Thursday, August 31, 2017

Back to Basics: Worm Defense in the Ransomware Age

This post was authored by Edmund Brumaghin

"Those who cannot remember the past are condemned to repeat it." - George Santayana

The Prequel

In March 2017, Microsoft released a security update for various versions of Windows, which addressed a remote code execution vulnerability affecting a protocol called SMBv1 (MS17-010). As this vulnerability could allow a remote attacker to completely compromise an affected system, the vulnerability was rated "Critical" with organizations being advised to implement the security update. Additionally, Microsoft released workaround guidance for removing this vulnerability in environments that were unable to apply the security update directly. At the same time, Cisco released coverage to ensure that customers remained protected.

The following month, April 2017, a group publishing under the moniker "TheShadowBrokers" publicly released several exploits on the internet. These exploits targeted various vulnerabilities including those that were addressed by MS17-010 a month earlier. As is always the case, whenever new exploit code is released into the wild, it becomes a focus of research for both the information security industry as well as cybercriminals. While the good guys take information and use it for the greater good by improving security, cybercriminals also take the code and attempt to find ways to leverage it to achieve their objectives, whether that be financial gain, to create disruption, etc.

Wednesday, August 30, 2017

Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities


Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted TIFF or JPEG image and entices the victim to open it, the attackers code will be executed with the privileges of the local user. 

Tuesday, August 29, 2017

Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Vulnerability discovered by Cory Duplantis of Cisco Talos.

Update: 9/1/17 - National Instruments has published the following advisory


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a potential code execution vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW.

Beers with Talos EP11 - This is How the World Ends, Not with a Whimper but with Cyber Mercenaries

Beers with Talos (BWT) Podcast Episode 11 is now available.  Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing:

Beers with Talos is a fast-paced, smart, and humorous podcast focused on security research topics. Staying abreast of security topics is difficult in this rapidly evolving threat landscape. Beers with Talos serves important security stories in a way that is understandable, engaging, and fun to researchers, executives, and security n00bs alike.

EP11 Show Notes: 

Better late than never? On top of being distributed all around the planet this week, we had some technical issues with our recording platform that created a nice audio jigsaw puzzle to solve. Matt’s audio remained a challenge; it is rough this week. Bear with us, the audio quality will be back to what you have come to expect next episode. If you would like to speak to the manager, please hold.

The last several years have seen a continuing surge in booters, DDOS, and combined exploit campaigns for-hire coming out of Asia and other regions. What does this tell us about the continued “professionalization” of the cyber criminal enterprise? What happens now that the playing field is leveled and launching these attacks requires nothing more than a few hundred USD in cryptocurrency?

Monday, August 28, 2017

Vulnerability Spotlight: Lexmark Perceptive Document Filters Code Execution Bugs


Talos is disclosing a pair of code execution vulnerabilities in Lexmark Perceptive Document Filters. Perceptive Document Filters are a series of libraries that are used to parse massive amounts of different types of file formats for multiple purposes. Talos has previously discussed in detail these filters and how they operate. The software update to resolve these vulnerabilities can be found here.

Friday, August 18, 2017

Threat Round-up for Aug 11 - Aug 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 11 and August 18. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center,, or

Tuesday, August 15, 2017

Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms

This post was authored by Dave Liebenberg

In the past few months, Talos has observed an uptick in the number of Chinese websites offering online DDoS services. Many of these websites have a nearly identical layout and design, offering a simple interface in which the user selects a target’s host, port, attack method, and duration of attack. In addition, the majority of these sites have been registered within the past six months. However, the websites operate under different group names and have different registrants. In addition, Talos has observed administrators of these websites launching attacks on one another. Talos sought to research the actors responsible for creating these platforms and analyze why they have become more prevalent lately.

In this blog post, we will begin by looking at the DDoS industry in China and charting the shift toward online DDoS platforms. Then we will examine the types of DDoS platforms created recently, noting their similarities and differences. Finally, we will look into the source code likely responsible for the recent increase in these nearly identical DDoS websites.

Monday, August 14, 2017

When combining exploits for added effect goes wrong


Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.

In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.

Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.

Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.

Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn’t quite work out, or it may be indication of future attacks yet to materialise.

Wednesday, August 9, 2017

WinDBG and JavaScript Analysis

This blog was authored by Paul Rascagneres.


JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of using WinDBG to describe the analysis of JavaScript using the 64 bit version of wscript.exe. It is strongly recommended to read our previous article first.

Tuesday, August 8, 2017

Microsoft Patch Tuesday - August 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.

Vulnerability Spotlight: Adobe Reader DC Parser Confusion

Parser vulnerabilities in common software packages such as Adobe Acrobat Reader pose a significant security risk to large portions of the internet. The fact that these software packages typically have a large footprints often gives attackers a broad attack surface they can potentially leverage for malicious purposes. Thus, identifying vulnerabilities and responsibly disclosing them is critical to eliminating attack vectors that may otherwise be exploited.

Today, Talos is disclosing a vulnerability that has been identified in Adobe Acrobat Reader DC. The vulnerability, if exploited, could lead to arbitrary code execution on affected devices. As part of the coordinated effort to responsibly disclose the vulnerability, Adobe has released a software update that addresses the vulnerability. Additionally, Talos has developed Snort rules that detect attempts to exploit the flaw.

Monday, August 7, 2017

On Conveying Doubt

This post was authored by Matt Olney.

Typically, Talos has the luxury of time when conducting research. We can carefully draft a report that clearly lays out the evidence and leads the reader to a clear understanding of our well supported findings. A great deal of time is spent ensuring that the correct words and logical paths are used so that we are both absolutely clear and absolutely correct.  Frequently, the goal is to inform and educate readers about specific threats or techniques.

There are times, however, when we are documenting our research in something very close to real-time. The recent WannaCry and Nyetya events are excellent examples of this. Our goal changes here, as does our process. Here we are racing the clock to get accurate, impactful, and actionable information to help customers react even while new information is coming in.

In these situations, and in certain other kinds of investigations, it is necessary for us to talk about something when we aren’t 100% certain we are correct.  I’ll provide two examples from our Nyetya blog posts:

Friday, August 4, 2017

Threat Round-up for July 28 - August 4

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 28 and August 04. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center,, or

Vulnerability Spotlight: Kakadu SDK Vulnerabilities

Vulnerabilities discovered by Aleksandar Nikolic and Tyler Bohan of Cisco Talos.

Today, Talos is disclosing multiple vulnerabilities that have been identified in the Kakadu JPEG 2000 SDK. The vulnerabilities manifest in a way that could be exploited if a user opens a specifically crafted JPEG 2000 file. Talos has coordinated with Kakadu to ensure relevant details regarding the vulnerabilities have been shared. In addition, Talos has developed Snort Rules that can detect attempts to exploit these flaws.

Thursday, August 3, 2017

Taking the FIRST look at Crypt0l0cker

This post is authored by Matthew Molyett.

Executive Summary

In March, Talos reported on the details of Crypt0l0cker based on an extensive analysis I carried out on the sample binaries. Binaries -- plural -- because, as noted in the original blog, the Crypt0l0cker payload leveraged numerous executable files which shared the same codebase. Those executables had nearly identical functions in each, but identifying all of those functions repeatedly is tedious and draws time away from improving the analysis. Enter FIRST, the Function Identification and Recovery Signature Tool released by Talos in December 2016.

FIRST allowed me to port my analysis from the unpacking dll to the payload file instantly. Once I was satisfied my analysis across both files, I was then handed a suspected previous version of the sample. FIRST was able to identify similar code across the versions and partially port the analysis back to the older file. When the next version of Crypt0l0cker comes out, I will be able to get a jump on my analysis by using FIRST to port that work forward to the similar code. You can use it to port my work to your sample as well. I will demonstrate doing just that with a Crypt0l0cker sample which appeared on VirusTotal in April 2017, more than a month after the Talos blog about it. There has been no targeted analysis of this file to provide background for this post.

Locating the Sample

Procuring a malware sample of a known family without analyzing it can feel like a heavy challenge to overcome. Thankfully, Talos can leverage Threat Grid sandbox reports of suspected malware samples that we receive. Such reports can be scanned for family IOCs. Per our previous analysis into Crypt0l0cker, the infection status of that version is stored in a file named ewiwobiz. By searching Cisco Threat Grid telemetry for files which created ewiwobiz, I identified a file which was probably a Crypt0l0cker executable.

Wednesday, August 2, 2017

Vulnerability Spotlight: EZB Systems UltraISO ISO Parsing Code Execution Vulnerability

Discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the EZB Systems UltraISO ISO disk image creator software. TALOS-2017-0342 (CVE-2017-2840) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the UltraISO software.


The vulnerability is present in the EZB Systems UltraISO software, an ISO CD/DVD image file creating/editing/converting tool and a bootable CD/DVD maker. UltraISO can directly edit the CD/DVD image file and extract files and folders from it, as well as directly make ISO files from a CD/DVD-ROM or hard drive.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.