Tuesday, October 31, 2017

Vulnerability Spotlight: The Circle of a Bug’s Life

Overview


Cisco Talos is disclosing several vulnerabilities identified in Circle with Disney. Circle with Disney is a network device designed to monitor the Internet use of children on a given network. Circle pairs wirelessly, with your home Wi-Fi and allows you to manage every device on the network, tablet, TV, or laptop. It can also pair via ethernet after the initial pairing. Using an iOS or Android app, families create unique profiles for every member of the home and from there, help shape each person's online experience.

The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication. Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.

Through these exploitable vulnerabilities a malicious attacker could gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands , install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.

Vulnerability Spotlight: Multiple Vulnerabilities in Cesanta Mongoose Server

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Cesanta Mongoose server.

Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses.
All these discovered vulnerabilities are fixed in version 6.10 of the library.

Friday, October 27, 2017

Threat Round Up for Oct 20 - Oct 27

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between October 20 and October 27. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 26, 2017

Vulnerability Spotlight: Apache OpenOffice Vulnerabilities

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos

Overview

Today, Talos is releasing details of three new vulnerabilities discovered within Apache OpenOffice application. The first vulnerability, TALOS-2017-0295 within OpenOffice Writer, the second TALOS-2017-0300 in the Draw application, and the third TALOS-2017-0301 discovered in the Writer application. All three vulnerabilities allow arbitrary code execution to be performed.

Tuesday, October 24, 2017

Threat Spotlight: Follow the Bad Rabbit

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

Update 2017-10-26 16:10 EDT: added additional information regarding the links between Nyetya and BadRabbit

Update 2017-10-26 09:20 EDT: added additional information regarding the EternalRomance exploit

Update 2017-10-25: added additional information regarding encryption and propagation methods

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.

There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

Sunday, October 22, 2017

“Cyber Conflict” Decoy Document Used In Real Cyber Conflict

This post was authored by Warren Mercer, Paul Rascagneres and Vitor Ventura

Update 10/23: CCDCOE released a statement today on their website

Introduction


Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference. CyCon US is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security. Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications (VBA) macro.

The VBA drops and executes a new variant of Seduploader. This reconnaissance malware has been used by Group 74 for years and it is composed of 2 files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys... We assume that these modifications were performed to avoid detection based on public IOCs.

The article describes the malicious document and the Seduploader reconnaissance malware, especially the difference with the previous versions.

Thursday, October 19, 2017

Vulnerability Spotlight: Google PDFium Tiff Code Execution

Overview


Talos is disclosing a single off-by-one read/write vulnerability found in the TIFF image decoder functionality of PDFium as used in Google Chrome up to and including version 60.0.3112.101. Google Chrome is the most widely used web browser today and a specially crafted PDF could trigger the vulnerability resulting in memory corruption, possible information leak, and potential code execution. This issue has been fixed in Google Chrome version 62.0.3202.62.

Wednesday, October 18, 2017

Beers with Talos EP 15: Landing a Job, Phishing Midstream, and Paul’s IDA Palette



Beers with Talos (BWT) Podcast Episode 15 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP15 Show Notes: 

In this EP, we take on interviewing and finding a job with technical questions and tests (hint: don’t oversell yourself, and make sure your mute button actually works). We also talk about enabling users with security as opposed to hobbling them. When Craig brings up the Google Home Mini beta test issues, he ends up taking a ration over his choices in handling the situation. We also discuss some clever new phishing techniques that insert malware links *mid-conversation* with a trusted party.

Spoiler alert: Joel turns out to be an Apple apologist.  Make sure to subscribe on iTunes, Google Play, or Stitcher to make sure you don't miss an episode!

Friday, October 13, 2017

Threat Round Up for Oct 6 - Oct 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between October 6 and October 13. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 12, 2017

Disassembler and Runtime Analysis

This post was authored by Paul Rascagneres.

Introduction


In the CCleaner 64bit stage 2 previously described in our blog, we explained that the attacker modified a legitimate executable that is part of "Symantec Endpoint". This file is named EFACli64.dll. The modification is performed in the runtime code included by the compiler, more precisely in the __security_init_cookie() function. The attacker modified the last instruction to jump to the malicious code. The well-known IDA Pro disassembler has trouble displaying the modification as we will show later in this post. Finally, we will present a way to identify this kind of modification and the limitation in this approach.

Wednesday, October 11, 2017

Spoofed SEC Emails Distribute Evolved DNSMessenger

This post was authored by Edmund Brumaghin, Colin Grady, with contributions from Dave Maynor and @Simpo13.


Executive Summary


Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server.

We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain. The spear phishing emails were spoofed to make them appear as if they were sent by the Securities and Exchange Commission (SEC) in an attempt to add a level of legitimacy and convince users to open them. The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate.

Tuesday, October 10, 2017

Microsoft Patch Tuesday - October 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.

Vulnerability Spotlight: Arbitrary Code Execution Bugs in Simple DirectMedia Layer Fixed

Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP.

An attacker could compromise a user by exploiting one of these vulnerabilities via a specifically crafted file that SDL would handle, such as a XCF file.

Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.

Wednesday, October 4, 2017

Vulnerability Spotlight: Multiple vulnerabilities in Computerinsel Photoline

These vulnerabilities are discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of multiple vulnerabilities discovered within the Computerinsel GmbH PhotoLine image processing software. PhotoLine, developed by Computerinsel GmbH, is a well established raster and vector graphics editor for Windows and Mac OS X that can also be used for desktop publishing.

TALOS-2017-0387 (CVE-2017-2880). TALOS-2017-0427 (CVE-2017-2920), TALOS-2017-0458 (CVE-2017-12106) and TALOS-2017-0459 (CVE-2017-12107) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted image file is opened by the PhotoLine image processing software.

Tuesday, October 3, 2017

Beers with Talos EP14: Ranking Threats and Avoiding Bush League Breach Response



Beers with Talos (BWT) Podcast Episode 14 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP14 Show Notes: 

We haven’t gone around the table and introduced ourselves in some time (about 50k downloads ago), so we take the time we usually complain about things at the top of the show to do that.

We have seen a massive amount of “top-tier” threats in the last six months or so. While it might seem like comparing apples and oranges (hint: it is), the crew takes a stab at ranking these recent threats/attacks: CCleaner, Deloitte, Equifax, Nyetya, SEC, Shamoon2, WannaCry. Shockingly, all of us have a different ranking. What’s your list look like?

Regarding response: Consistency matters, don’t be clever. We discuss some recent unbelievably boneheaded things we have seen in security response. More importantly, we discuss how one SHOULD respond to an incident.

Remember: Complexity kills. Unfortunately, it doesn’t kill thought leaders.