Friday, July 21, 2017

Threat Round-up for July 14 - July 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 14 and July 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 20, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in CorelDRAW X8


Today, Talos is disclosing several vulnerabilities that have been identified in CorelDRAW X8. CorelDRAW X8 is graphics suite used for manipulating raster and vector images and is a common alternative to Adobe Creative Cloud. Several of the vulnerabilities being disclosed today specifically affect PHOTO-PAINT X8, a raster graphics editor. Talos has responsibly disclosed this vulnerability to Corel. Corel has made a software update that addresses this vulnerability available for download.

Wednesday, July 19, 2017

Vulnerabilities in ProcessMaker, WebFOCUS, and OpenFire Identified and Patched

Today, Talos is disclosing several vulnerabilities that have been identified by Portcullis in various software products. All four vulnerabilities have been responsibly disclosed to each respective developer in order ensure they are addressed. In order better protect our customers, Talos has also developed Snort rules that detect attempts to exploit these vulnerabilities.

Vulnerability Details

TALOS-2017-0313 (CVE-2016-9048) ProcessMaker Enterprise Core Multiple SQL Injection Vulnerabilities

TALOS-2017-0313 was identified by Jerzy Kramarz of Portcullis.

TALOS-2017-0313 encompasses multiple SQL injection vulnerabilities in ProcessMarker Enterprise Core 3.0.1.7-community. These vulnerabilities manifest as a result of improperly sanitizing input received in web requests. An attacker who transmits a specifically crafted web request to an affected server with parameters containing SQL injection attacks could trigger this vulnerability. This could allow exfiltration of the database information, user credentials, and in certain configuration access the underlying operating system.

Unravelling .NET with the Help of WinDBG

This blog was authored by Paul Rascagneres and Warren Mercer.

Introduction


.NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform.

Analysis tools such as ILSpy help researchers decompile code from applications, but cannot be used to automate the analysis of many samples. In this article we will examine how to use WinDBG to analyse .NET applications using the SOS extension provided by Microsoft.

This article describes:
  • How to analyse PowerShell scripts by inserting a breakpoint in the .NET API.
  • How to easily create a script to automatically unpack .NET samples following analysis of the packer logic.

Additionally, you can download a Python script (based on the WinDBG pykd extension) on our github to automate analysis of .NET. This script will be described in the article too.

Monday, July 17, 2017

PyREBox, a Python Scriptable Reverse Engineering Sandbox

This post was authored by Xabier Ugarte Pedrero


In Talos, we are continuously trying to improve our research and threat intelligence capabilities. As a consequence, we not only leverage standard tools for analysis, but we also focus our efforts on innovation, developing our own technology to overcome new challenges. Also, Talos has traditionally supported open-source projects, and has open-sourced many different projects and tools that are currently used as part of our workflow like FIRST and BASS

In this blogpost we present PyREBox, our Python scriptable Reverse Engineering sandbox. PyREBox is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows to inspect a running QEMU VM, modify its memory or registers, and to instrument its execution with simple Python scripts. QEMU (when working as a whole-system-emulator) emulates a complete system (CPU, memory, devices...). By using Virtual Machine Introspection (VMI) techniques, it does not require to perform any modification into the guest operating system, as it transparently retrieves information from its memory at run-time.

Several academic projects such as DECAF, PANDA, S2E, or AVATAR, have previously leveraged QEMU based instrumentation for reverse engineering tasks. These projects allow to write plugins in C/C++, and implement several advanced features such as dynamic taint analysis, symbolic execution, or even record and replay of execution traces. With PyREBox, we aim to apply this technology focusing on keeping the design simple, and on the usability of the system for threat analysts.

Memcached - A Story of Failed Patching & Vulnerable Servers

This blog authored by Aleksandar Nikolich and David Maynor with contributions from Nick Biasini

Memcached - Not secure, Not Patched Fast Enough

 

Recently high profile vulnerabilities in systems were used to unleash several global ransomware attacks that greatly impacted organizations. These types of vulnerabilities were previously patched and could have been addressed by organizations before the attacks commenced. This is just the latest example in a long line of threats that are successful in large part because of the inability for patches to be applied in a timely and effective manner. In late 2016 Talos disclosed a series of vulnerabilities in a software platform called Memcached. After releasing the vulnerabilities Talos has been monitoring the amount of systems that were vulnerable as well as the rate at which they have been patched. This blog will give a quick overview of the vulnerabilities and discuss the unfortunate findings of the Internet wide scans that we have been conducting over the last six months.

Tuesday, July 11, 2017

Microsoft Patch Tuesday - July 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 54 vulnerabilities with 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework,  Internet Explorer, Office,  and Windows.

Vulnerability Spotlight: Iceni Infix PDF Editor Memory Corruption

Today, Talos is disclosing a vulnerability that has been identified in Iceni Infix PDF Editor that could lead to arbitrary code execution on affected hosts. This vulnerability manifests in a way that could be exploited if a user opens a specifically crafted PDF file that triggers this flaw. Talos has coordinated with Iceni to ensure relevant details regarding the vulnerability have been shared. Iceni has developed a software update that addresses this vulnerability. In addition, Talos has developed Snort Rules that can detect attempts to exploit this flaw.

Friday, July 7, 2017

Attack on Critical Infrastructure Leverages Template Injection


Contributors:  Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall 


Executive Summary


Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer.

Threat Round-up for June 30 - July 07

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 07. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: TALOS-2017-0311,0319,0321 - Multiple Remote Code Execution Vulnerability in Poppler PDF library

Vulnerability discovered by Marcin Noga, Lilith Wyatt and Aleksandar Nikolic of Cisco Talos.

Overview

Talos has discovered multiple vulnerabilities in the freedesktop.org Poppler PDF library. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted PDF document and the victim opens it, the attackers code will be executed with the privileges of the local user.

Thursday, July 6, 2017

New KONNI Campaign References North Korean Missile Capabilities

This blog was authored by Paul Rascagneres

Executive Summary


We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes:
  • A new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency in Korea;
  • The dropper includes a 64 bit version of KONNI;
  • A new CC infrastructure consisting of a climbing club website.
North Korea conducted a test missile launch on 3rd July. This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology. This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea.

Wednesday, July 5, 2017

The MeDoc Connection

This Post Authored by David Maynor, Aleksandar Nikolic, Matt Olney, and Yves Younan

Summary

The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.

Friday, June 30, 2017

Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities

Vulnerabilities discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

Overview


Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.

Tuesday, June 27, 2017

New Ransomware Variant "Nyetya" Compromises Systems Worldwide

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

Update 2017-07-06 12:30 EDT: Updated to explain the modified DoublePulsar backdoor.

Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in SMBv1 and spread like wildfire across the Internet.

Today a new malware variant has surfaced that is distinct enough from Petya that people have referred to it by various names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. This behavior is detailed later in the blog under "Malware Functionality". Unlike WannaCry, Nyetya does not appear to contain an external scanning component.

The identification of the initial vector is still under investigation. We have observed no use of email or Office documents as a delivery mechanism for this malware. We believe that infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.

Given the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated. Talos strongly recommends users and organizations decline to pay the ransom. Any attempts to obtain a decryption key will be fruitless as the associated mailbox used for payment verification and decryption key sharing has been shut down by the posteo.de. This renders any successful payment as useless as there is no method of communication available for this actor to use to verify payments from victims or distribute decryption keys once ransom payments have been received. There is also no method used by the malware to directly connect to command and control for remote unlocking.

Friday, June 23, 2017

Threat Round-up for June 16 - June 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, June 22, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in InsideSecure MatrixSSL

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos

Overview


MatrixSSL is a TLS/SSL stack offered in the form of a Software Development Kit (SDK) that is geared towards application in Internet of Things (IOT) devices and other embedded systems. It features low resource overhead and supports many different embedded platforms. It also features FIPS 140-2 compliant cryptography making it suitable for use in high security environments. Talos recently discovered multiple vulnerabilities in MatrixSSL version 3.8.7b including two remote code execution (RCE) vulnerabilities as well as an information disclosure vulnerability.

Wednesday, June 21, 2017

Player 1 Limps Back Into the Ring - Hello again, Locky!

This post was authored by Alex Chiu, Warren Mercer, and Jaeson SchultzSean Baird and Matthew Molyett contributed to this post.


Back in May, the Necurs spam botnet jettisoned Locky ransomware in favor of the new Jaff ransomware variant. However, earlier this month Kaspersky discovered a vulnerability within Jaff which allowed them to create a decryptor. This turn of events seems to have caused the miscreants behind Necurs to scramble to distribute a different ransomware payload. Falling back on their old tricks, they have selected to re-distribute Locky ransomware. The malware is being transmitted via email using an .exe file encapsulated within two compressed .zip archives.

The Spam Campaign

The spam that is distributing this ransomware campaign is not significantly different from other ransomware spam campaigns that we have seen from Necurs. Ransomware-oriented spam campaigns from Necurs typically involve order confirmations, payment receipts, business documents, and so on -- all with the common goal of social engineering victims into opening the attachment. The messages Talos observed in this particular campaign are disguised as fake invoices.
An example spam message propagating Locky ransomware

Tuesday, June 20, 2017

Talos Targets Disinformation with Fake News Challenge Victory

This post was authored by Sean Baird with contributions by Doug Sibley and Yuxi Pan

Executive Summary


For the past several months, the problem of “fake news” has been abuzz in news headlines, tweets, and social media posts across the web. With historical roots in information warfare and disinformation, “fake news” is a different kind of cyber-threat affecting people all around the globe. Using advanced machine learning and artificial intelligence technology, Talos researchers set their sights on this different kind of cyber-threat and beat out over 80 registered teams worldwide to claim first place in the Fake News Challenge.


Monday, June 19, 2017

Delphi Used To Score Against Palestine

This blog was authored by Paul Rascagneres and Warren Mercer with contributions from Emmanuel TacheauVanja Svajcer and Martin Lee.

Executive Summary


Talos continuously monitors malicious emails campaigns. We identified one specific spear phishing campaign launched against targets within Palestine, and specifically against Palestinian law enforcement agencies. This campaign started in April 2017, using a spear phishing campaign to deliver the MICROPSIA payload in order to remotely control infected systems. Although this technique is not new, it remains an effective technique for attackers.

The malware itself was developed in Delphi; in this article, we describe the features and the network communication to the command and control server used by the attackers. The threat actor has chosen to reference TV show characters and include German language words within the attack. Most significantly, the attacker has appeared to have used genuine documents stolen from Palestinian sources as well as a controversial music video as part of the attack.


Vulnerability Spotlight: Multiple Foscam C1 Vulnerabilities Come in to Focus

Executive Summary

The Foscam C1 is a webcam that is marketed for use in a variety of applications including home security monitoring. As an indoor webcam, it is designed to be set up inside of a building and features the ability to be accessed remotely via a web interface or from within a mobile application. Talos recently identified several vulnerabilities in the Foscam C1 camera that could be used by attackers for a variety of purposes including access and retrieval of sensitive information stored on the camera, execution of arbitrary commands within the camera's operating system, and in several cases, completely compromise the device. As these cameras are commonly deployed in sensitive locations and used as baby monitors, security cameras, etc. it is recommended that affected devices be updated as quickly as possible to ensure that they are no longer vulnerable.

In accordance with our responsible disclosure policy, Talos has worked with Foscam to resolve these issues, which has resulted in the release of a firmware update addressing them.

Vulnerability Details

BASS - BASS Automated Signature Synthesizer

This blog post was authored by Jonas Zaddach and Mariano Graziano.

Executive Summary

Given the rapid pace of change in the threat landscape with new threats emerging and existing ones evolving, there are bound to be challenges defenders face. These challenges can manifest in multiple ways, such as processing and analyzing millions of new and unknown samples received each day. Other challenges include managing resource constraints for our tools used to automate malware analysis, developing antivirus signatures in an efficient manner that will identify malware families, and ensuring tools are able to scale as the number of samples needing to be analyzed increases. To help address these challenges, Talos is releasing a new open source framework called BASS.

BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker.

Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS. You can find source code for BASS here:

https://github.com/Cisco-Talos/bass

BASS was announced at REcon 2017 in Montreal, Canada.

Wednesday, June 14, 2017

Deep dive in Lexmark Perceptive Document Filters Exploitation

This post authored by Marcin Noga with contributions from Nick Biasini


Introduction

Talos discovers and releases software vulnerabilities on a regular basis. We don't always publish a deep technical analysis of how the vulnerability was discovered or its potential impact. This blog will cover these technical aspects including discovery and exploitation. Before we deep dive into the technical aspects of exploitation, let's start with an introduction to Lexmark Perceptive Document Filters and MarkLogic. Specifically, how these products are connected and what their purpose is. There are articles across the Internet discussing these products and their purposes. Additionally, you can read the Perceptive Documents Filters product description directly.

In general Perceptive Document Filters are used in Big Data, eDiscovery, DLP, email archival, content management, business intelligence, and intelligent capture. There are 3 major companies with product offerings in this space. Lexmark is one of them with Oracle and HP being the other two.

Tuesday, June 13, 2017

Microsoft Patch Tuesday - June 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.

BWT EP6: Enter the Talos, But Please Use a Unique Password


LISTEN HERE:

Listen via iTunes
Listen directly on the Talos Podcasts page.

Episode Notes:

Friday, June 9, 2017

Threat Round-up for June 2 - June 9

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 02 and June 09. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, June 6, 2017

The Internet of Vulnerable Things

Introduction


Technological progress is resulting in computing systems that are smaller, cheaper and consuming less power. These micro-computing systems are able to be integrated into everyday objects; when coupled with ubiquitous wireless connectivity these devices form the “Internet of Things”. The IoT has the potential to improve our lives, but only if we correctly manage the security risks which are inherent to these devices.

Tuesday, May 30, 2017

BWT EP5 - It Has Been 0-days Since This Term was Abused

Beers with Talos Episode 5 "It Has Been 0-days Since This Term was Abused" is now available

Listen here:

Listen via iTunes
Listen directly on the Talos Podcasts page.


Episode Notes:

The crew talks about the potential of Samba echoing WannaCry and blocking SMB ports (but you already did that, RIGHT?). We discuss some history lessons and give proper usage guidance on words like 0-days, backdoors, and other terms that the industry loves to hype and abuse for extra clicks.
What we learn in the Roundtable this week: Joel struggles to resolve the conflicts inherent in his design choices, Nigel’s daughter steals high-end electronics, Matt gaslights first responders in a major American city, Craig learns the JRE sandbox is a silver bullet, and Mitch issues a passive aggressive non-apology for just trying to make you happy.

Friday, May 26, 2017

Threat Round-up for May 19 - May 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, May 25, 2017

Samba Vulnerability: Dancing Its Way to a Network Near You

Overview

Today, a new vulnerability affecting the widely used Samba software was released. Samba is the SMB/CIFS protocol commonly used in *NIX operating systems. CVE-2017-7494 has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and result in the server executing the uploaded file.  This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package.  This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. To emphasize the severity and low complexity: a metasploit one-liner can be used to trigger this vulnerability.

A patch has already been released to address the issue.  Additionally, there is a mitigation available within the configuration of Samba itself. Adding the argument "nt pipe support = no" to the global section of the smb.conf file and restarting the service will also mitigate the threat.  This threat is only beginning to be recognized by potential attackers with POC code having already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally. 

Wednesday, May 24, 2017

File2pcap - The Talos Swiss Army Knife of Snort Rule Creation

This post was authored by Martin Zeiser with contributions by Joel Esler


At Talos we are constantly on the lookout for threats to our customers networks, and part of the protection process is creating Snort rules for the latest vulnerabilities in order to detect any attacks.

To improve your understanding of the rule development process, consider a theoretical remotely exploitable vulnerability in server software Server2010. A proof-of-concept exploit is developed, the server software set up on a virtual machine, traffic is captured on  the network between attacker and victim, rule development can start, right?

But what if months or years later, the rule needs to be re-inspected, because circumstances have changed? This requires another vulnerable version of Server2010 to be found, reinstalled and reconfigured to the vulnerable parameters, to run tests again and again, so that network traffic can be inspected. Then when the server is installed, the particular exploit used does not work anymore, because the language it was written in has since changed and the code needs to be fixed accordingly. All this requires plenty of time, which is why it doesn’t happen that way. Instead, a vulnerability is identified, an exploit is written, the exploit is ran, and the attack captured using Wireshark. From then on, the traffic in said pcap file can be used to develop a correct rule. The traffic recorded in a pcap file can easily be put back on the wire using a tcp replay utility, or read directly by Snort. This is why rule developers generally work with pcaps of attacks, instead of exploits.

Regarding file-based vulnerabilities, the original process used to involve starting a local webserver and using a browser to download the exploit file, while recording the transfer using Wireshark. File2pcap revolutionized this requirement by simulating the traffic and creating the proper pcap without any hassles.

Tuesday, May 23, 2017

Modified Zyklon and plugins from India

Introduction


Streams of malicious emails Talos inspects every day usually consist of active spamming campaigns for various ransomware families, phishing campaigns and the common malware family suspects such as banking Trojans and bots.. It is however often more interesting to analyze campaigns smaller in volume as they might contain more interesting malware. A few weeks ago I became interested in just such a campaign with a smaller number of circulating email messages. The email, first of them submitted from Middle East, purports to be coming from a Turkish trading company, which might further indicate the geographic area where the attacks were active. Analyzing malware is often like solving a puzzle, you have to do it piece by piece to reach the final image. In this case I spent more time analyzing the campaign than I initially planned. The campaign has many stages of the infection chain and all needed to be unraveled before the final payload level was reached. Furthermore, each of the stages used different development platform and was obfuscated in a different way. But let us start from the beginning.

Monday, May 22, 2017

Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks

When the WannaCry attack was launched a little over a week ago, it was one of the first large scale attacks leveraging the data that was leaked by the Shadow Brokers. At the time the real concern was how quickly we would begin to see other threats leverage the same vulnerabilities. Over the past couple of weeks, Talos has observed other malware variants that are using the ETERNALBLUE and DOUBLEPULSAR exploits from the Shadow Brokers release as part of their campaigns. Among them were Adylkuzz, Uiwix, and EternalRocks.

Adylkuzz is a piece of malware that uses ETERNALBLUE and DOUBLEPULSAR to install cryptocurrency mining software on the infected system. This attack actually pre-dates the WannaCry attack and has continued to deliver the cryptocurrency miner.

Uiwix uses a similar technique to install ransomware on the infected system. When the files are encrypted, the file names include "UIWIX" as part of the file extension. The key difference with this malware is that, unlike WannaCry, the Ransomware doesn't "worm itself." It only installs itself on the system.

Thursday, May 18, 2017

Terror Evolved: Exploit Kit Matures

This post is authored by Holger Unterbrink and Emmanuel Tacheau


Executive Summary


Talos is monitoring the major Exploit Kits(EK) on an ongoing basis. While investigating the changes we recently observed in the RIG EK campaigns, we identified another well known candidate: Terror Exploit Kit.

Terror EK is one of the new players who showed up after the big Exploit Kit market consolidation last year. When Angler and friends disappeared new EKs started to try their luck. Many of them were far from Angler’s quality. One of these was Terror EK which appeared end of last year. It started with a very simple version,carpet bombing the victims with many exploits at the same time, no matter if the exploit matched the victim's browser environment or not. Unfortunately, they improved the kit step by step and we saw a fast evolution up to the latest version analysed in this report.

We identified a potentially compromised legitimate web site acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later.

This may indicate how these campaigns collaborate and share resources, or possibly one campaign pirating another. Terror seems to constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.

It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.

Wednesday, May 17, 2017

Beers with Talos Podcast Now Available

The first episodes of Beers with Talos are now available on iTunes and directly on talosintelligence.com/podcasts.



When Talos decided to make a threat intelligence podcast, we wanted to make it different than your typical buttoned down, subdued security podcast. The BWT crew: Craig, Joel, Nigel, and Mitch, decided to do that by making a podcast that is a lot like the discussions that you would have after work with colleagues - if your colleagues were both ridiculously opinionated and hyper-focused on security research. Occasionally we’ll even have some special guests join us.

At its core, Beers with Talos is four people from Talos unpacking some of the biggest recent security stories from various perspectives and making (terrible) jokes the whole time. It doesn’t matter if you are a grizzled SOC vet, a researcher, an executive, or you just want to stay informed about the threat landscape, everyone can take something away with them at the end of an episode. Check out the episodes we have released and let us know what you think and what topics you might want to hear covered or guest you would like us to invite for future episodes.

You can listen and subscribe on iTunes (or directly to our RSS feed if that’s your style). We would love to hear your feedback and ideas for future episodes - tweet @TalosSecurity using #BWT or you can email us at [email protected].

Tuesday, May 16, 2017

Arbitrary Code Execution Vulnerabilities in MuPDF Identified and Patched

Talos is disclosing the presence of two vulnerabilities in the Artifex MuPDF renderer. MuPDF is a lightweight PDF parsing and rendering library featuring high fidelity graphics, high speed, and compact code size which makes it a fairly popular PDF library for embedding in different projects, especially mobile and web applications. Both of these vulnerabilities, if exploited, could lead to arbitrary code execution of an attacker's choice on the target device. Both of these vulnerabilities have been responsibly disclosed and Artifex has released software updates to address these vulnerabilities.

Vulnerability Details

Two memory corruption vulnerabilities exist within Artifex MuPDF render that could result in arbitrary code execution if exploited. These two vulnerabilities manifest as a result of improperly parsing and handling parts of a PDF file.

Friday, May 12, 2017

Player 3 Has Entered the Game: Say Hello to 'WannaCry'

This post was authored by Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams.


Executive Summary


A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry appears to primarily utilize the ETERNALBLUE modules and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. If successful it will then implant the DOUBLEPULSAR backdoor and utilize it to install the malware. If the DOUBLEPULSAR backdoor is already installed the malware will still leverage this to install the ransomware payload. This is the cause of the worm-like activity that has been widely observed across the internet

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.

Threat Round-up for May 05 - May 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 05 and May 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Jaff Ransomware: Player 2 Has Entered The Game

This post was written by Nick Biasini, Edmund Brumaghin and Warren Mercer with contributions from Colin Grady

Summary


Talos is constantly monitoring the email threat landscape and tracking both new threats as well as changes to existing threats. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. While Cisco customers were already automatically protected against this threat, we decided to take a deeper look at this threat and its possible implications across the threat landscape. We have outlined the infection process and additional relevant information regarding this threat in detail below.

Vulnerability Spotlight: Hangul Word Processor Remote Code Execution Vulnerability

Vulnerability discovered by Rich Johnson of Talos.

Overview


Published by Hancom inc. the Hangul Office Suite, of which Hangul Word Processor is part, is the leading word processing and office productivity suite in South Korea. This vulnerability allows attackers to craft a malicious document that when opened, allows the attacker to cause arbitrary code to be executed on the victim’s system.

Tuesday, May 9, 2017

Microsoft Patch Tuesday - May 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, Sharepoint, and Windows.

In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.

Monday, May 8, 2017

Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.

This particular vulnerability is related to the use of x.509 certificates and the code that deals with string fields in DER certificates. Specifically the code responsible for parsing 'commonName', 'countryName', 'localityName', 'stateName', 'orgName', and 'orgUnit'. A specially crafted x.509 certificate can cause a single out-of-bounds overwrite that could result in certificate validation issues, denial of service, or remote code execution. To trigger this vulnerability, the adversary needs to supply a malicious x.509 certificate to either the server or client application that is making use of this library. The full details surrounding the vulnerability are available here.

Friday, May 5, 2017

Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

These vulnerabilities were discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the Power Software PowerISO disk imaging software. TALOS-2017-0318 and TALOS-2017-0324 may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the PowerISO software.

Overview


The vulnerabilities are present in the Power Software PowerISO disk imaging utility, used by Windows users to create, edit, mount and convert various popular disk image file formats. The software is commonly used by home users to mount ISO disk images since this capability is not included by default in Windows versions prior to version 8.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.


Thursday, May 4, 2017

Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

These vulnerabilities were discovered by Marcin 'Icewall' Noga of Talos.

Today, Talos is disclosing several vulnerabilities that have been identified in the AntennaHouse DMC library which is used in various products for web-based document searching and rendering. These vulnerabilities manifest as a failure to correctly parse Microsoft Office documents and could be exploited to achieve arbitrary code execution. These vulnerabilities are being disclosed in coordination with AntennaHouse.

Vulnerability Details

Multiple heap corruption vulnerabilities exist within AntennaHouse DMC HTMLFilter that could be exploited to achieve arbitrary code execution on the targeted machine. These vulnerabilities manifest due to improper handling of Microsoft Office documents, such as Word and PowerPoint files. An adversary that passes a specifically crafted document to the converter could exploit one of these vulnerabilities. Note that the method that an adversary could compromise a vulnerable machine varies as this library is known to be incorporated into other third-party products.

Wednesday, May 3, 2017

Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

This post authored by Sean Baird and Nick Biasini

Attackers are always looking for creative ways to send large amount of spam to victims. A short-lived, but widespread Google Drive themed phishing campaign has affected a large number of users across a variety of verticals. This campaign would be bcc'd to a target while being sent to [email protected][.]com, to make this email appear legitimate the sender would be someone who had the target in their address book.

Mailinator is a "free, public, email system where you can use any inbox you want," often used for throwaway accounts. In this instance, the Mailinator inbox in question could have been used by the spammer to monitor whether or not the email was successfully sent. The use of Mailinator, however, is not what made this campaign unique.

KONNI: A Malware Under The Radar For Years

This blog was authored by Paul Rascagneres

Executive Summary


Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.

Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:

Friday, April 28, 2017

Threat Round-up for Apr 21 - Apr 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.

Overview


Talos has discovered a vulnerability in the Randombit Botan library. A programming error exists in a way Botan library implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. A security advisory was published on the Randombit website to inform users the vulnerability is now fixed in versions 2.1.0 and 1.10.16.

Thursday, April 27, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

These vulnerabilities were discovered by Lilith Wyatt of Cisco ASIG

Summary


Zabbix is an enterprise monitoring solution that is designed to give organizations the ability to monitor the health and status of various systems within their networks, including: network services, servers, and networking equipment. Cisco recently discovered multiple vulnerabilities in the Zabbix Server software component that could be leveraged by attackers to write directly to the Zabbix Proxy database or achieve remote code execution on the Zabbix Server. Cisco worked with Zabbix to responsibly disclose these vulnerabilities and ensure that a patch is available. Zabbix has released public advisories regarding these vulnerabilities which are located here and here.

Wednesday, April 26, 2017

Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2017-0310 / CVE-2017-2813, an arbitrary code execution vulnerability in the JP2 plugin for IrfanView image viewer. IrfanView is a widely used, Windows based, image viewing and editing application. 

This particular vulnerability is in the jpeg2000 plugin (JP2) for IrfanView resulting in an integer overflow which leads to a wrong memory allocation and eventual arbitrary code execution. This vulnerability is specifically related to the way in which the plugin leverages the reference tile width value in a buffer size allocation. There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out of bounds write vulnerability. This out of bounds write bug can be further leveraged to achieve code execution in the application. This vulnerability can be triggered by either viewing an image in the application or by using the thumb nailing feature of IrfanView. The full details surrounding the vulnerability are available here.

Friday, April 21, 2017

Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

Earlier this month, Talos responsibly disclosed a set of vulnerabilities in Moxa ICS wireless access points. While most of the vulnerabilities were addressed in the previous set of advisories, Talos has continued to work with Moxa to ensure all remaining vulnerabilities that Talos identified are patched. Today in coordination with Moxa, Talos is disclosing the TALOS-2016-0231, a hard-coded credential vulnerability that could allow an attacker to gain complete control of the device. Moxa has released a software update to address TALOS-2016-0231 and other bugs.

Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

This post was authored by Nick Biasini

Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. However, late in 2016 Locky distribution declined dramatically largely due to the slowdown of Necurs that occurred at the same time.

On April 21st, Talos observed the first large scale Locky campaign in months from Necurs. This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.

Threat Round-up for Apr 14 - Apr 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Wednesday, April 19, 2017

Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

Vulnerability Discovered by Aleksandar Nikolic

Overview

Talos is disclosing TALOS-2017-0274/CVE-2017-2784, a code execution vulnerability in ARM MbedTLS. This vulnerability is specifically related to how MbedTLS handles x509 certificates. MbedTLS is an SSL/TLS implementation aimed specifically at embedded devices that was previously known as PolarSSL. 

The vulnerability exists in the part of the code responsible for handling elliptic curve cryptography keys. An attacker can trigger this vulnerability by providing a specially crafted x509 certificate to the target which performs a series of checks on the certificate. While performing these checks the application fails to properly parse the public key. This results in the invalid free of a stack pointer. There is a mitigating factor associated with this vulnerability in that the memory space that is pointed to is zeroed out shortly before the vulnerability is triggered. However, since it's designed to be used in embedded platforms that may not have modern heap exploitation mitigations in place it may be possible to achieve code execution in certain circumstances.  Full details of the vulnerability are available in our advisory.

Tuesday, April 18, 2017

Vulnerability Spotlight: Information Disclosure Vulnerability in Lexmark Perceptive Document Filters

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos are today releasing a new vulnerability discovered within the Lexmark Perceptive Document Filters library. TALOS-2017-0302 allows for information disclosure using specifically crafted files.

Overview


The vulnerability is present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

Saturday, April 15, 2017

Cisco Coverage for Shadow Brokers 2017-04-14 Information Release

On Friday, April 14, the actor group identifying itself as the Shadow Brokers released new information containing exploits for vulnerabilities that affect various versions of Microsoft Windows as well as applications such as Lotus Domino. Additionally, the release included previously unknown tools, including an exploitation framework identified as "FUZZBUNCH." Preliminary analysis of the information suggested several of the released exploits were targeting zero-day vulnerabilities. Microsoft has released a statement regarding the newly released exploits targeting Windows and notes that most of them have been previously patched. Talos is aware of this new information disclosure and has responded to ensure our customers are protected from these threats.

Coverage for the exploits and tools disclosed by the Shadow Brokers is available through Cisco's security products, services, and open source technologies. In some cases, coverage for specific tools or vulnerabilities was already available prior to today's information release. In the cases of the exploits dubbed ETERNALCHAMPION and ETERNALBLUE, Talos had pre-existing coverage that detects attempts to exploit these vulnerabilities.

Friday, April 14, 2017

Threat Round-up for Apr 7 - Apr 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Cisco Coverage for CVE-2017-0199

Over the past week, information regarding a serious zero-day vulnerability (CVE-2017-0199) in Microsoft Office was publically disclosed. Since learning of this flaw, Talos has been actively investigating the issue. Preliminary reports indicated that this vulnerability was actively being exploited in the wild and used to compromise hosts with Dridex, a well-known banking trojan.

On Tuesday, April 11, Microsoft released a patch for CVE-2017-0199. CVE-2017-0199 is an arbitrary code execution vulnerability in Microsoft Office which manifests due to improper handling of Rich Text Format (RTF) files. Exploitation of this flaw has been observed in email-based attacks where adversaries bait users to open a specifically crafted document attached to the message. Given that this vulnerability continues to be actively being exploited, Talos strongly recommends all customers patch as soon as possible.

Tuesday, April 11, 2017

Microsoft Patch Tuesday - April 2017

It’s that time again! Today we bring you April’s Microsoft Patch Tuesday information. These fixed vulnerabilities affect Outlook, Edge, Internet Explorer, Hyper-V, .NET, and Scripting Engine.


Monday, April 10, 2017

From Box to Backdoor: Discovering Just How Insecure an ICS Device is in Only 2 Weeks

This post was authored by Martin Lee and Warren Mercer, based on research conducted by Patrick DeSantis.

*blog post was updated with additional information for Day 4 on April 21. 

Industrial Control Systems provide stability to civilization. They clean our water, deliver our power, and enable the physical infrastructure that we have learnt to rely on. Industrial Control Systems are also highly prevalent in manufacturing. They're the robots who build your cars and assemble T.V's, they're the forklifts that ship your e-commerce purchases. As factories, utilities, and other industrial companies shift to a modern industrial infrastructure, it's vital that those processes and devices remain safe from attackers.

One key component in any ICS architecture is the access point which provides the connection between ICS devices and a industrial wireless network. Inspired by From LOW to PWNED we decided to take a look at one ICS wireless access point and see just how many vulnerabilities we could find in two weeks. The vulnerabilities listed in this post have been responsibly disclosed to Moxa. Moxa has released a software update that addresses most of these vulnerabilities. Additional updates will be forthcoming that will address TALOS-2017-0231.

Friday, April 7, 2017

Threat Round-up for Mar 31 - Apr 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, April 6, 2017

Hacking the Belkin E Series OmniView 2-Port KVM Switch

Author: Ian Payton, Security Advisory EMEAR

This post is available to download as a whitepaper.

Introduction


Too frequently security professionals only consider software vulnerabilities when considering the risks of connecting devices to their networks and systems. When it comes to considering potential risks of connected devices and the Internet of Things, not only must security professionals consider potential vulnerabilities in the software and firmware of these systems, but also physical vulnerabilities in hardware.

Tampering with hardware is method by which attacker can physically modify systems in order to introduce new malicious functionality, such as the ability to exfiltrate data without resorting to exploiting software based vulnerabilities.

Monday, April 3, 2017

Introducing ROKRAT

This blog was authored by Warren Mercer and Paul Rascagneres with contributions from Matthew Molyett.

Executive Summary


A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT.

Like in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was '[email protected]' which is the contact email of the Korea Global Forum where the slogan in 2016 was "Peace and Unification of the Korean Peninsula". This fact gives more credit and legitimacy to the email.

The HWP document contained an embedded Encapsulated PostScript (EPS) object. As with our previous publication this again is zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens.


Friday, March 31, 2017

Threat Round-up for Mar 24 - Mar 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Threat Spotlight: Sundown Matures

This post authored by Nick Biasini with contributions from Edmund Brumaghin and Alex Chiu

The last time Talos discussed Sundown it was an exploit kit in transition. Several of the large exploit kits had left the landscape and a couple of strong contenders remain. Sundown was one of the kits still active and poised to make a move, but lacked a lot of the sophistication of the other large kits and had lots of easy identifiers throughout its infection chain. Most of these identifiers have been stripped, new exploits added, and Talos was able to uncover an interesting campaign focused around the bulk purchase of expiring domains through auctions commonly held within the domain resellers market.

Wednesday, March 29, 2017

Vulnerability Spotlight: Exploiting Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability

Vulnerabilities discovered by Matthew Van Gundy from Cisco ASIG


Overview



As a member of the Linux Foundation Core Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified a series of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified a further vulnerabilities in the software. This vulnerability results in a denial of service attack against peers due to the origin timestamp check functionality. The attacker does not need to be authenticated in order to exploit the vulnerability.

The ntpd daemon uses the Network Time Protocol for clock synchronization between computer systems and as such, plays a vital role in maintaining system integrity.

Monday, March 27, 2017

Vulnerability Spotlight: Certificate Validation Flaw in Apple macOS and iOS Identified and Patched

Most people don't give much thought to what happens when you connect to your bank's website or log in to your email account. For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present "identification" showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information.

Due to the sensitive nature of this process, software vulnerabilities that adversely impact the security of certificate validation could have major consequences. Unfortunately, digital systems are complex and bugs are an inevitable reality in software development. Identifying vulnerabilities and responsibly disclosing them improves the security of the internet by eliminating potential attack vectors. Talos is committed to improving the overall security of the internet and today we are disclosing TALOS-2017-0296 (CVE-2017-2485), a remote code execution vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS. This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.

Friday, March 24, 2017

Threat Round-up for the Week of Mar 20 - Mar 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 23, 2017

How Malformed RTF Defeats Security Engines

This post is authored by Paul Rascagneres with contributions from Alex McDonnell

Executive Summary


Talos has discovered a new spam campaign used to infect targets with the well known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.

Despite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within in the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE:


This article explains how the malware author modified the RTF file in order to bypass security protection and frustrate malware researchers.


Wednesday, March 22, 2017

Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Vulnerability discovered by Cory Duplantis of Cisco Talos.

Overview


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability and a memory corruption vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW. National Instruments have released a patch, LabVIEW 2016 f2 which should be applied.

Monday, March 20, 2017

Necurs Diversifies Its Portfolio

The post was authored by Sean Baird, Edmund Brumaghin and Earl Carter, with contributions from Jaeson Schultz.

Executive Summary


The Necurs botnet is the largest spam botnet in the world. Over the past year it has been used primarily for the distribution of Locky ransomware and Dridex. Earlier this year, we wrote about how the Necurs botnet went offline and seemingly disappeared, taking most of the high volume Locky malspam with it. Talos recently identified a significant increase in the amount of spam emails originating from the Necurs botnet, indicating that it may have come back to life, but rather than distributing malware in the form of malicious attachments, it appears to have shifted back to penny stock pump-and-dump messages. This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.

Friday, March 17, 2017

Threat Round-up for the Week of Mar 13 - Mar 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Tuesday, March 14, 2017

Microsoft Patch Tuesday - March 2017

Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.

Friday, March 10, 2017

Threat Round-up for the Week of Mar 6 - Mar 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with our previous threat round-up, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 9, 2017

Vulnerability Spotlight: R - PDF LoadEncoding Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0227 / CVE-2016-8714 which is a buffer overflow vulnerability in the LoadEncoding functionality of the R programming language version 3.3.0. The R programming language is commonly used in statistical computing and is supported by the R Foundation for Statistical Computing. R is praised for having a large variety of statistical and graphical features. The vulnerability is specifically related to the creation of a PDF document.

Wednesday, March 8, 2017

Content-Type: Malicious - New Apache Struts2 0-day Under Attack

This post is authored by Nick Biasini

UPDATE: It was recently disclosed that in addition to Content-Type being vulnerable, both Content-Disposition and Content-Length can be manipulated to trigger this particular vulnerability. No new CVE was listed, however details of the vulnerability and remediation are available in this security advisory.

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.

Crypt0l0cker (TorrentLocker): Old Dog, New Tricks

This post is authored by Matthew Molyett, Holger Unterbrink and Paul Rascagneres.

Executive Summary

Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years. In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker (aka TorrentLocker or Teerac) ransomware. Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis. Several indicators inside the samples we have analysed point to a new major version of the malware. We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015. It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks. This post will also give you insights about the level of sophistication this malware has reached.

Tuesday, March 7, 2017

Vulnerability Spotlight: Pharos Vulnerabilities

Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with these vulnerabilities.

Pharos PopUp Printer is printing software that is widely used to manage multiple connections to a single printing point. Services that run with root privileges that are open to network connections are a tempting target for attackers. Talos is disclosing the presence of three code execution vulnerabilities and a denial of service vulnerability in the psnotifyd application of the Pharos PopUp printer client version 9.0

TALOS-2017-0280, TALOS-2017-0283 Code Execution Vulnerabilities (CVE-2017-2785, CVE-2017-2788)
TALOS-2017-0282 Memcpy Code Execution Vulnerability (CVE-2017-2787)
TALOS-2017-0281 DecodeString Denial of Service Vulnerability (CVE-2017-2786)

Friday, March 3, 2017

Malware Round-up For The Week of Feb 27 - Mar 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. Unlike our other posts, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 2, 2017

Covert Channels and Poor Decisions: The Tale of DNSMessenger

This post was authored by Edmund Brumaghin and Colin Grady

Executive Summary


The Domain Name System (DNS) is one of the most commonly used Internet application protocols on corporate networks. It is responsible for providing name resolution so that network resources can be accessed by name, rather than requiring users to memorize IP addresses. While many organizations implement strict egress filtering as it pertains to web traffic, firewall rules, etc. many have less stringent controls in place to protect against DNS based threats. Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.

Typically this use of DNS is related to the exfiltration of information. Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.

Ironically, the author of the malware called SourceFire out in the malware code itself shortly after we released Cisco Umbrella, a security product specifically designed to protect organizations from DNS and web based threats as described here.

Monday, February 27, 2017

Cisco Coverage for Smart Install Client Protocol Abuse


Summary


Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.

We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Iceni Argus PDF Content Extraction affect MarkLogic

Vulnerability discovered by Marcin ’Icewall’ Noga and a member of the Talos VulnDev team.


Overview

Talos has discovered multiple vulnerabilities in Iceni Argus PDF content extraction product. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim's machine. Although the main product is deprecated by Iceni, the library is still supported. Iceni has released a patched version that addresses these vulnerabilities. Nevertheless, the library is widely used; MarkLogic is an example of a product that uses Iceni Argus for PDF document conversion as part of their web based document search and rendering.

Friday, February 24, 2017

Vulnerability Deep Dive - Ichitaro Office Excel File Code Execution Vulnerability

This vulnerability was discovered by Cory Duplantis and another member of Cisco Talos


Overview


Vulnerabilities in word processing and office productivity suites are useful targets for exploitation by threat actors. Users frequently encounter file types used by these software suites in their day to day lives and may not question opening such files within an email or being prompted to download such a file from a website.

Some word processing software is widely used within communities using a specific language, but poorly known elsewhere. For example, Hancom's Hangul Word Processor is widely used within South Korea and Ichitaro Office suite from JustSystems is widely used in Japan and Japanese speaking communities. Exploiting vulnerabilities in these and similar word processing systems allows attackers to target their attacks to a specific country or to the linguistic community of their intended victims. Presumably, attackers may believe that exploits against these systems may be less likely to be discovered by security researchers who may lack the necessary software which the vulnerability exploits.

The recent discovery by Talos of a sophisticated attack exploiting Hangul Word Processor http://blog.talosintelligence.com/2017/02/korean-maldoc.html underlines the ability of attackers with the necessary technical skills to create malicious files that target local office productivity suite software.

Talos has discovered three vulnerabilities within the Ichitaro Office suite, one of the most popular word processors used in Japan.

We have no indication that any of the three vulnerabilities we discovered in Ichitaro Office suite, have been exploited in the wild. Nevertheless, all three lead to a state where arbitrary code can be executed. We have chosen one of these vulnerabilities to explain in more detail how such a vulnerability may be exploited and to demonstrate what remote code execution means by launching calc.exe as an example.

The advisory for this particular vulnerability can be found here http://www.talosintelligence.com/reports/TALOS-2016-0197