Friday, May 26, 2017

Threat Round-up for May 19 - May 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, May 25, 2017

Samba Vulnerability: Dancing Its Way to a Network Near You

Overview

Today, a new vulnerability affecting the widely used Samba software was released. Samba is the SMB/CIFS protocol commonly used in *NIX operating systems. CVE-2017-7494 has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and result in the server executing the uploaded file.  This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package.  This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. To emphasize the severity and low complexity: a metasploit one-liner can be used to trigger this vulnerability.

A patch has already been released to address the issue.  Additionally, there is a mitigation available within the configuration of Samba itself. Adding the argument "nt pipe support = no" to the global section of the smb.conf file and restarting the service will also mitigate the threat.  This threat is only beginning to be recognized by potential attackers with POC code having already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally. 

Wednesday, May 24, 2017

File2pcap - The Talos Swiss Army Knife of Snort Rule Creation

This post was authored by Martin Zeiser with contributions by Joel Esler


At Talos we are constantly on the lookout for threats to our customers networks, and part of the protection process is creating Snort rules for the latest vulnerabilities in order to detect any attacks.

To improve your understanding of the rule development process, consider a theoretical remotely exploitable vulnerability in server software Server2010. A proof-of-concept exploit is developed, the server software set up on a virtual machine, traffic is captured on  the network between attacker and victim, rule development can start, right?

But what if months or years later, the rule needs to be re-inspected, because circumstances have changed? This requires another vulnerable version of Server2010 to be found, reinstalled and reconfigured to the vulnerable parameters, to run tests again and again, so that network traffic can be inspected. Then when the server is installed, the particular exploit used does not work anymore, because the language it was written in has since changed and the code needs to be fixed accordingly. All this requires plenty of time, which is why it doesn’t happen that way. Instead, a vulnerability is identified, an exploit is written, the exploit is ran, and the attack captured using Wireshark. From then on, the traffic in said pcap file can be used to develop a correct rule. The traffic recorded in a pcap file can easily be put back on the wire using a tcp replay utility, or read directly by Snort. This is why rule developers generally work with pcaps of attacks, instead of exploits.

Regarding file-based vulnerabilities, the original process used to involve starting a local webserver and using a browser to download the exploit file, while recording the transfer using Wireshark. File2pcap revolutionized this requirement by simulating the traffic and creating the proper pcap without any hassles.

Tuesday, May 23, 2017

Modified Zyklon and plugins from India

Introduction


Streams of malicious emails Talos inspects every day usually consist of active spamming campaigns for various ransomware families, phishing campaigns and the common malware family suspects such as banking Trojans and bots.. It is however often more interesting to analyze campaigns smaller in volume as they might contain more interesting malware. A few weeks ago I became interested in just such a campaign with a smaller number of circulating email messages. The email, first of them submitted from Middle East, purports to be coming from a Turkish trading company, which might further indicate the geographic area where the attacks were active. Analyzing malware is often like solving a puzzle, you have to do it piece by piece to reach the final image. In this case I spent more time analyzing the campaign than I initially planned. The campaign has many stages of the infection chain and all needed to be unraveled before the final payload level was reached. Furthermore, each of the stages used different development platform and was obfuscated in a different way. But let us start from the beginning.

Monday, May 22, 2017

Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks

When the WannaCry attack was launched a little over a week ago, it was one of the first large scale attacks leveraging the data that was leaked by the Shadow Brokers. At the time the real concern was how quickly we would begin to see other threats leverage the same vulnerabilities. Over the past couple of weeks, Talos has observed other malware variants that are using the ETERNALBLUE and DOUBLEPULSAR exploits from the Shadow Brokers release as part of their campaigns. Among them were Adylkuzz, Uiwix, and EternalRocks.

Adylkuzz is a piece of malware that uses ETERNALBLUE and DOUBLEPULSAR to install cryptocurrency mining software on the infected system. This attack actually pre-dates the WannaCry attack and has continued to deliver the cryptocurrency miner.

Uiwix uses a similar technique to install ransomware on the infected system. When the files are encrypted, the file names include "UIWIX" as part of the file extension. The key difference with this malware is that, unlike WannaCry, the Ransomware doesn't "worm itself." It only installs itself on the system.

Thursday, May 18, 2017

Terror Evolved: Exploit Kit Matures

This post is authored by Holger Unterbrink and Emmanuel Tacheau


Executive Summary


Talos is monitoring the major Exploit Kits(EK) on an ongoing basis. While investigating the changes we recently observed in the RIG EK campaigns, we identified another well known candidate: Terror Exploit Kit.

Terror EK is one of the new players who showed up after the big Exploit Kit market consolidation last year. When Angler and friends disappeared new EKs started to try their luck. Many of them were far from Angler’s quality. One of these was Terror EK which appeared end of last year. It started with a very simple version,carpet bombing the victims with many exploits at the same time, no matter if the exploit matched the victim's browser environment or not. Unfortunately, they improved the kit step by step and we saw a fast evolution up to the latest version analysed in this report.

We identified a potentially compromised legitimate web site acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later.

This may indicate how these campaigns collaborate and share resources, or possibly one campaign pirating another. Terror seems to constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.

It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.

Wednesday, May 17, 2017

Beers with Talos Podcast Now Available

The first episodes of Beers with Talos are now available on iTunes and directly on talosintelligence.com/podcasts.



When Talos decided to make a threat intelligence podcast, we wanted to make it different than your typical buttoned down, subdued security podcast. The BWT crew: Craig, Joel, Nigel, and Mitch, decided to do that by making a podcast that is a lot like the discussions that you would have after work with colleagues - if your colleagues were both ridiculously opinionated and hyper-focused on security research. Occasionally we’ll even have some special guests join us.

At its core, Beers with Talos is four people from Talos unpacking some of the biggest recent security stories from various perspectives and making (terrible) jokes the whole time. It doesn’t matter if you are a grizzled SOC vet, a researcher, an executive, or you just want to stay informed about the threat landscape, everyone can take something away with them at the end of an episode. Check out the episodes we have released and let us know what you think and what topics you might want to hear covered or guest you would like us to invite for future episodes.

You can listen and subscribe on iTunes (or directly to our RSS feed if that’s your style). We would love to hear your feedback and ideas for future episodes - tweet @TalosSecurity using #BWT or you can email us at [email protected].

Tuesday, May 16, 2017

Arbitrary Code Execution Vulnerabilities in MuPDF Identified and Patched

Talos is disclosing the presence of two vulnerabilities in the Artifex MuPDF renderer. MuPDF is a lightweight PDF parsing and rendering library featuring high fidelity graphics, high speed, and compact code size which makes it a fairly popular PDF library for embedding in different projects, especially mobile and web applications. Both of these vulnerabilities, if exploited, could lead to arbitrary code execution of an attacker's choice on the target device. Both of these vulnerabilities have been responsibly disclosed and Artifex has released software updates to address these vulnerabilities.

Vulnerability Details

Two memory corruption vulnerabilities exist within Artifex MuPDF render that could result in arbitrary code execution if exploited. These two vulnerabilities manifest as a result of improperly parsing and handling parts of a PDF file.

Friday, May 12, 2017

Player 3 Has Entered the Game: Say Hello to 'WannaCry'

This post was authored by Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams.


Executive Summary


A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry appears to primarily utilize the ETERNALBLUE modules and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. If successful it will then implant the DOUBLEPULSAR backdoor and utilize it to install the malware. If the DOUBLEPULSAR backdoor is already installed the malware will still leverage this to install the ransomware payload. This is the cause of the worm-like activity that has been widely observed across the internet

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.

Threat Round-up for May 05 - May 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 05 and May 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Jaff Ransomware: Player 2 Has Entered The Game

This post was written by Nick Biasini, Edmund Brumaghin and Warren Mercer with contributions from Colin Grady

Summary


Talos is constantly monitoring the email threat landscape and tracking both new threats as well as changes to existing threats. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. While Cisco customers were already automatically protected against this threat, we decided to take a deeper look at this threat and its possible implications across the threat landscape. We have outlined the infection process and additional relevant information regarding this threat in detail below.

Vulnerability Spotlight: Hangul Word Processor Remote Code Execution Vulnerability

Vulnerability discovered by Rich Johnson of Talos.

Overview


Published by Hancom inc. the Hangul Office Suite, of which Hangul Word Processor is part, is the leading word processing and office productivity suite in South Korea. This vulnerability allows attackers to craft a malicious document that when opened, allows the attacker to cause arbitrary code to be executed on the victim’s system.

Tuesday, May 9, 2017

Microsoft Patch Tuesday - May 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, Sharepoint, and Windows.

In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.

Monday, May 8, 2017

Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.

This particular vulnerability is related to the use of x.509 certificates and the code that deals with string fields in DER certificates. Specifically the code responsible for parsing 'commonName', 'countryName', 'localityName', 'stateName', 'orgName', and 'orgUnit'. A specially crafted x.509 certificate can cause a single out-of-bounds overwrite that could result in certificate validation issues, denial of service, or remote code execution. To trigger this vulnerability, the adversary needs to supply a malicious x.509 certificate to either the server or client application that is making use of this library. The full details surrounding the vulnerability are available here.

Friday, May 5, 2017

Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

These vulnerabilities were discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the Power Software PowerISO disk imaging software. TALOS-2017-0318 and TALOS-2017-0324 may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the PowerISO software.

Overview


The vulnerabilities are present in the Power Software PowerISO disk imaging utility, used by Windows users to create, edit, mount and convert various popular disk image file formats. The software is commonly used by home users to mount ISO disk images since this capability is not included by default in Windows versions prior to version 8.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.


Thursday, May 4, 2017

Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

These vulnerabilities were discovered by Marcin 'Icewall' Noga of Talos.

Today, Talos is disclosing several vulnerabilities that have been identified in the AntennaHouse DMC library which is used in various products for web-based document searching and rendering. These vulnerabilities manifest as a failure to correctly parse Microsoft Office documents and could be exploited to achieve arbitrary code execution. These vulnerabilities are being disclosed in coordination with AntennaHouse.

Vulnerability Details

Multiple heap corruption vulnerabilities exist within AntennaHouse DMC HTMLFilter that could be exploited to achieve arbitrary code execution on the targeted machine. These vulnerabilities manifest due to improper handling of Microsoft Office documents, such as Word and PowerPoint files. An adversary that passes a specifically crafted document to the converter could exploit one of these vulnerabilities. Note that the method that an adversary could compromise a vulnerable machine varies as this library is known to be incorporated into other third-party products.

Wednesday, May 3, 2017

Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

This post authored by Sean Baird and Nick Biasini

Attackers are always looking for creative ways to send large amount of spam to victims. A short-lived, but widespread Google Drive themed phishing campaign has affected a large number of users across a variety of verticals. This campaign would be bcc'd to a target while being sent to [email protected][.]com, to make this email appear legitimate the sender would be someone who had the target in their address book.

Mailinator is a "free, public, email system where you can use any inbox you want," often used for throwaway accounts. In this instance, the Mailinator inbox in question could have been used by the spammer to monitor whether or not the email was successfully sent. The use of Mailinator, however, is not what made this campaign unique.

KONNI: A Malware Under The Radar For Years

This blog was authored by Paul Rascagneres

Executive Summary


Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.

Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:

Friday, April 28, 2017

Threat Round-up for Apr 21 - Apr 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.

Overview


Talos has discovered a vulnerability in the Randombit Botan library. A programming error exists in a way Botan library implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. A security advisory was published on the Randombit website to inform users the vulnerability is now fixed in versions 2.1.0 and 1.10.16.

Thursday, April 27, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

These vulnerabilities were discovered by Lilith Wyatt of Cisco ASIG

Summary


Zabbix is an enterprise monitoring solution that is designed to give organizations the ability to monitor the health and status of various systems within their networks, including: network services, servers, and networking equipment. Cisco recently discovered multiple vulnerabilities in the Zabbix Server software component that could be leveraged by attackers to write directly to the Zabbix Proxy database or achieve remote code execution on the Zabbix Server. Cisco worked with Zabbix to responsibly disclose these vulnerabilities and ensure that a patch is available. Zabbix has released public advisories regarding these vulnerabilities which are located here and here.

Wednesday, April 26, 2017

Vulnerability Spotlight: IrfanView Jpeg2000 Reference Tile width Arbitrary Code Execution Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2017-0310 / CVE-2017-2813, an arbitrary code execution vulnerability in the JP2 plugin for IrfanView image viewer. IrfanView is a widely used, Windows based, image viewing and editing application. 

This particular vulnerability is in the jpeg2000 plugin (JP2) for IrfanView resulting in an integer overflow which leads to a wrong memory allocation and eventual arbitrary code execution. This vulnerability is specifically related to the way in which the plugin leverages the reference tile width value in a buffer size allocation. There are insufficient checks being done which can result in a small buffer being allocated for a large tile. This results in a controlled out of bounds write vulnerability. This out of bounds write bug can be further leveraged to achieve code execution in the application. This vulnerability can be triggered by either viewing an image in the application or by using the thumb nailing feature of IrfanView. The full details surrounding the vulnerability are available here.

Friday, April 21, 2017

Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

Earlier this month, Talos responsibly disclosed a set of vulnerabilities in Moxa ICS wireless access points. While most of the vulnerabilities were addressed in the previous set of advisories, Talos has continued to work with Moxa to ensure all remaining vulnerabilities that Talos identified are patched. Today in coordination with Moxa, Talos is disclosing the TALOS-2016-0231, a hard-coded credential vulnerability that could allow an attacker to gain complete control of the device. Moxa has released a software update to address TALOS-2016-0231 and other bugs.

Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

This post was authored by Nick Biasini

Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. However, late in 2016 Locky distribution declined dramatically largely due to the slowdown of Necurs that occurred at the same time.

On April 21st, Talos observed the first large scale Locky campaign in months from Necurs. This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.

Threat Round-up for Apr 14 - Apr 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Wednesday, April 19, 2017

Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

Vulnerability Discovered by Aleksandar Nikolic

Overview

Talos is disclosing TALOS-2017-0274/CVE-2017-2784, a code execution vulnerability in ARM MbedTLS. This vulnerability is specifically related to how MbedTLS handles x509 certificates. MbedTLS is an SSL/TLS implementation aimed specifically at embedded devices that was previously known as PolarSSL. 

The vulnerability exists in the part of the code responsible for handling elliptic curve cryptography keys. An attacker can trigger this vulnerability by providing a specially crafted x509 certificate to the target which performs a series of checks on the certificate. While performing these checks the application fails to properly parse the public key. This results in the invalid free of a stack pointer. There is a mitigating factor associated with this vulnerability in that the memory space that is pointed to is zeroed out shortly before the vulnerability is triggered. However, since it's designed to be used in embedded platforms that may not have modern heap exploitation mitigations in place it may be possible to achieve code execution in certain circumstances.  Full details of the vulnerability are available in our advisory.

Tuesday, April 18, 2017

Vulnerability Spotlight: Information Disclosure Vulnerability in Lexmark Perceptive Document Filters

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos are today releasing a new vulnerability discovered within the Lexmark Perceptive Document Filters library. TALOS-2017-0302 allows for information disclosure using specifically crafted files.

Overview


The vulnerability is present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

Saturday, April 15, 2017

Cisco Coverage for Shadow Brokers 2017-04-14 Information Release

On Friday, April 14, the actor group identifying itself as the Shadow Brokers released new information containing exploits for vulnerabilities that affect various versions of Microsoft Windows as well as applications such as Lotus Domino. Additionally, the release included previously unknown tools, including an exploitation framework identified as "FUZZBUNCH." Preliminary analysis of the information suggested several of the released exploits were targeting zero-day vulnerabilities. Microsoft has released a statement regarding the newly released exploits targeting Windows and notes that most of them have been previously patched. Talos is aware of this new information disclosure and has responded to ensure our customers are protected from these threats.

Coverage for the exploits and tools disclosed by the Shadow Brokers is available through Cisco's security products, services, and open source technologies. In some cases, coverage for specific tools or vulnerabilities was already available prior to today's information release. In the cases of the exploits dubbed ETERNALCHAMPION and ETERNALBLUE, Talos had pre-existing coverage that detects attempts to exploit these vulnerabilities.

Friday, April 14, 2017

Threat Round-up for Apr 7 - Apr 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Cisco Coverage for CVE-2017-0199

Over the past week, information regarding a serious zero-day vulnerability (CVE-2017-0199) in Microsoft Office was publically disclosed. Since learning of this flaw, Talos has been actively investigating the issue. Preliminary reports indicated that this vulnerability was actively being exploited in the wild and used to compromise hosts with Dridex, a well-known banking trojan.

On Tuesday, April 11, Microsoft released a patch for CVE-2017-0199. CVE-2017-0199 is an arbitrary code execution vulnerability in Microsoft Office which manifests due to improper handling of Rich Text Format (RTF) files. Exploitation of this flaw has been observed in email-based attacks where adversaries bait users to open a specifically crafted document attached to the message. Given that this vulnerability continues to be actively being exploited, Talos strongly recommends all customers patch as soon as possible.

Tuesday, April 11, 2017

Microsoft Patch Tuesday - April 2017

It’s that time again! Today we bring you April’s Microsoft Patch Tuesday information. These fixed vulnerabilities affect Outlook, Edge, Internet Explorer, Hyper-V, .NET, and Scripting Engine.


Monday, April 10, 2017

From Box to Backdoor: Discovering Just How Insecure an ICS Device is in Only 2 Weeks

This post was authored by Martin Lee and Warren Mercer, based on research conducted by Patrick DeSantis.

*blog post was updated with additional information for Day 4 on April 21. 

Industrial Control Systems provide stability to civilization. They clean our water, deliver our power, and enable the physical infrastructure that we have learnt to rely on. Industrial Control Systems are also highly prevalent in manufacturing. They're the robots who build your cars and assemble T.V's, they're the forklifts that ship your e-commerce purchases. As factories, utilities, and other industrial companies shift to a modern industrial infrastructure, it's vital that those processes and devices remain safe from attackers.

One key component in any ICS architecture is the access point which provides the connection between ICS devices and a industrial wireless network. Inspired by From LOW to PWNED we decided to take a look at one ICS wireless access point and see just how many vulnerabilities we could find in two weeks. The vulnerabilities listed in this post have been responsibly disclosed to Moxa. Moxa has released a software update that addresses most of these vulnerabilities. Additional updates will be forthcoming that will address TALOS-2017-0231.

Friday, April 7, 2017

Threat Round-up for Mar 31 - Apr 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, April 6, 2017

Hacking the Belkin E Series OmniView 2-Port KVM Switch

Author: Ian Payton, Security Advisory EMEAR

This post is available to download as a whitepaper.

Introduction


Too frequently security professionals only consider software vulnerabilities when considering the risks of connecting devices to their networks and systems. When it comes to considering potential risks of connected devices and the Internet of Things, not only must security professionals consider potential vulnerabilities in the software and firmware of these systems, but also physical vulnerabilities in hardware.

Tampering with hardware is method by which attacker can physically modify systems in order to introduce new malicious functionality, such as the ability to exfiltrate data without resorting to exploiting software based vulnerabilities.

Monday, April 3, 2017

Introducing ROKRAT

This blog was authored by Warren Mercer and Paul Rascagneres with contributions from Matthew Molyett.

Executive Summary


A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT.

Like in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was '[email protected]' which is the contact email of the Korea Global Forum where the slogan in 2016 was "Peace and Unification of the Korean Peninsula". This fact gives more credit and legitimacy to the email.

The HWP document contained an embedded Encapsulated PostScript (EPS) object. As with our previous publication this again is zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens.


Friday, March 31, 2017

Threat Round-up for Mar 24 - Mar 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Threat Spotlight: Sundown Matures

This post authored by Nick Biasini with contributions from Edmund Brumaghin and Alex Chiu

The last time Talos discussed Sundown it was an exploit kit in transition. Several of the large exploit kits had left the landscape and a couple of strong contenders remain. Sundown was one of the kits still active and poised to make a move, but lacked a lot of the sophistication of the other large kits and had lots of easy identifiers throughout its infection chain. Most of these identifiers have been stripped, new exploits added, and Talos was able to uncover an interesting campaign focused around the bulk purchase of expiring domains through auctions commonly held within the domain resellers market.

Wednesday, March 29, 2017

Vulnerability Spotlight: Exploiting Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability

Vulnerabilities discovered by Matthew Van Gundy from Cisco ASIG


Overview



As a member of the Linux Foundation Core Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified a series of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified a further vulnerabilities in the software. This vulnerability results in a denial of service attack against peers due to the origin timestamp check functionality. The attacker does not need to be authenticated in order to exploit the vulnerability.

The ntpd daemon uses the Network Time Protocol for clock synchronization between computer systems and as such, plays a vital role in maintaining system integrity.

Monday, March 27, 2017

Vulnerability Spotlight: Certificate Validation Flaw in Apple macOS and iOS Identified and Patched

Most people don't give much thought to what happens when you connect to your bank's website or log in to your email account. For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present "identification" showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information.

Due to the sensitive nature of this process, software vulnerabilities that adversely impact the security of certificate validation could have major consequences. Unfortunately, digital systems are complex and bugs are an inevitable reality in software development. Identifying vulnerabilities and responsibly disclosing them improves the security of the internet by eliminating potential attack vectors. Talos is committed to improving the overall security of the internet and today we are disclosing TALOS-2017-0296 (CVE-2017-2485), a remote code execution vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS. This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.

Friday, March 24, 2017

Threat Round-up for the Week of Mar 20 - Mar 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 23, 2017

How Malformed RTF Defeats Security Engines

This post is authored by Paul Rascagneres with contributions from Alex McDonnell

Executive Summary


Talos has discovered a new spam campaign used to infect targets with the well known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.

Despite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within in the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE:


This article explains how the malware author modified the RTF file in order to bypass security protection and frustrate malware researchers.


Wednesday, March 22, 2017

Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Vulnerability discovered by Cory Duplantis of Cisco Talos.

Overview


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability and a memory corruption vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW. National Instruments have released a patch, LabVIEW 2016 f2 which should be applied.

Monday, March 20, 2017

Necurs Diversifies Its Portfolio

The post was authored by Sean Baird, Edmund Brumaghin and Earl Carter, with contributions from Jaeson Schultz.

Executive Summary


The Necurs botnet is the largest spam botnet in the world. Over the past year it has been used primarily for the distribution of Locky ransomware and Dridex. Earlier this year, we wrote about how the Necurs botnet went offline and seemingly disappeared, taking most of the high volume Locky malspam with it. Talos recently identified a significant increase in the amount of spam emails originating from the Necurs botnet, indicating that it may have come back to life, but rather than distributing malware in the form of malicious attachments, it appears to have shifted back to penny stock pump-and-dump messages. This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.

Friday, March 17, 2017

Threat Round-up for the Week of Mar 13 - Mar 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Tuesday, March 14, 2017

Microsoft Patch Tuesday - March 2017

Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.

Friday, March 10, 2017

Threat Round-up for the Week of Mar 6 - Mar 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with our previous threat round-up, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 9, 2017

Vulnerability Spotlight: R - PDF LoadEncoding Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0227 / CVE-2016-8714 which is a buffer overflow vulnerability in the LoadEncoding functionality of the R programming language version 3.3.0. The R programming language is commonly used in statistical computing and is supported by the R Foundation for Statistical Computing. R is praised for having a large variety of statistical and graphical features. The vulnerability is specifically related to the creation of a PDF document.

Wednesday, March 8, 2017

Content-Type: Malicious - New Apache Struts2 0-day Under Attack

This post is authored by Nick Biasini

UPDATE: It was recently disclosed that in addition to Content-Type being vulnerable, both Content-Disposition and Content-Length can be manipulated to trigger this particular vulnerability. No new CVE was listed, however details of the vulnerability and remediation are available in this security advisory.

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.

Crypt0l0cker (TorrentLocker): Old Dog, New Tricks

This post is authored by Matthew Molyett, Holger Unterbrink and Paul Rascagneres.

Executive Summary

Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years. In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker (aka TorrentLocker or Teerac) ransomware. Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis. Several indicators inside the samples we have analysed point to a new major version of the malware. We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015. It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks. This post will also give you insights about the level of sophistication this malware has reached.

Tuesday, March 7, 2017

Vulnerability Spotlight: Pharos Vulnerabilities

Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with these vulnerabilities.

Pharos PopUp Printer is printing software that is widely used to manage multiple connections to a single printing point. Services that run with root privileges that are open to network connections are a tempting target for attackers. Talos is disclosing the presence of three code execution vulnerabilities and a denial of service vulnerability in the psnotifyd application of the Pharos PopUp printer client version 9.0

TALOS-2017-0280, TALOS-2017-0283 Code Execution Vulnerabilities (CVE-2017-2785, CVE-2017-2788)
TALOS-2017-0282 Memcpy Code Execution Vulnerability (CVE-2017-2787)
TALOS-2017-0281 DecodeString Denial of Service Vulnerability (CVE-2017-2786)

Friday, March 3, 2017

Malware Round-up For The Week of Feb 27 - Mar 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. Unlike our other posts, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 2, 2017

Covert Channels and Poor Decisions: The Tale of DNSMessenger

This post was authored by Edmund Brumaghin and Colin Grady

Executive Summary


The Domain Name System (DNS) is one of the most commonly used Internet application protocols on corporate networks. It is responsible for providing name resolution so that network resources can be accessed by name, rather than requiring users to memorize IP addresses. While many organizations implement strict egress filtering as it pertains to web traffic, firewall rules, etc. many have less stringent controls in place to protect against DNS based threats. Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.

Typically this use of DNS is related to the exfiltration of information. Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.

Ironically, the author of the malware called SourceFire out in the malware code itself shortly after we released Cisco Umbrella, a security product specifically designed to protect organizations from DNS and web based threats as described here.

Monday, February 27, 2017

Cisco Coverage for Smart Install Client Protocol Abuse


Summary


Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.

We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Iceni Argus PDF Content Extraction affect MarkLogic

Vulnerability discovered by Marcin ’Icewall’ Noga and a member of the Talos VulnDev team.


Overview

Talos has discovered multiple vulnerabilities in Iceni Argus PDF content extraction product. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim's machine. Although the main product is deprecated by Iceni, the library is still supported. Iceni has released a patched version that addresses these vulnerabilities. Nevertheless, the library is widely used; MarkLogic is an example of a product that uses Iceni Argus for PDF document conversion as part of their web based document search and rendering.

Friday, February 24, 2017

Vulnerability Deep Dive - Ichitaro Office Excel File Code Execution Vulnerability

This vulnerability was discovered by Cory Duplantis and another member of Cisco Talos


Overview


Vulnerabilities in word processing and office productivity suites are useful targets for exploitation by threat actors. Users frequently encounter file types used by these software suites in their day to day lives and may not question opening such files within an email or being prompted to download such a file from a website.

Some word processing software is widely used within communities using a specific language, but poorly known elsewhere. For example, Hancom's Hangul Word Processor is widely used within South Korea and Ichitaro Office suite from JustSystems is widely used in Japan and Japanese speaking communities. Exploiting vulnerabilities in these and similar word processing systems allows attackers to target their attacks to a specific country or to the linguistic community of their intended victims. Presumably, attackers may believe that exploits against these systems may be less likely to be discovered by security researchers who may lack the necessary software which the vulnerability exploits.

The recent discovery by Talos of a sophisticated attack exploiting Hangul Word Processor http://blog.talosintelligence.com/2017/02/korean-maldoc.html underlines the ability of attackers with the necessary technical skills to create malicious files that target local office productivity suite software.

Talos has discovered three vulnerabilities within the Ichitaro Office suite, one of the most popular word processors used in Japan.

We have no indication that any of the three vulnerabilities we discovered in Ichitaro Office suite, have been exploited in the wild. Nevertheless, all three lead to a state where arbitrary code can be executed. We have chosen one of these vulnerabilities to explain in more detail how such a vulnerability may be exploited and to demonstrate what remote code execution means by launching calc.exe as an example.

The advisory for this particular vulnerability can be found here http://www.talosintelligence.com/reports/TALOS-2016-0197

Vulnerability Spotlight: Multiple Ichitaro Office Vulnerabilities

These vulnerabilities were discovered by Cory Duplantis and another member of Cisco Talos

Talos has discovered three vulnerabilities within the Ichitaro Office suite. Ichitaro is published by JustSystems and is considered one of the more popular word processors used within Japan. All three vulnerabilities reported lead to code execution. These issues were initially reported to the vendor in September and it took them until February 23rd to address these issues.


TALOS-2016-0196 (CVE-2017-2789) - Ichitaro Office JTD Figure handling Code Execution Vulnerability
TALOS-2016-0197 (CVE-2017-2790) - Ichitaro Office Excel File Code Execution Vulnerability
TALOS-2016-0199 (CVE-2017-2791) - Ichitaro Word Processor PersistDirectory Code Execution Vulnerability

For a detailed technical analysis of how these issues may be exploited in the wild please refer to the writeup here.

Thursday, February 23, 2017

Korean MalDoc Drops Evil New Years Presents

This blog was authored by Warren Mercer and Paul Rascagneres.


Executive Summary


Talos has investigated a targeted malware campaign against South Korean users. The campaign was active between November 2016 and January 2017, targeting a limited number of people. The infection vector is a Hangul Word Processor document (HWP), a popular alternative to Microsoft Office for South Korean users developed by Hancom.

The malicious document in question is written in Korean with the following title:

5170101-17년_북한_신년사_분석.hwp (translation: 5170101-17 __ North Korea _ New Year _ analysis .hwp)
This document was alleged to be written by the Korean Ministry of Unification and included their logo as a footer on the document.

An interesting twist also came within the analysed malicious document as it attempts to download a file from an official Korean government website: kgls.or.kr (Korean Government Legal Service). The file downloaded is a binary masquerading as a jpeg file that is later executed as part of the infection. It's likely that the website was compromised by the attackers to try and legitimise the HTTP GET attempts for the final payload, this traffic would potentially not have looked unfamiliar for any system administrators.

The attackers' infrastructure appeared to be up for a few days at a time with no observed infrastructure re-use occurring. Unfortunately, the compromised sites were all either cleaned or removed by the attackers and Talos were unable to obtain the final payload. This level of operational security is common for sophisticated attackers.

Due to these elements it's likely that this loader has been designed by a well-funded group in order to target public sector entities in South Korea. Many of these techniques fit the profile of campaigns previously associated with attacks by certain government groups.


Tuesday, February 21, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in the Aerospike NoSQL Database Server

Vulnerabilities discovered by Talos

Talos is releasing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from Denial of Service to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. These issues have been addressed in version 3.11.1.1 of the Aerospike Database software. 

The Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media. 

TALOS-2016-0263 (CVE-2016-9049) - Aerospike Database Server  Fabric_Worker Socket-Loop Denial-of-Service Vulnerability
TALOS-2016-0265 (CVE-2016-9051) - Aerospike Database Server Client Batch Request Code Execution Vulnerability
TALOS-2016-0267 (CVE-2016-9053) - Aerospike Database Server RW Fabric Message Particle Type Code Execution Vulnerability

Thursday, February 16, 2017

Cisco Coverage for 'Magic Hound'

'Magic Hound' is the code name used to reference a seemingly limited series of malware distribution campaigns that were observed targeting organizations in Saudi Arabia as well as organizations with business interests in Saudi Arabia. Similar to other malware distribution campaigns that Talos has observed and documented, this series of campaigns made use of phishing emails containing links to malicious Word documents hosted on attacker controlled servers. When opened, the malicious documents display a message instructing the user to enable macros in an attempt to entice recipients to execute the attacker's scripts and download additional malware, thus infecting their systems. Unlike some of the more sophisticated campaigns seen in the wild, in the case of 'Magic Hound' the attackers made use of commodity malware and tools. This included tools such as IRC bots and Metasploit Meterpreter payloads as well as an open source Remote Administration Tool (RAT).

Talos is aware of this targeted campaign and we have responded to ensure that customers remain protected from 'Magic Hound' as well as other similar campaigns as they are identified and change over time.

Tuesday, February 14, 2017

Vulnerability Spotlight: Apple Garage Band Out of Bounds Write Vulnerability

Discovered by Tyler Bohan of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0262  (CVE-2017-2372) and TALOS-2017-0275  (CVE-2017-2374), an out of bounds write vulnerability in Apple GarageBand. GarageBand is a music creation program, allowing users to create and edit music easily and effectively from their Mac computer. GarageBand is installed by default on all Mac computers so there is a significant number of potential victims. This issue was partially resolved on 1/18/17 with a patch which addressed CVE-2017-2372, the patch released on 2/13/17 addressed CVE-2017-2374 resolving the issue.

This particular vulnerability is the result of the way the application parses the proprietary file format used for GarageBand files, .band. The format is broken into chunks with a specific length field for each. This length is controlled by the user and can be leveraged to expose an exploitable condition. This vulnerability could be exploited by a user opening a specially crafted .band file. The full details surrounding the vulnerability are available here and here.

Thursday, February 9, 2017

Cisco Coverage for 'Ticketbleed'

Vulnerability Details


A vulnerability (CVE-2016-9244) was recently disclosed affecting various F5 products due to the way in which the products handle Session IDs when the non-default Session Tickets option is enabled. By manipulating the Session IDs provided to affected products, an attacker could potentially leak up to 31 bytes of uninitialized memory. This vulnerability can be used to retrieve potentially sensitive information from affected devices such as SSL session IDs from other sessions, or the contents of uninitialized memory.

It is important to note that the number of bytes returned in the Ticketbleed attack is small (up to 31 bytes). This means that it would likely take a significant number of requests to successfully obtain sensitive information. Also, it does not appear that an attacker could predict or control the contents of memory that are returned when exploiting this vulnerability. F5 has released a Knowledge Base article (K05121675) describing which products are affected as well as mitigation instructions.

A full technical report disclosing the details of this vulnerability can be found here.

Coverage


The following Snort IDs have been released to detect this threat: 41547, 41548

Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Wednesday, February 8, 2017

Go RAT, Go! AthenaGo points “TorWords” Portugal

This post was authored by Edmund Brumaghin with contributions from Angel Villegas

Summary


Talos is constantly monitoring the threat landscape in an effort to identify changes in the way attackers are attempting to target organizations around the world. We identified a unique malware campaign that was distributed via malicious Word documents. The campaign appeared to be targeting victims in Portugal. The malware being distributed was interesting for a variety of reasons. As the author of this malware refers to it as "Athena" in their source code working directory and the fact that the C2 domain used by the malware begins with "athena", we have identified this malware as "AthenaGo". We were unable to locate a detailed analysis of this particular malware.

AthenaGo appears to be a Remote Access Trojan (RAT) that also features the capability to download and run additional binaries on infected systems when instructed to do so by an attacker. The malware was written using the Go programming language. Windows-based malware written in Go is not commonly seen in the wild. Additionally the command and control (C2) communications used by the malware made use of Tor2Web proxies, which is part of a trend of increased reliance on these proxying services by various malware authors. As this was an interesting/unique infection chain, Talos decided to examine the malware itself as well as the campaigns that were distributing it.

Tuesday, February 7, 2017

When A Pony Walks Out Of A Pub



This blog was authored by Warren Mercer and Paul Rascagneres.

Talos has observed a small email campaign leveraging the use of Microsoft Publisher files. These .pub files are normally used for the publishing of documents such as newsletters, allowing users to create such documents using familiar office functions such as mail merging. Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.

The file used in this campaign was aimed at infecting the victim with the, well known, Pony malware. Whilst Pony is well documented in technical capability it has not been known to use the .pub file format until now. Pony is a credential harvesting piece of malware with other trojan capabilities. In addition to credential harvesting, it is also commonly deployed as a malware loader and used to infect systems with additional malware in multi-stage infection chains. Pony is still used heavily as the sources of multiple Pony versions leaked thus making it much easier for other malicious actors to implement Pony into their infection chain.

Thursday, February 2, 2017

Vulnerability Spotlight - McAfee ePolicy Orchestrator DataChannel Blind SQL Injection Vulnerability

Discovered by Cisco Talos

Overview

Talos is today disclosing TALOS-2016-0229 / CVE-2016-8027. This is an exploitable blind SQL injection vulnerability exists within McAfee's ePolicy Orchestrator 5.3.0 that is accessible without user authentication. A specially crafted HTTP POST can allow an attacker to alter a SQL query which can result in information disclosure from within the database, or can allow the impersonation of a McAfee agent, which could reveal specific information related to that McAfee agent. An attacker can use any HTTP client to trigger this vulnerability.

McAfee have published their advisory for this vulnerability here.

Tuesday, January 31, 2017

Cisco Coverage for Shamoon 2

Shamoon is a type of destructive malware that has been previously associated with attacks against the Saudi Arabian energy sector we've been tracking since 2012. We've observed that a variant of Shamoon, identified as Shamoon 2, has recently been used against several compromised organizations and institutions. Talos is aware of the recent increase in Shamoon 2 activity and has responded to ensure our customers are protected. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

Propagation

Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.

Monday, January 30, 2017

EyePyramid: An Archaeological Journey

This post authored by Mariano Graziano and Paul Rascagneres

Summary


The last few days a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a preliminary report of the investigation. This malware is notable due to the targeting of Italian celebrities and politicians.

We conducted our analysis on one of the first public samples attributed to EyePyramid. Sources in the security community have described this malware campaign as unsophisticated, and the malware samples involved as uninteresting. However Talos was intrigued to determine just how EyePyramid managed to stay hidden under-the-radar for years.

Friday, January 27, 2017

Matryoshka Doll Reconnaissance Framework

This post authored by David Maynor & Paul Rascagneres with the contribution of Alex McDonnell and Matthew Molyett


Overview

Talos has identified a malicious Microsoft Word document with several unusual features and an advanced workflow, performing reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, as well as exploitation from a non-embedded Flash payload. This document targeted NATO members in a campaign during the Christmas and New Year holiday. Due to the file name, Talos researchers assume that the document targeted NATO members governments. This attack is also notable because the payload was swapped out with a large amount of junk data which was designed to create resource issues for some simplistic security devices.

Monday, January 23, 2017

Vulnerability Spotlight - LibBPG Image Decoding Code Execution

Discovered by Cisco Talos

Overview

Talos is disclosing TALOS-2016-0223 / CVE-2016-8710. An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be triggered via attempting to decode a crafted BPG image using libbpg.

Details

BPG (Better Portable Graphics) is an image format created in 2014 based on the HECV video compression standard. BPG has been praised for its ability to produce the same quality image as the well known JPEG format, but in a much smaller file size. Talos is disclosing the presence of a remote code execution vulnerability in the libbpg library which is widely used to support the file format. During the decoding of a BPG, in the `restore_tqb_pixels` function, an attacker controlled integer underflow can occur during the calculation of offsets for the `src` and `dst` operands of a `mempcy`. Because of the underflows, the resulting addresses passed to the `memcpy` are outside the bounds of the original heap structures, resulting in an out of bounds write condition. This vulnerability can be used to create a specially crafted BPG image file which results in remote code execution when opened with any application using a vulnerable version of the libbpg library. The full details surrounding the vulnerability are available here.

Friday, January 20, 2017

Vulnerability Spotlight: Adobe Acrobat Reader DC jpeg Decoder Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0259 / CVE-2017-2971 an uninitialized memory vulnerability in Adobe Acrobat Reader DC. Adobe Acrobat Reader is one of the largest and well known PDF readers available today. 

This particular vulnerability is associated with the JPEG Decoder functionality embedded in the application. A specially crafted PDF document containing a JPEG can be used to trigger this vulnerability which results in a heap-based buffer overflow which can be leveraged to achieve remote code execution. This issue has been resolved in the most recent patch provided by Adobe. The full details surrounding the vulnerability are available here.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 41298 - 41305

Wednesday, January 18, 2017

Without Necurs, Locky Struggles

This post authored by Nick Biasini with contributions from Jaeson Schultz

Locky has been a devastating force for the last year in the spam and ransomware landscape. The Locky variant of ransomware has been responsible for huge amounts of spam messages being sent on a daily basis. The main driver behind this traffic is the Necurs botnet. This botnet is responsible for the majority of Locky and Dridex activity. Periodically Necurs goes offline and during these periods we typically see Locky activity decrease drastically. One of these periods is currently ongoing.

The number of active IP addresses on the SpamCop BL illustrates the current lack of Necurs activity

Vulnerability Spotlight: Multiple Code Execution Vulnerabilities in Oracle Outside In Technology

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos.

Summary


Oracle's Outside In Technology (OIT) is a set of SDKs that software developers can use to perform various actions against a large number of different file formats. According to the OIT website: "Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats." Talos recently discovered vulnerabilities in the RTF and PDF parsers used by OIT that can be used to achieve arbitrary code execution on affected systems. Specially crafted files that leverage these parsers can be used to create conditions that could be leveraged by an attacker to obtain the ability to execute arbitrary code on affected systems.

Thursday, January 12, 2017

Vulnerability Spotlight: Exploiting the Aerospike Database Server

Vulnerabilities discovered by Talos

Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. Aerospike fixed these issues in  version 3.11.

The Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media. 

TALOS-2016-0264 (CVE-2016-9050) - Aerospike Database Server Client Message Memory Disclosure Vulnerability
TALOS-2016-0266 (CVE-2016-9052) - Aerospike Database Server Index Name Code Execution Vulnerability
TALOS-2016-0268 (CVE-2016-9054) - Aerospike Database Server Set Name Code Execution Vulnerability

Shadow Brokers Malware Coverage

The Shadow Brokers released what appears to be a series of windows rootkit components in a farewell message. The malware released included many Windows malware files that supposedly all trigger as either “equationdrug.generic” or “equationdrug.k”  by the Kaspersky security product.


The files are signed with the same key used previously for Equation Group malware which indicates that these files came from the same threat actor. Talos has convicted these files and will continue to monitor the situation for additional action.

Tuesday, January 10, 2017

Microsoft Patch Tuesday - January 2017

Happy New Year to our readers! Today marks the first Patch Tuesday of 2017 with Microsoft releasing their monthly set of bulletins designed to address security vulnerabilities. This month's release is relatively light with 4 bulletins addressing 3 vulnerabilities. Two bulletins are rated critical and address vulnerabilities in Office and Adobe Flash Player while the other two are rated important and address vulnerabilities Edge and the Local Security Authority Subsystem Service.

Bulletins Rated Critical

Microsoft bulletins MS17-002 and MS17-003 are rated critical.

MS17-002 addresses CVE-2017-0003, an arbitrary code execution vulnerability in Microsoft Office 2016. Specifically, Microsoft Word 2016 and Microsoft SharePoint Enterprise Server 2016 are affected. This vulnerability manifests in the way Office handles objects in memory. Exploitation of this flaw is achievable if, for example, a user opens a specifically crafted Word document received via email or downloaded from a site hosting a specifically crafted document.

Friday, January 6, 2017

Cisco Coverage for 'GRIZZLY STEPPE'

Over the past several weeks, there have been ongoing discussions regarding cyber attacks that have occurred against several political, governmental, and private sector entities in the United States. These discussions have revolved around allegations that these cyber attacks were designed to interfere with the 2016 U.S. Federal Elections as well as identifying who is responsible for these high-profile compromises. On December 29, 2016, the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a joint analysis report detailing some of the tools and infrastructure used by adversaries to compromise these institutions. The DHS-FBI joint report is referring to this activity as GRIZZLY STEPPE. Talos is aware of these discussions and reports of malicious activity associated with GRIZZLY STEPPE and has responded to ensure our customers are protected.

Coverage for GRIZZLY STEPPE is available through Cisco's security products, services, and open source technologies. The IP addresses listed in the DHS-FBI report have also been evaluated and applicable ones blacklisted. Note that Talos will continue to monitor for new developments to ensure our customers remain protected.