project Aspis?
Provided by Talos, Project Aspis assists hosting providers, in certain situations, who are dealing with malicious actors who are persistent in their environment and a threat to others on the Internet.

How does it work?
Working together with the hosting provider -- at no cost -- Talos will share its expertise, resources and capabilities.  Network and systems forensics, reverse engineering, threat intelligence sharing and, in the right circumstances, even a dedicated research engineer to work with.  This collaboration will help the hosting provider maintain a safe and cost-effective environment and assist Talos in its mission of pissing off the bad guys.

What to do if you’re affected?
Any hosting provider can request our help by emailing [email protected].  In the email, please include the following information:

  • Dedicated point of contact with email and phone
  • A description of the situation you are facing
  • Any forensic information you can share up front
  • Any indicators of compromise you’re already leveraging

Project Aspis is Talos’ next step to extend our efforts to protect our customers beyond their perimeter. Collaborations like this create the foundations necessary for quickly identifying and degrading large-scale threat actors, reduce the costs for hosting providers and protect our customers before a packet even reaches their network -- helping build a safer Internet for everyone.

Microsoft Patch Tuesday - October 2015

Microsoft's Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is fairly light with a total of 6 bulletins released addressing 33 vulnerabilities. Half of the bulletins are rated "Critical" and address vulnerabilities in Internet Explorer, JScript/VBScript, and the Windows Shell. The other half of the bulletins are rated "Important" and address vulnerabilities in Edge, Office, and the Windows Kernel.

Bulletins Rated Critical

MS15-106, MS15-108, are MS15-109 are rated Critical in this month's release.

MS15-106 is this month's Internet Explorer security bulletin for versions 7 through 11. In total, 14 vulnerabilities were addressed with most of them being memory corruption conditions that could allow arbitrary code execution. This bulletin also addresses 2 memory corruption flaws and 2 information disclosure flaw in the JScript/VBScript scripting engine for Internet Explorer versions 8 through 11 only. Users and organizations that currently use Internet Explorer 7 or who do not have Internet Explorer installed will need to install MS15-108 to address the vulnerabilities in the VBScript/JScript scripting engine.

Tuesday, October 6, 2015

Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomware Alone

This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.

Executive Summary

Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kit found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks ­ -- with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.

Cisco then took action:
  • Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
  • Released Snort rules to detect and block checks from the health checks
  • All rules are being released to the community through Snort
  • Publishing communications mechanisms including protocols so others can protect themselves and customers.
  • Cisco is also publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers
This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.

Watch Angler compromise a box and install ransomware at the end of the video.

Wednesday, September 30, 2015

Down the Rabbit Hole: Botnet Analysis for Non-Reverse Engineers

This post is authored by Earl Carter & Holger Unterbrink.

Overview

Talos is often tasked with mapping the backend network for a specific piece of malware. One approach is to first reverse engineer the sample and determine exactly how it operates. But what if there is no time or resources to take the sample apart? This post is going to show how to examine a botnet from the Fareit family, starting with just an IP address. Then, using sandbox communities like Cisco ThreatGRID and open source products like Gephi and VirusTotal, we will track down and visualize the botnet.

Talos recently discovered some activity from the Fareit trojan. This family of malware has a significant history associated with malware distribution. It is mainly an information stealer and malware downloader network which installs other malware on infected machines. In this campaign, it mainly tries to steal Firefox and other credentials. It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets. Pay-per-infection is an underground business model where criminals are paying other criminals to distribute their malware. The analysis below was mainly done in July 2015. Let’s take a walk on the wild side....

AMPs behaviour based detection found suspicious executables that downloaded files by using the following URLs in one of our customer networks.

http://89.144.2.119/cclub02.exe
http://89.144.2.115/cclub02.exe

We began analysing the infrastructure with focus on these two IP addresses and checked what other files they had been distributing. Initial analysis showed that VirusTotal found 25 and 38 files distributed from these two IP addresses. Almost all of the files in VirusTotal had different hashes, but similar or identical filenames. The following list is a sample of some of the files found in VirusTotal.

1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b (cclub02.exe)
58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0 (cclub02.exe)
d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399 (cclub02.exe)
c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3 (cclub12.exe)
bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63 (cclub12.exe)
c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765 (tarhun1.exe)

Wednesday, September 23, 2015

SYNful Knock Scanner

This post was authored by William McVey.

Update 2015-09-23: We updated the tool to version 1.0.1

Talos is constantly researching the ways in which threat actors are evolving to exploit systems. Recently, a piece of persistent malware coined as “SYNful Knock” was discovered on Cisco routers. While this malware attack is not a vulnerability, as it had to be installed by someone using valid credentials or who had physical access to the device, Cisco has published an Event Response Page for customers to provide the information needed to detect and remediate these types of attacks. We are also working with partners to identify compromised systems.

The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT worked with internal teams and customers to acquire copies of the malware. Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers answering the SYNful Knock malware.

Note: This tool can only detect hosts responding to the malware "knock" as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.

Tuesday, September 15, 2015

When Does Software Start Becoming Malware?

This post was authored by Earl Carter, Alex Chiu, Joel Esler, Geoff Serrao, and Brandon Stultz.

Defining what is malware relies on determining when undesirable behavior crosses the line from benign to clearly unwanted. The lack of a single standard regarding what is and what is not acceptable behavior has established a murky gray area and vendors have taken advantage of this to push the limits of acceptable behavior. The "Infinity Popup Toolkit" is a prime example of software that falls into this gray area by bypassing browser pop-up blocking, but otherwise exhibits no other unwanted behavior. After analyzing the toolkit, Talos determined that software exhibiting this type of unwanted behavior should be considered malware and this post will provide our reasoning.

Overview


Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware.

There is more to unwanted software than just browser toolbars or widgets. Suppose a piece of software exhibits the following characteristics. Would this be considered malware?

  • The user was not given a choice whether or not to execute this piece of software.
  • The software was designed to specifically bypass browser security and privacy controls using clickjacking techniques.
  • The software avoids detection by encrypting portions of its payload.
  • Extensive fingerprinting (browser, plugins, operating system, and device type) takes place and sent to a third party without user consent.

Tuesday, September 8, 2015

Vulnerability Spotlight: Microsoft Windows CDD Font Parsing KernelMemory Corruption

Discovered by Andrea Allievi and Piotr Bania of Cisco Talos.

Talos, in conjunction with Microsoft’s security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver. This vulnerability was initially discovered by the Talos and reported in accordance with responsible disclosure policies to Microsoft. Please see Talos's Microsoft Tuesday Blog for coverage information for this vulnerability. Read the full Talos Vulnerability Report via the talosintel.com portal here: TALOS-2015-0007

Details

A specially crafted font file can cause the Microsoft Windows CDD Font Parsing Kernel driver to corrupt internal memory structures. The DrvTextOut routine acquires and locks the associated device and behaves differently based on the surface type. If the type is a bitmap and the Windows DWM is on, the driver will read and write directly to the video frame buffer and calls EngTextOut, then exits. However, the driver behaves in an unexpected manner where a new background rect is generated mixing the "OpaqueRect" rectangle located in the sixth parameter and the rectangle located in the "pStringTextObj" object.


If the ClipObject describes a NON-Trivial clip, even the "rclBounds" of the clip object is merged to the background rectangle. The Font Object is parsed, and finally the routine decides if it should clip the background rect or not.


The final decision is based on the following check:

VulBlog1


Microsoft Patch Tuesday - September 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated "Critical" this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated "Important" and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.

Thursday, September 3, 2015

Cognitive Research: Learning Detectors of Malicious Network Traffic

This post was authored by Karel Bartos, Vojtech Franc, & Michal Sofka.

Malware is constantly evolving and changing. One way to identify malware is by analyzing the communication that the malware performs on the network. Using machine learning, these traffic patterns can be utilized to identify malicious software. Machine learning faces two obstacles: obtaining a sufficient training set of malicious and normal traffic and retraining the system as malware evolves. This post will analyze an approach that overcomes these obstacles by developing a detector that utilizes domains (easily obtained from domain black lists, security reports, and sandboxing analysis) to train the system which can then be used to analyze more detailed proxy logs using statistical and machine learning techniques.

The network traffic analysis relies on extracting communication patterns from HTTP proxy logs (flows) that are distinctive for malware. Behavioral techniques compute features from the proxy log fields and build a detector that generalizes to the particular malware family exhibiting the targeted behavior.

The statistical features calculated from flows of malware samples are used to train a classifier of malicious traffic. This way, the classifier generalizes the information present in the flows and features and learns to recognize a malware behavior. We use features describing URL structures (such as URL length, decomposition, or character distribution), number of bytes transferred from server to client and vice versa, user agent, HTTP status, MIME type, port, etc. In our experimental evaluation, we used 305 features in total for each flow.

Tuesday, August 25, 2015

Malware Meets SysAdmin - Automation Tools Gone Bad

This post was authored by Alex Chiu and Xabier Ugarte Pedrero.

Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments. This notable characteristic made this attack worthy of further analysis.

Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that's similar to normal administration activity. RATs allow adversaries to fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information. The use of AutoIT is potentially an extremely effective method of evading detection by traditional anti-virus technologies and remaining hidden on the system if it is used by the target to manage systems. The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention.

Another characteristic of this attack that was notable is how adversaries went to great lengths to spoof a phishing message that would appear credible to the user. In this attack, an actual business was impersonated, using the logo and physical address of the business, in order to appear legitimate. The bait in this case is a Microsoft Word document containing a macro that downloads and executes a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.

autoit-phish-doc
Figure 1: A screenshot of the Word document, demonstrating how adversaries impersonated a real company to trick the target.

Tuesday, August 18, 2015

Microsoft Internet Explorer Out of Band Advisory


Today an out of band advisory was released by Microsoft to address CVE-2015-2502. This vulnerability is addressed by MS15-093.

MS15-093 address a memory corruption vulnerability in Internet Explorer versions 7, 8, 9, 10, and 11. This affects all currently supported versions of Windows, including Windows 10.

This advisory is rated critical. An attacker can craft a web page designed to exploit this vulnerability and lure a user into visiting it.  The compromise will result in remote code execution at the permission level of the affected user. The use of proper user access controls can limit the severity of the compromise.

As with most out of band releases, it has been reported that this attack is being exploited in the wild. Users should patch immediately.

Thursday, August 13, 2015

Talos Identifies Multiple Memory Corruption Issues in Quicktime

Update 2015-08-21: This post has been updated to reflect an additional advisory released on August 20.

Talos, in conjunction with Apple’s security advisories issued on August 13 and August 20, has released six advisories for vulnerabilities that Talos found in Apple Quicktime. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been reported to Apple and CERT.  This post serves as a summary for the advisories being released in coordination with Apple and CERT.

Ryan Pentney and Richard Johnson of Talos are credited with the discovery of these vulnerabilities.

Tuesday, August 11, 2015

Microsoft Patch Tuesday - August 2015

Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins released which address 58 CVEs. Four bulletins are rated "Critical" this month and address vulnerabilities in Internet Explorer, Graphics Component, Office, and Edge. The other ten bulletins are rated "Important" and address vulnerabilities within Remote Desktop Protocol (RDP), Server Message Block (SMB), XML Core Services, Mount Manager, System Center Operations Manager, UDDI Services, Command Line, WebDAV, Windows, and the .NET Framework.

Saturday, August 8, 2015

Research Spotlight: Detecting Algorithmically Generated Domains

This post was authored by Mahdi Namazifar and Yuxi Pan

Once a piece of malware has been successfully installed on a vulnerable system one of the first orders of business is for the malware to reach out to the remote command-and-control (C&C) servers in order to receive further instructions, updates and/or to exfiltrate valuable user data. If the rendezvous points with the C&C servers are hardcoded in the malware the communication can be effectively cut off by blacklisting, which limits the malware’s further operation and the extent of their damage.

To avoid such static detection mechanisms recent attackers have been taking advantage of various Domain Generation Algorithms (DGA) in choosing and updating the domain names of their C&C servers. DGA embedded in the malware generate a large amount of pseudo-random domain names within a given period, most of which are nonexistent. With the same random seed, e.g. time of the day or most popular tweets of the day, the attackers can generate exactly the same list of domain names remotely, among which they will only register a few. The malware will contact some or all of the domains generated by the DGA, giving its opportunity to be able to connect to the C&C server. The sheer amount of nonexistent domains produced by the DGA on a daily basis presents a great burden for security specialists if blacklisting is still to be pursued.

Friday, July 31, 2015

Your Files Are Encrypted with a "Windows 10 Upgrade"

This post was authored by Nick Biasini with contributions from Craig Williams & Alex Chiu

Update 8/1: To see a video of this threat in action click here

Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event.

Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign.

win10_blacked_out


Friday, July 17, 2015

Vulnerability Spotlight: Total Commander FileInfo Plugin Denial of Service

Talos is releasing an advisory for multiple vulnerabilities that have been found within the Total Commander FileInfo Plugin. These vulnerabilities are local denial of service flaws and have been assigned CVE-2015-2869. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been disclosed to the plugin author(s) and CERT.  This post serves as a summary of the advisory.

Credit for these discoveries belongs to Marcin Noga of Talos.

TALOS-2015-024/CVE-2015-2869

An attacker who controls the content of a COFF Archive Library (.lib) file can can cause an out of bounds read by specifying overly large values for the 'Size' field of the Archive Member Header or the "Number Of Symbols" field in the 1st Linker Member. The second half of the vulnerability concerns an attacker who controls the content of a Linear Executable file can cause an out of bounds read by specifying overly large values for the "Resource Table Count" field of the LE Header or the "Object" field at offset 0x8 from a "Resource Table Entry". An attacker who successfully exploits this vulnerability can cause the Total Commander application to unexpectedly terminate.

These vulnerabilities has been tested against FileInfo 2.21 and FileInfo 2.22.

Product URL

http://www.totalcmd.net/plugring/fileinfo.html

Finding and disclosing zero-day vulnerabilities responsibly helps improve the overall security of the devices and software people use on a day-to-day basis.  Talos is committed to this effort via developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers. These developments help secure the platforms and software customers use and also help provide insight into how Cisco can improve its own processes to develop better products.

For further zero day or vulnerability reports and information visit:
http://talosintel.com/vulnerability-reports/

Tuesday, July 14, 2015

Microsoft Patch Tuesday – July 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 57 CVEs. Four of the bulletins are listed as Critical and address vulnerabilities in Windows Server Hyper-V, VBScript Scripting Engine, Remote Desktop Protocol (RDP) and Internet Explorer. The remaining ten bulletins are marked as Important and address vulnerabilities in SQL Server, Windows DCOM RPC, NETLOGON, Windows Graphic Component, Windows Kernel Mode Driver, Microsoft Office, Windows Installer, Windows, and OLE.

Wednesday, July 8, 2015

Ding! Your RAT has been delivered

This post was authored by Nick Biasini

Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn’t a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye keylogger for quite sometime.

Some interesting techniques in this campaign were used by the threat actor to bypass simplistic sandbox methods including use of sub folders, right to left override, and excessive process creation. This threat also had surprising longevity and ample variations, used over time, to help ensure the success of the attack.

What is DarkKomet?


dc_panel_controller

Tuesday, June 30, 2015

Vulnerability Spotlight: Apple Quicktime Corrupt stbl Atom Remote CodeExecution

This post was authored by Rich Johnson, William Largent, and Ryan Pentney. Earl Carter contributed to this post.

Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th,  is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.

There is a remote code execution vulnerability in Apple Quicktime (TALOS-2015-0018/CVE-2015-3667). An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.

There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. There is a 16-byte memory region, allocated near the beginning of the function, if the hdlr subtype field in an mdia atom is set to 'vide', this reference is passed to a set of two functions.

apple-qt-stbl-0

Wednesday, June 24, 2015

Hook, Line & Sinker: Catching Unsuspecting Users Off Guard

This post was authored by Earl Carter.

Attackers are constantly looking for ways to monetize their malicious activity. In many instances this involves targeting user data and accounts. Talos continues to see phishing attacks targeting customers of multiple high profile financial institutions.  In the past couple of months, we have observed phishing attacks against various financial customers including credit card companies, banks, credit unions, and insurance companies, as well as online businesses such as Paypal and Amazon. These phishing attacks have gone old-school in that they either attach an HTML document or include HTML data in the actual email to present the user with official looking pages that appear to be from the actual businesses being targeted.

Tuesday, June 16, 2015

Domain Shadowing Goes Nuclear: A Story in Failed Sophistication

This post was authored by Nick Biasini

Exploit Kits are constantly altering their techniques to compromise additional users while also evading detection. Talos sees various campaigns start and stop for different exploit kits all the time. Lately a lot of focus has been put on Angler, and rightly so since it has been innovating continually. Nuclear is another sophisticated exploit kit that is constantly active. However, over the last several weeks the activity had ramped down considerably to a small trickle. Starting several days ago that activity began ramping up again and Talos has uncovered some interesting findings during its analysis.

There are several large scale concurrent campaigns going on with Nuclear right now, but one in particular stood out. This campaign is using some familiar techniques borrowed from other exploit kits as well as a new layer of sophistication being added with mixed success. Attackers are always trying to work the balance of evasion and effectiveness trying to evade detection while still being effective in compromising systems. This is especially evident in those hacking for monetary gain in non-targeted attacks. Talos has found a Nuclear campaign using both Domain Shadowing and HTTP 302 cushioning prevalent in Angler. The biggest change is that it appears to be so sophisticated that it's not working properly.

Tuesday, June 9, 2015

Microsoft Patch Tuesday - June 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 8 bulletins being released which address 45 CVE. Two of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer and Windows Media Player. The remaining six bulletins are marked as Important and address vulnerabilities in Microsoft Office, Windows Kernel, Active Directory, Microsoft Exchange Server, and Microsoft Common Controls.

Friday, June 5, 2015

My Resume Protects All Your Files

This post was authored by Nick Biasini

Talos has found a new spam campaign that is using multiple layers of obfuscation to attempt to evade detection.  spammers are always evolving to get their messages to the end users by bypassing spam filters while still appearing convincing enough to get a user to complete the actions required to infect the system. The end payload for this campaign is Cryptowall 3.0. Talos has covered this threat repeatedly and this is another example of how the success of Ransomware has pushed it to one of the top threats we are seeing today. Whether its Exploit Kits or spam messages threat actors are pushing as many different variants of Ransomware as possible.

Email Details


The use of resume based spam isn’t anything new.  An analysis of our telemetry has found countless messages in the last 30 days related to Resumes. Threat actors have tried many different techniques associated with these messages including using password protected zip files, word documents with embedded macros, and malicious URLs redirecting back to a malicious sample. This threat combined a series of techniques to try and avoid detection that has been surprisingly successful against some products. Below is a sample of one of the emails that we saw in our telemetry.

Sample Email
Sample Email

Angler EK: More Obfuscation, Fake Extensions, and Other Nonsense

This post was authored by Nick Biasini

Late last week Talos researchers noticed a drastic uptick in Angler Exploit Kit activity. We have covered Angler previously, such as the discussion of domain shadowing. This exploit kit evolves on an almost constant basis. However, the recent activity caught our attention due to  a change to the URL structure of the landing pages. This type of change doesn’t occur often and was coupled with some other interesting tidbits including how the HTTP 302 cushioning has evolved and the payload of another ransomware has changed.

During research Talos identified several active Angler campaigns delivering different payloads via different methods.  The first campaign was delivering Cryptowall, which will be covered in detail here. The second delivered Bedep with click fraud and illustrates the variety with which Angler can be used to deliver different payloads.  The details of Bedep with click fraud has been covered thoroughly and will not be specifically discussed in this article.

Wednesday, May 20, 2015

Little Links, Big Headaches

This post was authored by Earl CarterJaeson Schultz.

Talos is always fascinated by the endless creativity of those who send spam. Miscreants who automate sending spam using botnets are of particular interest. Talos has been tracking a spam botnet that over the past several months that has been spamming weight loss products, male erectile dysfunction medication, and dating/casual sex websites.  These are all typical products one would expect to be purveyed through spam. What interests us about this spam are some of the ways the spam is constructed to try and evade detection (a.k.a. spam filters).

Beginning in March, Talos noted an absolute explosion in the usage of link shortening services in spam. After looking into the cause we found botnet ‘unknown2250’, as it is called by the Composite Block List (CBL), to be one of the primary parties responsible for this massive increase.

Click For Larger Image
Click for Larger Image


Tuesday, May 12, 2015

Microsoft Patch Tuesday - May 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 13 bulletins being released which address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal.  The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, Sharepoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.

Monday, May 4, 2015

Threat Spotlight: Rombertik - Gazing Past the Smoke, Mirrors, and Trap Doors

This post was authored by Ben Baker and Alex Chiu.

Executive Summary


Threat actors and security researchers are constantly looking for ways to better detect and evade each other.  As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples.  Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.

It becomes critical for researchers to reverse engineer evasive samples to find out how attackers are attempting to evade analysis tools. It is also important for researchers to communicate how the threat landscape is evolving to ensure that these same tools remain effective. A recent example of these behaviors is a malware sample Talos has identified as Rombertik. In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record (MBR).

Talos’ goal is to protect our customer’s networks.  Reverse engineering Romberik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult. Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams.  This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers.

Monday, April 27, 2015

Threat Spotlight: TeslaCrypt - Decrypt It Yourself

This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau

Update 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008

Update 5/8: We've made the source code available via Github here

After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.

TeslaCrypt-1


Sunday, April 19, 2015

Threat Spotlight: Upatre - Say No to Drones, Say Yes to Malware

This post was authored by Nick Biasini and Joel Esler

Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days.  While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.

Execution


When Upatre is executed, a PDF document is quickly downloaded and displayed while Upatre is delivered in the background. The document displayed has been either one of two PDFs.  The first PDF, which was used until March 17, contained some information about Viagra:

Figure 1: Sexual Dysfunction, what’s your function?
Figure 1: Sexual Dysfunction, what’s your function?


Tuesday, April 14, 2015

Microsoft Patch Tuesday for April 2015: 11 Bulletins Released

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 11 bulletins being released which address 26 CVEs.  The first 4 bulletins are rated Critical and address vulnerabilities within Internet Explorer, Office, IIS, and Graphics Component. The remaining 7 bulletins are rated Important and cover vulnerabilities within SharePoint, Task Scheduler, Windows, XML Core Services, Active Directory, .NET, and Hyper-V.

Thursday, April 9, 2015

Threat Spotlight: SSHPsychos

This post was authored by Nick Biasini, Matt Olney, & Craig Williams


Isolate_Image_Export


Introduction


Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.

Graphic Showing SSH Psychos SSH Traffic vs Rest of Internet (Green)

Monday, April 6, 2015

Threat Spotlight: Spam Served With a Side of Dridex

This post was authored by Nick Biasini with contributions from Kevin Brooks.

Overview


The use of macro enabled word documents has exploded over the last year, a primary example payload being Dridex. Last week, Talos researchers identified another short lived spam campaign that was delivering a new variant of Dridex. This particular campaign lasted less than five hours and was successful at mutating the subject and attachments to avoid detection. The five hour campaign actually consisted of two separate emails that both had malicious word documents as attachments. A sample of the two different subject lines are shown below.
Campaign One Subject:
Debit Note [97994] information attached to this email
Campaign Two Subject:
48142 - Your Latest Documents from RS Components 822379272
*Note: Italicized text used to identify mutating portions of email subject
 
Both campaigns centered on invoices being sent as word document attachments. Not only did the attackers use different subjects for every email they also rarely reused an attachment name. Less than five percent of the emails observed contained re-used attachment names.

Thursday, April 2, 2015

Research Spotlight: FreeSentry Mitigating use-after-free Vulnerabilities

This post was authored by Earl Carter & Yves Younan.

Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows. Today, Talos is releasing FreeSentry, a mitigation for use-after-free vulnerabilities.

FreeSentry works as a plugin for LLVM with an associated runtime library that tracks pointers when they are set to objects and invalidates them when the memory associated with that object is freed. Our initial approach was published at the 2015 Network and Distributed System Security (NDSS) Symposium in February. The paper can be downloaded here. At CanSecWest 2015, Yves Younan of Talos presented an enhanced version of FreeSentry which included further developments, such as porting the original mitigation from C Intermediate Language (CIL) to LLVM. The CanSecWest slides are available here. Note that the LLVM performance numbers in the CanSecWest presentation were preliminary numbers, and have been updated for this post.

Wednesday, April 1, 2015

Research Spotlight: Project FTR


Intro


Historically, networks have always been at risk for new, undiscovered threats. The risk of state sponsored hackers or criminal organizations utilizing 0-day was a constant, and the best defense was simply to keep adding on technologies to maximize the odds of detecting the new threat - like adding more locks to the door if you will. Here at Cisco Talos we’re constantly pushing the envelope. Recently after some thinking juice we started brainstorming ways to better address the constant threat of attacker utilizing unknown 0-day. Today, we’re happy to inform our customer base about our new inspection technology code name project Faster Than Realtime, or FTR. Project FTR is the next generation of detection technology, that which will truly revolutionize the industry.

Project FTR


To mitigate the ever-growing threat of new and unknown attacks we simply decided to add a few options to our existing inspection infrastructure. Snort's new Quantum Pre-Detection (QPD) leverages Predictive Attack Detection (PAD) by putting packets into an Ethereally-Buffered Capture (EBC) file.  Snort then reads the .ebc via PAD so that QPD can tell you that you are under attack before you're even under attack.

Monday, March 30, 2015

Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA

This post was authored by Alex Chiu & Angel Villegas.

Overview


Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications.  In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers.  While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data.  As a result, banking malware has become a prevalent category of malware that poses a major threat to users and organizations of all sizes.  One of the more well known examples of banking malware is Zeus.
Table of Contents

Overview
Technical Analysis
Domain Generation Algorithm
Other Thoughts
Conclusion
Appendix

Banking malware typically operates by redirecting users to malicious phishing sites where victim’s input their banking credentials thinking they are logging into their bank’s website.  Banking malware can also operate more stealthily by hooking into a browser’s functionality, capturing the victim’s credentials as they are typed in, and exfiltrating them.  Once an attacker has a victim’s banking credentials, attackers can then sell it or use it to perform illicit transactions (such as transferring funds to another account on behalf of the victim).

Tuesday, March 24, 2015

Threat Spotlight: The Imperiosus Curse --A Tool of the Dark Arts

Authors: William Largent, Jaeson Schultz, Craig Williams. Special thanks to Richard Harman for his contributions to this post.

As consumers, we are constantly bombarded by advertising, especially on the World Wide Web. There is a lot of money to be made either pushing Internet traffic, or displaying ads to consumers. Total annual Internet advertising revenue from 2013 was over US $117bn, and will approach US $200bn by the year 2018. The online advertising industry field is already awash with many players, each clamoring for a piece of the Internet advertising pie. In fact, so many ad impressions are bought and sold daily, that it’s nearly impossible to keep track of who is buying and selling what.

On one side of the online advertising spectrum are publishers. These are domains that receive Internet traffic and make money by displaying advertisements. On the other side of the spectrum we find advertisers who wish to sell products. And in the middle are ad-networks/ad-exchanges: marketplaces where publishers and advertisers can come together to wheel-and-deal on ad impressions. The astonishingly large number of online advertising industry middlemen between buyers and sellers creates terrific opportunities for bad actors to hide. The result is malware delivered through the online advertising ecosystem, A.K.A. “malvertising”.

How “bad guys” view the online ad industry.

How do malicious ads actually make it to end users? In our attempt to answer that question, Talos has uncovered a piece of Internet malvertising infrastructure that is both highly robust, and highly anonymized. It has been an Internet fixture for almost a sesquidecade, with redirection domains operating since early 2001. This infrastructure was designed specifically to focus Internet traffic towards advertising endpoints, unfortunately with little regard paid to legitimacy of the final destination.

Friday, March 20, 2015

Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware

This post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, and Alain Zidouemba


Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research Group to identify known and unknown threats, quantify and prioritize risk, and minimize future risk.

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

image14

Overview


There is a new malware family targeting PoS systems, infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale. This new malware family, that we’ve nicknamed PoSeidon, has a few components to it, as illustrated by the diagram below:

PoSeidonimage10

At a high level, it starts with a Loader binary that upon being executed will first try to maintain persistence on the target machine in order to survive a possible system reboot. The Loader then contacts a command and control server, retrieving a URL which contains another binary to download and execute. The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers. Upon verifying that the numbers are in fact credit card numbers, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Tuesday, March 17, 2015

Research Spotlight: Exploiting Use-After-Free Vulnerabilities

This blog post was authored by Earl Carter & Yves Younan.

Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Yves Younan of Talos will be presenting at CanSecWest on Friday March 20th. The topic of his talk will be FreeSentry, a software-based mitigation technique developed by Talos to protect against exploitation of use-after-free vulnerabilities. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows.

Thursday, March 12, 2015

Talos Discovery Spotlight: Hundreds of Thousands of Google AppsDomains’ Private WHOIS Information Disclosed

This post was authored by Nick Biasini, Alex Chiu, Jaeson Schultz, and Craig Williams. Special thanks to William McVey for his contributions to this post.

Overview


In mid-2013, a problem occurred that slowly began unmasking the hidden registration information for owners' domains that had opted into WHOIS privacy protection. These domains all appear to be registered via Google App [1], using eNom as a registrar. At the time of writing this blog, there are 305,925 domains registered via Google’s partnership with eNom. 282,867 domains, or roughly 94% appear have been affected [2]. (Google reports that new domains which have not faced a renewal period are not affected and many businesses do not opt into their privacy service.) The information disclosed included full names, addresses, phone numbers, and email addresses for each domain. The information was leaked in the form of WHOIS records.


The graphic above illustrates the drastic shift in domains utilizing privacy protection (dark green) to those with WHOIS information exposed (light green). At its peak at least 90% of the domains registered were utilizing privacy protection which plummeted to less than 1%. The grey circle indicates the initial shift occurring. The arrow notes when resolution had occurred.
The graphic above illustrates the drastic shift in domains utilizing privacy protection (dark green) to those with WHOIS information exposed (light green). At its peak at least 90% of the domains registered were utilizing privacy protection which plummeted to less than 1%. The grey circle indicates the initial shift occurring. The arrow notes when resolution had occurred.

Tuesday, March 10, 2015

Microsoft Patch Tuesday for March 2015: 14 Bulletins Released; FREAK Patched

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 14 bulletins being released which address 45 CVEs.  The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are rated important and cover vulnerabilities within Windows Kernel Mode Drivers, Exchange, Task Scheduler, Remote Desktop, SChannel, and the Microsoft Graphics component.

Tuesday, March 3, 2015

Threat Spotlight: Angler Lurking in the Domain Shadows

This post was authored by Nick Biasini and edited by Joel Esler.

Overview


Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit Kit with fileless exploits serving various malicious payloads.

The use of hijacked accounts lead to a larger research project into the use of hijacked registrant accounts. During this research the earliest examples were found from a 2011 campaign with sporadic usage until December 2014. Since December 2014 more than 75% of the subdomain activity has occurred indicating a major shift in approach. This behavior has been covered before which discussed some of the older campaigns as well as the hosting indicators (ASN) of the groups making use of the subdomains.

Monday, March 2, 2015

Talos is Hiring

If you’re an experienced malware reverse engineer, exploit developer, response specialist, intel analyst, or looking to start your career in security, Talos might be the place for you.  We have a number of positions open in Columbia, Maryland; Austin, Texas; San Jose, California; and San Francisco, California.  If you are open to relocation to one of those areas, have the right skills, and share some of our beliefs below then applying for one of our numerous positions might be for you.

For those not familiar with Talos, it is Cisco’s premier Threat Intelligence organization that supports all of Cisco’s security portfolio.  Detecting and preventing threats that target Cisco customers is our job, and given Cisco’s security footprint and breadth of product portfolio we can engage those threats from Cloud to Core.

It does however, take a special type of individual to join Talos, so give the list below a look and see if your beliefs match up with our distinctive culture.

Wednesday, February 25, 2015

Malicious PNGs: What You See Is Not All You Get!

This post was authored by Earl Carter and Nick Randolph.

Threat actors are continually evolving their techniques. One of the latest Graftor variants is delivering a Malware DLL via a PNG file delivery mechanism. Graftor basically indicates some type of trojan hiding in a piece of software. Hiding executables and DLLs in PNG files is yet another attempt to avoid detection and deliver malicious content to user systems. In this instance, the malicious content is placed at the end of the real PNG file data.

Wednesday, February 18, 2015

Tax Time: Let the Phishing Begin

This post was authored by Earl Carter and Craig Williams.

With the April 15th US tax deadline only about 2 months away, a new wave of tax related phishing is underway. In this latest spear-phishing campaign, attackers are attempting to gain access to your system so that they can steal your banking and other online credentials. An interesting twist to this latest campaign is that they seem to be specifically targeting high level security professionals and CTOs in technical companies.

On Tuesday, Talos noticed the beginning of a phishing campaign in our telemetry data. The subject of the emails all revolve around payment confirmation or Federal taxes. Some of the common subjects include:
Payment Confirmation
Federal tax payment received
Federal TAX payment
Payment Service

Equation Coverage

Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th the following rules (33543 - 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect the Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on Snort.org. Talos security researchers have also added the associated IPs, Domains, URLs, and hashes to all Cisco security devices to provide immediate protection across the network. Talos will continue to monitor public information as well as continue to independently research to provide coverage to this malware family.

coveragetable
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

While email has not been observed as an attack vector, ESA is capable of blocking the malware used in this campaign.

Thursday, February 12, 2015

Bad Browser Plug-ins Gone Wild: Malvertising, Data Exfiltration, andMalware, Oh my!

This post was authored by Fred ConcklinWilliam Largent,  Martin Rehak,  Michal Svoboda, and Veronica Valeros.

During an average day of surfing the web via computer, smartphones, and tablets, we are constantly deluged by advertising. Total annual Internet advertising revenue will approach $200bn by the year 2018, making it an extremely lucrative business and in turn an attractive attack vector known as malvertising.

Tuesday, February 10, 2015

Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed

Microsoft’s Patch Tuesday for February 2015 has arrived.  This month’s round of security updates is large with Microsoft releasing 9 bulletins addressing 56 CVEs.  3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy.  The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group Policy, and System Center Manager.

Monday, February 9, 2015

Cryptowall 3.0: Back to the Basics

This post was authored by Andrea Allievi  & Earl Carter

Ransomware continues to impact a large number of organizations and the malware continues to evolve. In January, we examined Cryptowall 2.0 and highlighted new features incorporated into the dropper and Cryptowall binary. When Cryptowall 3.0 appeared, we were interested in seeing what new functionality was incorporated into this latest variant in the Cryptowall series.

The latest 3.0 sample that we analyzed was in a zip file. This zip file contains multiple dropper files which are essentially identical in functionality except for the encryption algorithm used to obfuscate the dropper and eventually build the Cryptowall 3.0 binary.

Tuesday, February 3, 2015

Angler Exploit Kit - New Variants

This post was authored by Nick Biasini

On January 27th,  Talos researchers began observing a new Angler Exploit Kit (EK) campaign using new variants associated with (CVE-2015-0311). Based on our telemetry data the campaign lasted from January 26th until January 30th with the majority of the events occurring on January 28th & 29th.

angler_dates

Wednesday, January 28, 2015

CVE-2015-0235: A GHOST in the Machine

This post was authored by Nick BiasiniEarl Carter, Alex Chiu and Jaeson Schultz

On Tuesday January 27, 2015, security researchers from Qualys published information concerning a 0-day vulnerability in the GNU C library. The vulnerability, known as “GHOST” (a.k.a. CVE-2015-0235), is a buffer overflow in the __nss_hostname_digits_dots() function. As a proof-of-concept, Qualys has detailed a remote exploit for the Exim mail server that bypasses all existing protections, and results in arbitrary command execution. Qualys intends to release the exploit as a Metasploit module.

CVE-2015-0235 affects the functions gethostbyname() and gethostbyname2() --functions originally used to resolve a hostname to an IP address. However, these functions have been deprecated for approximately fifteen years, largely because of their lack of support for IPv6.  The superseding function is getaddrinfo() which does support IPv6 and is not affected by this buffer overflow. Programs that still utilize the deprecated gethostbyname() and gethostbyname2() functions may potentially be affected by GHOST.

Friday, January 23, 2015

Flash 0-day Exploited by Angler Exploit Kit

This post was authored by Nick Biasini, Earl Carter and Jaeson Schultz

Flash has long been a favorite target among Exploit Kits (EK). In October 2014 the Angler EK was believed to be targeting a new Flash vulnerability. The bug that the Angler exploit kit was attempting to exploit had been “accidentally” patched by Adobe’s APSB14-22 update. According to F-Secure, the vulnerability that Angler was actually attempting to exploit was an entirely new bug, CVE-2014-8439. The bug was severe enough that Adobe fixed it out-of-band.

Fast forward to January 2015. With the emergence of this new Flash 0-day bug, we have more evidence that the Angler Exploit Kit developers are actively working on discovering fresh bugs in Flash for themselves. The group is incorporating these exploits into the Angler EK *before* the bugs are publicized. Considering these 0-day exploits are being used alongside one of Angler’s preferred methods of distribution, malvertising, thus intensifying the potential for large-scale compromise.

Tuesday, January 13, 2015

Microsoft Update Tuesday January 2015: Another Light Month, No IE Bulletins, More Changes to Reporting

This post was written by Yves Younan.

Microsoft’s first Update Tuesday of 2015 is pretty light, there’s a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were publicly disclosed prior to today, while another one was being actively exploited by attackers.

Microsoft made a number of changes to Update Tuesday last month, such as dropping deployment priority in favor of their exploitability index (XI). This month more changes were made to the program: Microsoft is no longer providing their Advance Notification Service (ANS) to the general public, but is instead only providing it to premier customers.

Tuesday, January 6, 2015

Ransomware on Steroids: Cryptowall 2.0

This post was authored by Andrea Allievi and Earl Carter.

Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switch the processor execution context from 32 bit to 64 bit.