Thursday, October 29, 2015

Domains of the Living Dead

According to the Centers for Disease Control and Prevention (CDC), “If you’re ready for a zombie apocalypse, then you’re ready for any emergency.” While events haven’t yet risen to the level of “zombie apocalypse”, computer attackers are continuing to use their voodoo to zombify Internet domains, and repurpose them for their own heinous crimes.

Image from the CDC’s Zombie Apocalypse preparedness site

Wednesday, October 21, 2015

Cisco Identifies Multiple Vulnerabilities in Network Time Protocol daemon (ntpd)

Cisco is committed to improving the overall security of the products and services our customers rely on. As part of this commitment, Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock.

In April 2014, the Linux Foundation spearheaded the creation of the Core Infrastructure Initiative in response to the disclosure of Heartbleed with the goal of securing open source projects that are widely used on the internet. As a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. ntpd is a widely deployed software package used to synchronize time between hosts. ntpd ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.

Today, in coordination with the NTP Project, Cisco is releasing 8 advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco. These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of ntpd. The following serves as a summary for all the advisories being released. For the full advisories, readers should visit the Vulnerability Reports page on the Talos website.

Tuesday, October 20, 2015

Dangerous Clipboard: Analysis of the MS15-072 Patch

This post was authored by Marcin Noga with contributions from Jaeson Schultz.

Have you ever thought about how security researchers take a patch that has been released, and then reverse it to find the underlying security issue? Well, back in July Microsoft released security bulletin MS15-072, titled "Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392)". According to Microsoft, this vulnerability "could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions." Talos decided to have a deeper look at this vulnerability in order to better understand it, and this post describes the details of this process so that our readers may gain a better understanding of how this is done.

Table of Contents

  1. Diffing
  2. GdiConvertBitmapV5 analysis
  3. What does the RtlAllocateHeap "size" value consist of?
  4. Places where buffer overflow /writeAV can appear
  5. Proof of Concept (PoC)
  6. Crash analysis
  7. Where is this API called?
  8. Potential attack scenarios
  9. Summary

Tuesday, October 13, 2015

Project Aspis
One of the hardest jobs on the Internet is to work the abuse desk at a hosting provider.  These teams have to strike a difficult balance between protecting their customers, ensuring that their services aren’t being abused by malicious actors and delivering the service and convenience their customers expect.  They don’t get near enough credit for their work.

Recently, Talos had the privilege to work with the abuse team from Limestone Networks.  In the course of our joint investigation, we learned that Limestone Networks had been working against the same actor abusing their services for months.  Based on our findings, this actor was costing them approximately $10,000 a month in fraudulent charges plus wasted engineering time and the overhead of managing the abuse tickets this actor was causing.  By working together, Talos and Limestone Networks were able to make their network a difficult one for the actor to work in by rapidly identifying and terminating the systems they were trying to use.  As a result, the actor moved off of their network.

The results of this experience were so positive, both for Limestone Networks and Talos, that today Talos is announcing Project Aspis.

What is Project Aspis?
Provided by Talos, Project Aspis assists hosting providers, in certain situations, who are dealing with malicious actors who are persistent in their environment and a threat to others on the Internet.

How does it work?
Working together with the hosting provider -- at no cost -- Talos will share its expertise, resources and capabilities.  This includes network and systems forensics, reverse engineering, threat intelligence sharing and, in the right circumstances, even a dedicated research engineer to work with.  This collaboration will help the hosting provider maintain a safe and cost-effective environment and assist Talos in its mission of pissing off the bad guys.

What to do if you’re affected?
Any hosting provider can request our help by emailing [email protected].  In the email, please include the following information:

  • Dedicated point of contact with email and phone
  • A description of the situation you are facing
  • Any forensic information you can share up front
  • Any indicators of compromise you’re already leveraging

Project Aspis is Talos’ next step to extend our efforts to protect our customers beyond their perimeter. Collaborations like this create the foundations necessary for quickly identifying and degrading large-scale threat actors, reduce the costs for hosting providers and protect our customers before a packet even reaches their network -- helping build a safer Internet for everyone.

Microsoft Patch Tuesday - October 2015

Microsoft's Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is fairly light with a total of 6 bulletins released addressing 33 vulnerabilities. Half of the bulletins are rated "Critical" and address vulnerabilities in Internet Explorer, JScript/VBScript, and the Windows Shell. The other half of the bulletins are rated "Important" and address vulnerabilities in Edge, Office, and the Windows Kernel.

Bulletins Rated Critical

MS15-106, MS15-108, and MS15-109 are rated Critical in this month's release.

MS15-106 is this month's Internet Explorer security bulletin for versions 7 through 11. In total, 14 vulnerabilities were addressed, most of them memory corruption conditions that could allow arbitrary code execution. This bulletin also addresses 2 memory corruption flaws and 2 information disclosure flaws in the JScript/VBScript scripting engine for Internet Explorer versions 8 through 11 only. Users and organizations that currently use Internet Explorer 7 or who do not have Internet Explorer installed will need to install MS15-108 to address the vulnerabilities in the VBScript/JScript scripting engine.

Tuesday, October 6, 2015

Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomware Alone

This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.

Executive Summary

Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks -- with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.

Cisco then took action:
  • Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
  • Releasing Snort rules to detect and block the health checks sent to the Angler proxy servers.
  • Releasing all rules to the community through Snort.
  • Publishing communications mechanisms, including protocols, so others can protect themselves and their customers.
  • Publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers.

This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.

Watch Angler compromise a box and install ransomware at the end of the video.