Friday, April 21, 2017

Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

Earlier this month, Talos responsibly disclosed a set of vulnerabilities in Moxa ICS wireless access points. While most of the vulnerabilities were addressed in the previous set of advisories, Talos has continued to work with Moxa to ensure all remaining vulnerabilities that Talos identified are patched. Today in coordination with Moxa, Talos is disclosing the TALOS-2016-0231, a hard-coded credential vulnerability that could allow an attacker to gain complete control of the device. Moxa has released a software update to address TALOS-2016-0231 and other bugs.

Threat Spotlight: Mighty Morphin Malware Purveyors: Locky Returns Via Necurs

This post was authored by Nick Biasini

Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. However, late in 2016 Locky distribution declined dramatically largely due to the slowdown of Necurs that occurred at the same time.

On April 21st, Talos observed the first large scale Locky campaign in months from Necurs. This campaign leveraged techniques associated with a recent Dridex campaign and is currently being distributed in very high volumes. Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky. This large wave of distribution has been attributed to the Necurs botnet which, until recently, had been focused on more traditional spam such as pump-and-dump spam, Russian dating spam, and work-from-home spam.

Threat Round-up for Apr 14 - Apr 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 14 and April 21. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Wednesday, April 19, 2017

Vulnerability Spotlight: ARM Mbedtls x509 ECDSA invalid public key Code Execution Vulnerability

Vulnerability Discovered by Aleksandar Nikolic

Overview

Talos is disclosing TALOS-2017-0274/CVE-2017-2784, a code execution vulnerability in ARM MbedTLS. This vulnerability is specifically related to how MbedTLS handles x509 certificates. MbedTLS is an SSL/TLS implementation aimed specifically at embedded devices that was previously known as PolarSSL. 

The vulnerability exists in the part of the code responsible for handling elliptic curve cryptography keys. An attacker can trigger this vulnerability by providing a specially crafted x509 certificate to the target which performs a series of checks on the certificate. While performing these checks the application fails to properly parse the public key. This results in the invalid free of a stack pointer. There is a mitigating factor associated with this vulnerability in that the memory space that is pointed to is zeroed out shortly before the vulnerability is triggered. However, since it's designed to be used in embedded platforms that may not have modern heap exploitation mitigations in place it may be possible to achieve code execution in certain circumstances.  Full details of the vulnerability are available in our advisory.

Tuesday, April 18, 2017

Vulnerability Spotlight: Information Disclosure Vulnerability in Lexmark Perceptive Document Filters

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos are today releasing a new vulnerability discovered within the Lexmark Perceptive Document Filters library. TALOS-2017-0302 allows for information disclosure using specifically crafted files.

Overview


The vulnerability is present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

Saturday, April 15, 2017

Cisco Coverage for Shadow Brokers 2017-04-14 Information Release

On Friday, April 14, the actor group identifying itself as the Shadow Brokers released new information containing exploits for vulnerabilities that affect various versions of Microsoft Windows as well as applications such as Lotus Domino. Additionally, the release included previously unknown tools, including an exploitation framework identified as "FUZZBUNCH." Preliminary analysis of the information suggested several of the released exploits were targeting zero-day vulnerabilities. Microsoft has released a statement regarding the newly released exploits targeting Windows and notes that most of them have been previously patched. Talos is aware of this new information disclosure and has responded to ensure our customers are protected from these threats.

Coverage for the exploits and tools disclosed by the Shadow Brokers is available through Cisco's security products, services, and open source technologies. In some cases, coverage for specific tools or vulnerabilities was already available prior to today's information release. In the cases of the exploits dubbed ETERNALCHAMPION and ETERNALBLUE, Talos had pre-existing coverage that detects attempts to exploit these vulnerabilities.

Friday, April 14, 2017

Threat Round-up for Apr 7 - Apr 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 7 and April 14. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Cisco Coverage for CVE-2017-0199

Over the past week, information regarding a serious zero-day vulnerability (CVE-2017-0199) in Microsoft Office was publically disclosed. Since learning of this flaw, Talos has been actively investigating the issue. Preliminary reports indicated that this vulnerability was actively being exploited in the wild and used to compromise hosts with Dridex, a well-known banking trojan.

On Tuesday, April 11, Microsoft released a patch for CVE-2017-0199. CVE-2017-0199 is an arbitrary code execution vulnerability in Microsoft Office which manifests due to improper handling of Rich Text Format (RTF) files. Exploitation of this flaw has been observed in email-based attacks where adversaries bait users to open a specifically crafted document attached to the message. Given that this vulnerability continues to be actively being exploited, Talos strongly recommends all customers patch as soon as possible.

Tuesday, April 11, 2017

Microsoft Patch Tuesday - April 2017

It’s that time again! Today we bring you April’s Microsoft Patch Tuesday information. These fixed vulnerabilities affect Outlook, Edge, Internet Explorer, Hyper-V, .NET, and Scripting Engine.


Monday, April 10, 2017

From Box to Backdoor: Discovering Just How Insecure an ICS Device is in Only 2 Weeks

This post was authored by Martin Lee and Warren Mercer, based on research conducted by Patrick DeSantis.

*blog post was updated with additional information for Day 4 on April 21. 

Industrial Control Systems provide stability to civilization. They clean our water, deliver our power, and enable the physical infrastructure that we have learnt to rely on. Industrial Control Systems are also highly prevalent in manufacturing. They're the robots who build your cars and assemble T.V's, they're the forklifts that ship your e-commerce purchases. As factories, utilities, and other industrial companies shift to a modern industrial infrastructure, it's vital that those processes and devices remain safe from attackers.

One key component in any ICS architecture is the access point which provides the connection between ICS devices and a industrial wireless network. Inspired by From LOW to PWNED we decided to take a look at one ICS wireless access point and see just how many vulnerabilities we could find in two weeks. The vulnerabilities listed in this post have been responsibly disclosed to Moxa. Moxa has released a software update that addresses most of these vulnerabilities. Additional updates will be forthcoming that will address TALOS-2017-0231.

Friday, April 7, 2017

Threat Round-up for Mar 31 - Apr 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, April 6, 2017

Hacking the Belkin E Series OmniView 2-Port KVM Switch

Author: Ian Payton, Security Advisory EMEAR

This post is available to download as a whitepaper.

Introduction


Too frequently security professionals only consider software vulnerabilities when considering the risks of connecting devices to their networks and systems. When it comes to considering potential risks of connected devices and the Internet of Things, not only must security professionals consider potential vulnerabilities in the software and firmware of these systems, but also physical vulnerabilities in hardware.

Tampering with hardware is method by which attacker can physically modify systems in order to introduce new malicious functionality, such as the ability to exfiltrate data without resorting to exploiting software based vulnerabilities.

Monday, April 3, 2017

Introducing ROKRAT

This blog was authored by Warren Mercer and Paul Rascagneres with contributions from Matthew Molyett.

Executive Summary


A few weeks ago, Talos published research on a Korean MalDoc. As we previously discussed this actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign. We identified a new campaign, again leveraging a malicious Hangul Word Processor (HWP) document. After analyzing the final payload, we determined the winner was… a Remote Administration Tool, which we have named ROKRAT.

Like in the previous post, the campaign started with a spear phishing email containing a malicious attachment, the HWP document. One of the identified emails was sent from the email server of Yonsei, a private university in Seoul. The address used in the email was 'kgf2016@yonsei.ac.kr' which is the contact email of the Korea Global Forum where the slogan in 2016 was "Peace and Unification of the Korean Peninsula". This fact gives more credit and legitimacy to the email.

The HWP document contained an embedded Encapsulated PostScript (EPS) object. As with our previous publication this again is zlib compressed and trivial to obtain. The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens.


Friday, March 31, 2017

Threat Round-up for Mar 24 - Mar 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Threat Spotlight: Sundown Matures

This post authored by Nick Biasini with contributions from Edmund Brumaghin and Alex Chiu

The last time Talos discussed Sundown it was an exploit kit in transition. Several of the large exploit kits had left the landscape and a couple of strong contenders remain. Sundown was one of the kits still active and poised to make a move, but lacked a lot of the sophistication of the other large kits and had lots of easy identifiers throughout its infection chain. Most of these identifiers have been stripped, new exploits added, and Talos was able to uncover an interesting campaign focused around the bulk purchase of expiring domains through auctions commonly held within the domain resellers market.

Wednesday, March 29, 2017

Vulnerability Spotlight: Exploiting Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability

Vulnerabilities discovered by Matthew Van Gundy from Cisco ASIG


Overview



As a member of the Linux Foundation Core Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified a series of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified a further vulnerabilities in the software. This vulnerability results in a denial of service attack against peers due to the origin timestamp check functionality. The attacker does not need to be authenticated in order to exploit the vulnerability.

The ntpd daemon uses the Network Time Protocol for clock synchronization between computer systems and as such, plays a vital role in maintaining system integrity.

Monday, March 27, 2017

Vulnerability Spotlight: Certificate Validation Flaw in Apple macOS and iOS Identified and Patched

Most people don't give much thought to what happens when you connect to your bank's website or log in to your email account. For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present "identification" showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information.

Due to the sensitive nature of this process, software vulnerabilities that adversely impact the security of certificate validation could have major consequences. Unfortunately, digital systems are complex and bugs are an inevitable reality in software development. Identifying vulnerabilities and responsibly disclosing them improves the security of the internet by eliminating potential attack vectors. Talos is committed to improving the overall security of the internet and today we are disclosing TALOS-2017-0296 (CVE-2017-2485), a remote code execution vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS. This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.

Friday, March 24, 2017

Threat Round-up for the Week of Mar 20 - Mar 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 23, 2017

How Malformed RTF Defeats Security Engines

This post is authored by Paul Rascagneres with contributions from Alex McDonnell

Executive Summary


Talos has discovered a new spam campaign used to infect targets with the well known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.

Despite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within in the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE:


This article explains how the malware author modified the RTF file in order to bypass security protection and frustrate malware researchers.


Wednesday, March 22, 2017

Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Vulnerability discovered by Cory Duplantis of Cisco Talos.

Overview


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability and a memory corruption vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW. National Instruments have released a patch, LabVIEW 2016 f2 which should be applied.

Monday, March 20, 2017

Necurs Diversifies Its Portfolio

The post was authored by Sean Baird, Edmund Brumaghin and Earl Carter, with contributions from Jaeson Schultz.

Executive Summary


The Necurs botnet is the largest spam botnet in the world. Over the past year it has been used primarily for the distribution of Locky ransomware and Dridex. Earlier this year, we wrote about how the Necurs botnet went offline and seemingly disappeared, taking most of the high volume Locky malspam with it. Talos recently identified a significant increase in the amount of spam emails originating from the Necurs botnet, indicating that it may have come back to life, but rather than distributing malware in the form of malicious attachments, it appears to have shifted back to penny stock pump-and-dump messages. This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.

Friday, March 17, 2017

Threat Round-up for the Week of Mar 13 - Mar 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Tuesday, March 14, 2017

Microsoft Patch Tuesday - March 2017

Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.

Friday, March 10, 2017

Threat Round-up for the Week of Mar 6 - Mar 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with our previous threat round-up, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 9, 2017

Vulnerability Spotlight: R - PDF LoadEncoding Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0227 / CVE-2016-8714 which is a buffer overflow vulnerability in the LoadEncoding functionality of the R programming language version 3.3.0. The R programming language is commonly used in statistical computing and is supported by the R Foundation for Statistical Computing. R is praised for having a large variety of statistical and graphical features. The vulnerability is specifically related to the creation of a PDF document.

Wednesday, March 8, 2017

Content-Type: Malicious - New Apache Struts2 0-day Under Attack

This post is authored by Nick Biasini

UPDATE: It was recently disclosed that in addition to Content-Type being vulnerable, both Content-Disposition and Content-Length can be manipulated to trigger this particular vulnerability. No new CVE was listed, however details of the vulnerability and remediation are available in this security advisory.

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.

Crypt0l0cker (TorrentLocker): Old Dog, New Tricks

This post is authored by Matthew Molyett, Holger Unterbrink and Paul Rascagneres.

Executive Summary

Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years. In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker (aka TorrentLocker or Teerac) ransomware. Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis. Several indicators inside the samples we have analysed point to a new major version of the malware. We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015. It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks. This post will also give you insights about the level of sophistication this malware has reached.

Tuesday, March 7, 2017

Vulnerability Spotlight: Pharos Vulnerabilities

Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with these vulnerabilities.

Pharos PopUp Printer is printing software that is widely used to manage multiple connections to a single printing point. Services that run with root privileges that are open to network connections are a tempting target for attackers. Talos is disclosing the presence of three code execution vulnerabilities and a denial of service vulnerability in the psnotifyd application of the Pharos PopUp printer client version 9.0

TALOS-2017-0280, TALOS-2017-0283 Code Execution Vulnerabilities (CVE-2017-2785, CVE-2017-2788)
TALOS-2017-0282 Memcpy Code Execution Vulnerability (CVE-2017-2787)
TALOS-2017-0281 DecodeString Denial of Service Vulnerability (CVE-2017-2786)

Friday, March 3, 2017

Malware Round-up For The Week of Feb 27 - Mar 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. Unlike our other posts, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 2, 2017

Covert Channels and Poor Decisions: The Tale of DNSMessenger

This post was authored by Edmund Brumaghin and Colin Grady

Executive Summary


The Domain Name System (DNS) is one of the most commonly used Internet application protocols on corporate networks. It is responsible for providing name resolution so that network resources can be accessed by name, rather than requiring users to memorize IP addresses. While many organizations implement strict egress filtering as it pertains to web traffic, firewall rules, etc. many have less stringent controls in place to protect against DNS based threats. Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.

Typically this use of DNS is related to the exfiltration of information. Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.

Ironically, the author of the malware called SourceFire out in the malware code itself shortly after we released Cisco Umbrella, a security product specifically designed to protect organizations from DNS and web based threats as described here.

Monday, February 27, 2017

Cisco Coverage for Smart Install Client Protocol Abuse


Summary


Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.

We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Iceni Argus PDF Content Extraction affect MarkLogic

Vulnerability discovered by Marcin ’Icewall’ Noga and a member of the Talos VulnDev team.


Overview

Talos has discovered multiple vulnerabilities in Iceni Argus PDF content extraction product. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim's machine. Although the main product is deprecated by Iceni, the library is still supported. Iceni has released a patched version that addresses these vulnerabilities. Nevertheless, the library is widely used; MarkLogic is an example of a product that uses Iceni Argus for PDF document conversion as part of their web based document search and rendering.

Friday, February 24, 2017

Vulnerability Deep Dive - Ichitaro Office Excel File Code Execution Vulnerability

This vulnerability was discovered by Cory Duplantis and another member of Cisco Talos


Overview


Vulnerabilities in word processing and office productivity suites are useful targets for exploitation by threat actors. Users frequently encounter file types used by these software suites in their day to day lives and may not question opening such files within an email or being prompted to download such a file from a website.

Some word processing software is widely used within communities using a specific language, but poorly known elsewhere. For example, Hancom's Hangul Word Processor is widely used within South Korea and Ichitaro Office suite from JustSystems is widely used in Japan and Japanese speaking communities. Exploiting vulnerabilities in these and similar word processing systems allows attackers to target their attacks to a specific country or to the linguistic community of their intended victims. Presumably, attackers may believe that exploits against these systems may be less likely to be discovered by security researchers who may lack the necessary software which the vulnerability exploits.

The recent discovery by Talos of a sophisticated attack exploiting Hangul Word Processor http://blog.talosintelligence.com/2017/02/korean-maldoc.html underlines the ability of attackers with the necessary technical skills to create malicious files that target local office productivity suite software.

Talos has discovered three vulnerabilities within the Ichitaro Office suite, one of the most popular word processors used in Japan.

We have no indication that any of the three vulnerabilities we discovered in Ichitaro Office suite, have been exploited in the wild. Nevertheless, all three lead to a state where arbitrary code can be executed. We have chosen one of these vulnerabilities to explain in more detail how such a vulnerability may be exploited and to demonstrate what remote code execution means by launching calc.exe as an example.

The advisory for this particular vulnerability can be found here http://www.talosintelligence.com/reports/TALOS-2016-0197

Vulnerability Spotlight: Multiple Ichitaro Office Vulnerabilities

These vulnerabilities were discovered by Cory Duplantis and another member of Cisco Talos

Talos has discovered three vulnerabilities within the Ichitaro Office suite. Ichitaro is published by JustSystems and is considered one of the more popular word processors used within Japan. All three vulnerabilities reported lead to code execution. These issues were initially reported to the vendor in September and it took them until February 23rd to address these issues.


TALOS-2016-0196 (CVE-2017-2789) - Ichitaro Office JTD Figure handling Code Execution Vulnerability
TALOS-2016-0197 (CVE-2017-2790) - Ichitaro Office Excel File Code Execution Vulnerability
TALOS-2016-0199 (CVE-2017-2791) - Ichitaro Word Processor PersistDirectory Code Execution Vulnerability

For a detailed technical analysis of how these issues may be exploited in the wild please refer to the writeup here.

Thursday, February 23, 2017

Korean MalDoc Drops Evil New Years Presents

This blog was authored by Warren Mercer and Paul Rascagneres.


Executive Summary


Talos has investigated a targeted malware campaign against South Korean users. The campaign was active between November 2016 and January 2017, targeting a limited number of people. The infection vector is a Hangul Word Processor document (HWP), a popular alternative to Microsoft Office for South Korean users developed by Hancom.

The malicious document in question is written in Korean with the following title:

5170101-17년_북한_신년사_분석.hwp (translation: 5170101-17 __ North Korea _ New Year _ analysis .hwp)
This document was alleged to be written by the Korean Ministry of Unification and included their logo as a footer on the document.

An interesting twist also came within the analysed malicious document as it attempts to download a file from an official Korean government website: kgls.or.kr (Korean Government Legal Service). The file downloaded is a binary masquerading as a jpeg file that is later executed as part of the infection. It's likely that the website was compromised by the attackers to try and legitimise the HTTP GET attempts for the final payload, this traffic would potentially not have looked unfamiliar for any system administrators.

The attackers' infrastructure appeared to be up for a few days at a time with no observed infrastructure re-use occurring. Unfortunately, the compromised sites were all either cleaned or removed by the attackers and Talos were unable to obtain the final payload. This level of operational security is common for sophisticated attackers.

Due to these elements it's likely that this loader has been designed by a well-funded group in order to target public sector entities in South Korea. Many of these techniques fit the profile of campaigns previously associated with attacks by certain government groups.


Tuesday, February 21, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in the Aerospike NoSQL Database Server

Vulnerabilities discovered by Talos

Talos is releasing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from Denial of Service to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. These issues have been addressed in version 3.11.1.1 of the Aerospike Database software. 

The Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media. 

TALOS-2016-0263 (CVE-2016-9049) - Aerospike Database Server  Fabric_Worker Socket-Loop Denial-of-Service Vulnerability
TALOS-2016-0265 (CVE-2016-9051) - Aerospike Database Server Client Batch Request Code Execution Vulnerability
TALOS-2016-0267 (CVE-2016-9053) - Aerospike Database Server RW Fabric Message Particle Type Code Execution Vulnerability

Thursday, February 16, 2017

Cisco Coverage for 'Magic Hound'

'Magic Hound' is the code name used to reference a seemingly limited series of malware distribution campaigns that were observed targeting organizations in Saudi Arabia as well as organizations with business interests in Saudi Arabia. Similar to other malware distribution campaigns that Talos has observed and documented, this series of campaigns made use of phishing emails containing links to malicious Word documents hosted on attacker controlled servers. When opened, the malicious documents display a message instructing the user to enable macros in an attempt to entice recipients to execute the attacker's scripts and download additional malware, thus infecting their systems. Unlike some of the more sophisticated campaigns seen in the wild, in the case of 'Magic Hound' the attackers made use of commodity malware and tools. This included tools such as IRC bots and Metasploit Meterpreter payloads as well as an open source Remote Administration Tool (RAT).

Talos is aware of this targeted campaign and we have responded to ensure that customers remain protected from 'Magic Hound' as well as other similar campaigns as they are identified and change over time.

Tuesday, February 14, 2017

Vulnerability Spotlight: Apple Garage Band Out of Bounds Write Vulnerability

Discovered by Tyler Bohan of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0262  (CVE-2017-2372) and TALOS-2017-0275  (CVE-2017-2374), an out of bounds write vulnerability in Apple GarageBand. GarageBand is a music creation program, allowing users to create and edit music easily and effectively from their Mac computer. GarageBand is installed by default on all Mac computers so there is a significant number of potential victims. This issue was partially resolved on 1/18/17 with a patch which addressed CVE-2017-2372, the patch released on 2/13/17 addressed CVE-2017-2374 resolving the issue.

This particular vulnerability is the result of the way the application parses the proprietary file format used for GarageBand files, .band. The format is broken into chunks with a specific length field for each. This length is controlled by the user and can be leveraged to expose an exploitable condition. This vulnerability could be exploited by a user opening a specially crafted .band file. The full details surrounding the vulnerability are available here and here.

Thursday, February 9, 2017

Cisco Coverage for 'Ticketbleed'

Vulnerability Details


A vulnerability (CVE-2016-9244) was recently disclosed affecting various F5 products due to the way in which the products handle Session IDs when the non-default Session Tickets option is enabled. By manipulating the Session IDs provided to affected products, an attacker could potentially leak up to 31 bytes of uninitialized memory. This vulnerability can be used to retrieve potentially sensitive information from affected devices such as SSL session IDs from other sessions, or the contents of uninitialized memory.

It is important to note that the number of bytes returned in the Ticketbleed attack is small (up to 31 bytes). This means that it would likely take a significant number of requests to successfully obtain sensitive information. Also, it does not appear that an attacker could predict or control the contents of memory that are returned when exploiting this vulnerability. F5 has released a Knowledge Base article (K05121675) describing which products are affected as well as mitigation instructions.

A full technical report disclosing the details of this vulnerability can be found here.

Coverage


The following Snort IDs have been released to detect this threat: 41547, 41548

Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Wednesday, February 8, 2017

Go RAT, Go! AthenaGo points “TorWords” Portugal

This post was authored by Edmund Brumaghin with contributions from Angel Villegas

Summary


Talos is constantly monitoring the threat landscape in an effort to identify changes in the way attackers are attempting to target organizations around the world. We identified a unique malware campaign that was distributed via malicious Word documents. The campaign appeared to be targeting victims in Portugal. The malware being distributed was interesting for a variety of reasons. As the author of this malware refers to it as "Athena" in their source code working directory and the fact that the C2 domain used by the malware begins with "athena", we have identified this malware as "AthenaGo". We were unable to locate a detailed analysis of this particular malware.

AthenaGo appears to be a Remote Access Trojan (RAT) that also features the capability to download and run additional binaries on infected systems when instructed to do so by an attacker. The malware was written using the Go programming language. Windows-based malware written in Go is not commonly seen in the wild. Additionally the command and control (C2) communications used by the malware made use of Tor2Web proxies, which is part of a trend of increased reliance on these proxying services by various malware authors. As this was an interesting/unique infection chain, Talos decided to examine the malware itself as well as the campaigns that were distributing it.

Tuesday, February 7, 2017

When A Pony Walks Out Of A Pub



This blog was authored by Warren Mercer and Paul Rascagneres.

Talos has observed a small email campaign leveraging the use of Microsoft Publisher files. These .pub files are normally used for the publishing of documents such as newsletters, allowing users to create such documents using familiar office functions such as mail merging. Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a 'Protected View' mode. This is a read only mode which can help end users remain protected from malicious document files. Microsoft Publisher is included and installed by default in Office 365.

The file used in this campaign was aimed at infecting the victim with the, well known, Pony malware. Whilst Pony is well documented in technical capability it has not been known to use the .pub file format until now. Pony is a credential harvesting piece of malware with other trojan capabilities. In addition to credential harvesting, it is also commonly deployed as a malware loader and used to infect systems with additional malware in multi-stage infection chains. Pony is still used heavily as the sources of multiple Pony versions leaked thus making it much easier for other malicious actors to implement Pony into their infection chain.

Thursday, February 2, 2017

Vulnerability Spotlight - McAfee ePolicy Orchestrator DataChannel Blind SQL Injection Vulnerability

Discovered by Cisco Talos

Overview

Talos is today disclosing TALOS-2016-0229 / CVE-2016-8027. This is an exploitable blind SQL injection vulnerability exists within McAfee's ePolicy Orchestrator 5.3.0 that is accessible without user authentication. A specially crafted HTTP POST can allow an attacker to alter a SQL query which can result in information disclosure from within the database, or can allow the impersonation of a McAfee agent, which could reveal specific information related to that McAfee agent. An attacker can use any HTTP client to trigger this vulnerability.

McAfee have published their advisory for this vulnerability here.

Tuesday, January 31, 2017

Cisco Coverage for Shamoon 2

Shamoon is a type of destructive malware that has been previously associated with attacks against the Saudi Arabian energy sector we've been tracking since 2012. We've observed that a variant of Shamoon, identified as Shamoon 2, has recently been used against several compromised organizations and institutions. Talos is aware of the recent increase in Shamoon 2 activity and has responded to ensure our customers are protected. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

Propagation

Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.

Monday, January 30, 2017

EyePyramid: An Archaeological Journey

This post authored by Mariano Graziano and Paul Rascagneres

Summary


The last few days a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a preliminary report of the investigation. This malware is notable due to the targeting of Italian celebrities and politicians.

We conducted our analysis on one of the first public samples attributed to EyePyramid. Sources in the security community have described this malware campaign as unsophisticated, and the malware samples involved as uninteresting. However Talos was intrigued to determine just how EyePyramid managed to stay hidden under-the-radar for years.

Friday, January 27, 2017

Matryoshka Doll Reconnaissance Framework

This post authored by David Maynor & Paul Rascagneres with the contribution of Alex McDonnell and Matthew Molyett


Overview

Talos has identified a malicious Microsoft Word document with several unusual features and an advanced workflow, performing reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, as well as exploitation from a non-embedded Flash payload. This document targeted NATO members in a campaign during the Christmas and New Year holiday. Due to the file name, Talos researchers assume that the document targeted NATO members governments. This attack is also notable because the payload was swapped out with a large amount of junk data which was designed to create resource issues for some simplistic security devices.

Monday, January 23, 2017

Vulnerability Spotlight - LibBPG Image Decoding Code Execution

Discovered by Cisco Talos

Overview

Talos is disclosing TALOS-2016-0223 / CVE-2016-8710. An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be triggered via attempting to decode a crafted BPG image using libbpg.

Details

BPG (Better Portable Graphics) is an image format created in 2014 based on the HECV video compression standard. BPG has been praised for its ability to produce the same quality image as the well known JPEG format, but in a much smaller file size. Talos is disclosing the presence of a remote code execution vulnerability in the libbpg library which is widely used to support the file format. During the decoding of a BPG, in the `restore_tqb_pixels` function, an attacker controlled integer underflow can occur during the calculation of offsets for the `src` and `dst` operands of a `mempcy`. Because of the underflows, the resulting addresses passed to the `memcpy` are outside the bounds of the original heap structures, resulting in an out of bounds write condition. This vulnerability can be used to create a specially crafted BPG image file which results in remote code execution when opened with any application using a vulnerable version of the libbpg library. The full details surrounding the vulnerability are available here.

Friday, January 20, 2017

Vulnerability Spotlight: Adobe Acrobat Reader DC jpeg Decoder Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0259 / CVE-2017-2971 an uninitialized memory vulnerability in Adobe Acrobat Reader DC. Adobe Acrobat Reader is one of the largest and well known PDF readers available today. 

This particular vulnerability is associated with the JPEG Decoder functionality embedded in the application. A specially crafted PDF document containing a JPEG can be used to trigger this vulnerability which results in a heap-based buffer overflow which can be leveraged to achieve remote code execution. This issue has been resolved in the most recent patch provided by Adobe. The full details surrounding the vulnerability are available here.

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 41298 - 41305

Wednesday, January 18, 2017

Without Necurs, Locky Struggles

This post authored by Nick Biasini with contributions from Jaeson Schultz

Locky has been a devastating force for the last year in the spam and ransomware landscape. The Locky variant of ransomware has been responsible for huge amounts of spam messages being sent on a daily basis. The main driver behind this traffic is the Necurs botnet. This botnet is responsible for the majority of Locky and Dridex activity. Periodically Necurs goes offline and during these periods we typically see Locky activity decrease drastically. One of these periods is currently ongoing.

The number of active IP addresses on the SpamCop BL illustrates the current lack of Necurs activity

Vulnerability Spotlight: Multiple Code Execution Vulnerabilities in Oracle Outside In Technology

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos.

Summary


Oracle's Outside In Technology (OIT) is a set of SDKs that software developers can use to perform various actions against a large number of different file formats. According to the OIT website: "Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats." Talos recently discovered vulnerabilities in the RTF and PDF parsers used by OIT that can be used to achieve arbitrary code execution on affected systems. Specially crafted files that leverage these parsers can be used to create conditions that could be leveraged by an attacker to obtain the ability to execute arbitrary code on affected systems.

Thursday, January 12, 2017

Vulnerability Spotlight: Exploiting the Aerospike Database Server

Vulnerabilities discovered by Talos

Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. Aerospike fixed these issues in  version 3.11.

The Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media. 

TALOS-2016-0264 (CVE-2016-9050) - Aerospike Database Server Client Message Memory Disclosure Vulnerability
TALOS-2016-0266 (CVE-2016-9052) - Aerospike Database Server Index Name Code Execution Vulnerability
TALOS-2016-0268 (CVE-2016-9054) - Aerospike Database Server Set Name Code Execution Vulnerability

Shadow Brokers Malware Coverage

The Shadow Brokers released what appears to be a series of windows rootkit components in a farewell message. The malware released included many Windows malware files that supposedly all trigger as either “equationdrug.generic” or “equationdrug.k”  by the Kaspersky security product.


The files are signed with the same key used previously for Equation Group malware which indicates that these files came from the same threat actor. Talos has convicted these files and will continue to monitor the situation for additional action.

Tuesday, January 10, 2017

Microsoft Patch Tuesday - January 2017

Happy New Year to our readers! Today marks the first Patch Tuesday of 2017 with Microsoft releasing their monthly set of bulletins designed to address security vulnerabilities. This month's release is relatively light with 4 bulletins addressing 3 vulnerabilities. Two bulletins are rated critical and address vulnerabilities in Office and Adobe Flash Player while the other two are rated important and address vulnerabilities Edge and the Local Security Authority Subsystem Service.

Bulletins Rated Critical

Microsoft bulletins MS17-002 and MS17-003 are rated critical.

MS17-002 addresses CVE-2017-0003, an arbitrary code execution vulnerability in Microsoft Office 2016. Specifically, Microsoft Word 2016 and Microsoft SharePoint Enterprise Server 2016 are affected. This vulnerability manifests in the way Office handles objects in memory. Exploitation of this flaw is achievable if, for example, a user opens a specifically crafted Word document received via email or downloaded from a site hosting a specifically crafted document.

Friday, January 6, 2017

Cisco Coverage for 'GRIZZLY STEPPE'

Over the past several weeks, there have been ongoing discussions regarding cyber attacks that have occurred against several political, governmental, and private sector entities in the United States. These discussions have revolved around allegations that these cyber attacks were designed to interfere with the 2016 U.S. Federal Elections as well as identifying who is responsible for these high-profile compromises. On December 29, 2016, the United States Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a joint analysis report detailing some of the tools and infrastructure used by adversaries to compromise these institutions. The DHS-FBI joint report is referring to this activity as GRIZZLY STEPPE. Talos is aware of these discussions and reports of malicious activity associated with GRIZZLY STEPPE and has responded to ensure our customers are protected.

Coverage for GRIZZLY STEPPE is available through Cisco's security products, services, and open source technologies. The IP addresses listed in the DHS-FBI report have also been evaluated and applicable ones blacklisted. Note that Talos will continue to monitor for new developments to ensure our customers remain protected.