Wednesday, September 20, 2017

CCleaner Command and Control Causes Concern

This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams.

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

Introduction


Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.


Interestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

Beers with Talos EP 13:A Vast CCleanup, Strutting Your Stuff, and the Ex$ploit Economy



Beers with Talos (BWT) Podcast Episode 13 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

Beers with Talos is a fast-paced, smart, and humorous podcast focused on security research topics. Staying abreast of security topics is difficult in this rapidly evolving threat landscape. Beers with Talos serves important security stories in a way that is understandable, engaging, and fun to researchers, executives, and security n00bs alike.

EP13 Show Notes: 

Struts - when to patch and when to patch with a vengeance. In light of the Equifax breach, we discuss how patching can make you live better days, Never look back and say, Could have been me. Naturally, that convo leads into the biggest story of the week around Pwning the Supply Chain - CCleaner, Python, and Nyetya style. Avast made some mistakes, but every tech company is susceptible to supply chain attacks. What can companies do to protect themselves and how can users adopt a stronger security posture in this area? We also talk Ex$ploit Economy - Valuing exploits by supply and demand. Zerodium has an extensive price list, what can we discern about the availability and difficulty of various exploits using basic economics?

Monday, September 18, 2017

CCleanup: A Vast Number of Machines at Risk

This post was authored by: Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams

Update 9/18: CCleaner Cloud version 1.07.3191 is also reported to be affected
Update 9/19: This issue was discovered and reported by both Morphisec and Cisco in separate in-field cases and reported separately to Avast.
Update 9/19: There has been some confusion on how the DGA domains resolve.
The fallback command and control scheme in use by the CCBkdr involves:
1. Generating a Monthly Domain name (all of which are controlled by Talos for 2017)
2. Request the A records for the domain.
3. 16 bits of the true destination IP are encoded in the first A record, 16 bits are encoded in the second A record
4. The true destination IP is then computed and connected to.
To control the connections Talos has to create two IPs such that they can be fed into the application to resolve to the sinkhole IP.
32 bits of random data were generated. 16 bits of that were combined with 16 bits of the destination address to create the first A record. The remaining 16 random bits were combined with the remaining bits of the destination address to create the second A record.
The resulting two A record IP addresses were then assigned to the DNS configuration.
There was no analysis performed on the selected addresses beyond that they could be combined to create the destination.
Update 9/20: Continued research on C2 and payloads can be found here: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

Introduction

 

Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Luckily with tools like AMP the additional visibility can usually help direct attention to the initial vector.

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

Friday, September 15, 2017

Threat Round Up For Sept 8 - Sept 15

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 08 and September 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 14, 2017

Beers with Talos EP12 - IrmaGerd! The Internet Ate Our Podcast!


Beers with Talos (BWT) Podcast Episode 12 is now available.  Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

Beers with Talos is a fast-paced, smart, and humorous podcast focused on security research topics. Staying abreast of security topics is difficult in this rapidly evolving threat landscape. Beers with Talos serves important security stories in a way that is understandable, engaging, and fun to researchers, executives, and security n00bs alike.

EP12 Show Notes: 

Matt runs the ship this week in Mitch’s absence. Craig and Nigel are joined by Bill Largent and Joel was… in a meeting? The crew discusses ambulance chasing and crying wolf in the security industry and also what the security press is doing to perpetuate questionable reporting. We also chat at length about what exactly goes into vulnerability discovery, chaining exploits, and the months of work to get to those “12 seconds” of glory at Pwn2Own.

Did we mention the internet ate our last podcast? Sorry about that. We do our best to make up for missing a week this time. But man, that was a great episode you missed…

Deep Dive in MarkLogic Exploitation Process via Argus PDF Converter

This post authored by Marcin Noga with contributions from William Largent



Talos discovers and responsibly discloses software vulnerabilities on a regular basis. Occasionally we publish a deep technical analysis of how the vulnerability was discovered or its potential impact. In a previous post Talos took a deep dive into Lexmark Perceptive Document Filters, in this post we are going to focus on another converter used by MarkLogic located in `Converters/cvtpdf` folder, which is responsible for converting pdf to XML-based formats - Argus PDF. This blog will cover the technical aspects including discovery and exploitation process via the Argus PDF converter.

Vulnerability Spotlight: YAML Parsing Remote Code Execution Vulnerabilities in Ansible Vault and Tablib

Vulnerabilities discovered by Cory Duplantis of Talos.

Talos is disclosing the presences of remote code execution vulnerabilities in the processing of Yet Another Markup Language (YAML) content in Ansible Vault and Tablib. Attackers can exploit these vulnerabilities through supplying malicious YAML content to execute arbitrary commands on vulnerable systems.

Overview


YAML is a data serialisation markup format which is designed to be readable for humans yet easily parsed by machines. Many tools and libraries have been developed to parse YAML data. The Python YAML parsing library PyYAML provides two API calls to parse YAML data: yaml.load and yaml.safe_load. The former API does not correctly sanitise YAML input which allows attackers to embed Python code to be executed within YAML content.

Applications which include the PyYAML library and call yaml.load and not yaml.safe_load are vulnerable to remote code execution vulnerabilities.

Wednesday, September 13, 2017

Vulnerability Spotlight: LibOFX Tag Parsing Code Execution Vulnerability

This vulnerability was discovered by Cory Duplantis of Talos

Update 9/20/2017: A patch is now available to fix this issue.

Overview


LibOFX is an open source implementation of OFX (Open Financial Exchange) an open format used by financial institutions to share financial data with clients. As an implementation of a complex standard, this library is used by financial software such as GnuCash. Talos has discovered an exploitable buffer overflow in the implementation: a specially crafted OFX file can cause a write out of bounds resulting in code execution. This vulnerability is not currently patched and Talos has not received a response from the developers within the period specified by the Vendor Vulnerability Reporting and Disclosure Policy.

Tuesday, September 12, 2017

Microsoft Patch Tuesday - September 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 81 new vulnerabilities with 27 of them rated critical, 52 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Office, Remote Desktop Protocol, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.

Note that the Bluetooth vulnerabilities known as "BlueBorne" that affected Windows have been patched in this latest release. For more information, please refer to CVE-2017-8628.

Monday, September 11, 2017

Vulnerability Spotlight: TALOS-2017-0430/0431: Multiple Vulnerabilities in FreeXL Library


Vulnerability discovered by Marcin Noga of Cisco Talos

Overview

Talos has discovered two remote code execution vulnerabilities in the the FreeXL library. FreeXL is an open source C library to extract valid data from within an Excel (.xls) spreadsheet. Exploiting these vulnerabilities can potentially allow an attacker to execute arbitrary code on the victim's machine. If an attacker builds a specially crafted XLS (Excel) file and the victim opens it with an application using the FreeXL library, the attackers code will be executed with the privileges of the local user.

Thursday, September 7, 2017

Another Apache Struts Vulnerability Under Active Exploitation

This post authored by Nick Biasini with contributions from Alex Chiu.

Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.

This isn't the only vulnerability that has been recently identified in Apache Struts. Earlier this year, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.

Wednesday, September 6, 2017

Vulnerability Spotlight: Content Security Policy bypass in Microsoft Edge, Google Chrome and Apple Safari

The vulnerabilities were discovered by Nicolai Grødum of Cisco.

Today, Talos is releasing details of vulnerabilities discovered in Microsoft Edge browser as well as older versions of Google Chrome (CVE-2017-5033) and browsers based on the Webkit such as Apple Safari (CVE-2017-2419) . An attacker may be able to exploit the vulnerabilities and bypass the Content Security Policy set by the server which may lead to disclosure of confidential information. Microsoft stated that this is by design and has declined to patch this issue.

Tuesday, September 5, 2017

Graftor - But I Never Asked for This…

This post is authored by Holger Unterbrink and Matthew Molyett

Overview

Free software often downloaded from large freeware distribution sites is a boon for the internet, providing users with functionality that otherwise they would not be able to use. Often users, happy that they are getting something free, fail to pay attention to the hints in the licence agreement that they are receiving additional software services bundled with the freeware they desire.
Graftor aka LoadMoney adware dropper is a potentially unwanted program often installed as part of freeware software installers. We wanted to investigate the effects this software has on a user’s system. According to the analysis performed in our sandbox, Graftor and the associated affiliate files it downloads perform the following functions:

  • Hijacks the user's browser and injects advertising banners
  • Installs other potentially unwanted applications from partners like mail.ru
  • It does not ask the user, it just silently installs these programs
  • Random web page text is turned into links
  • Adds Desktop and Browser Quick Launch links
  • User’s homepage is changed
  • User’s search provider is changed
  • Partner adware is executed and it social engineers the user to install further software
  • Checks for installed AV software
  • Checks for sandbox environments
  • Anti-Analysis protection
  • Unnecessary API calls to overflow sandbox environments
  • Creates/Modifies system certificates

Friday, September 1, 2017

Threat Round Up for Aug 25 - Sep 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 25 and September 1. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.