Thursday, November 30, 2017

Vulnerability Walkthrough: 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability

This blog post was authored by Marcin Noga of Cisco Talos.

Introduction


In 2016 Talos released an advisory for CVE-2016-2334, which was a remote code execution vulnerability affecting certain versions of 7zip, a popular compression utility. In this blog post we will walk through the process of weaponizing this vulnerability and creating a fully working exploit that leverages it on Windows 7 x86 with the affected version of 7zip (x86 15.05 beta) installed.

Tuesday, November 28, 2017

ROKRAT Reloaded

This post was authored by Warren Mercer, Paul Rascagneres and with contributions from Jungsoo An.

Executive Summary


Earlier this year, Talos published 2 articles concerning South Korean threats. The first one was about the use of a malicious HWP document which dropped downloaders used to retrieve malicious payloads on several compromised websites. One of the website was a compromised government website. We named this case "Evil New Years". The second one was about the analysis and discovery of the ROKRAT malware.

This month, Talos discovered a new ROKRAT version. This version contains technical elements that link the two previous articles. This new sample contains code from the two publications earlier this year:

  • It contains the same reconnaissance code used;
  • Similar PDB pattern that the "Evil New Years" samples used;
  • it contains the same cloud features and similar copy-paste methods that ROKRAT used;
  • It uses cloud platform as C&C but not exactly the same. This version uses pcloud, box, dropbox and yandex.

Wednesday, November 22, 2017

Talos Wins The 5th Volatility Plugin Contest With Pyrebox


Talos has won this year's 5th Volatility plugin contest with Pyrebox. Volatility is a well-known open-source framework designed to analyze operating system memory. The framework has existed since 2007. For the previous 5 years they have run a plugin contest to find the most innovative, interesting, and useful extensions for the Volatility framework. Pyrebox is an open-source Python scriptable Reverse Engineering sandbox developed by Talos. Based on QEMU, its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. In this context, Pyrebox is able to interact with Volatility in order to collect information from the memory of the analysed system.

Tuesday, November 21, 2017

Beers with Talos EP 17: Greek Gods, Trojans, and the Spice Girls as Spirit Animals



Beers with Talos (BWT) Podcast Episode 17 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP17 Show Notes: 

Matt hijacks the Roundtable to tell us which Spice Girl each host is, because where else does a PR gimmick from KFC lead? Also, what’s worse than clicking a search result and getting a slideshow listicle? Getting a trojan payload when searching for banking forms (but that is the only thing that is worse - ARE YOU LISTENING BUZZFEED?). We also discuss the misnaming of troll farms and how patching and proper network segmentation are your friends - unlike anyone who publishes clickbait slideshows - STILL LOOKING AT YOU, BUZZFEED)

For your consideration - Did Joel intentionally break the uploader to delay the episode by several days? Why would he do such a thing?  Discuss.
Make sure to subscribe on iTunes, Google Play, or Stitcher to make sure you don't miss an episode!


Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Monday, November 20, 2017

This Holiday Season - Buy One IoT Device, Get Free CVEs

As the Internet of Things gains steam and continues to develop, so are adversaries and the threats affecting these systems. Companies throughout the world are busy deploying low cost Internet-connected computing devices (aka the Internet of Things) to solve business problems and improve our lives. In tandem, criminals are developing their methods for abusing and compromising vulnerable and poorly defended IoT devices.

Friday, November 17, 2017

Threat Round Up for Nov 10 - Nov 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between November 10 and November 17. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, November 15, 2017

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within libxls

Vulnerabilities discovered by Marcin Noga of Cisco Talos

Talos is releasing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. These vulnerabilities result in remote code execution using specially crafted XLS files.

Overview

libxls is a C library supported on Windows, Mac and Linux which can read Microsoft Excel File Format (XLS) files ranging from current versions of XLS files down to Excel 97 (BIFF8) formats. 
The library is used by the `readxl` package which can be installed in the R programming language via the CRAN repository. The library is also part of the ‘xls2csv’ tool. The library can also be used to successfully parse Microsoft XLS files.

Please note that the update is only available via svn currently.

Tuesday, November 14, 2017

Microsoft Patch Tuesday - November 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.

In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 - Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked structure elements. A specifically crafted PDF document designed to trigger the vulnerability could cause an out-of-bounds access on the heap, potentially leading to arbitrary code execution. More details regarding this vulnerability are available here.

Monday, November 13, 2017

Vulnerability Spotlight: Multiple Vulnerabilities in Foscam C1 Indoor HD Cameras

These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.

Executive Summary


The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for use in a variety of applications, including use as a home security monitoring device. Talos recently identified several vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details for in a blog post here. In continuing our security assessment of these devices, Talos has discovered additional vulnerabilities. In accordance with our responsible disclosure policy, Talos has worked with Foscam to ensure that these issues are resolved and that a firmware update is made available for affected customers. These vulnerabilities could be leveraged by an attacker to achieve remote code execution on affected devices, as well as upload rogue firmware images to the devices, which could result in an attacker being able to completely take control of the devices.

Friday, November 3, 2017

Beers with Talos EP 16: Strong Copy - Bad Rabbit and the Nyetya Connection



Beers with Talos (BWT) Podcast Episode 16 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP16 Show Notes: 

The crew takes on Apache OpenOffice vulns and when you need one CVE versus one hundred. We spend a lot of time discussing signal to noise ratio and Twitter canaries getting things wrong. Of course, we also discuss Bad Rabbit, its relationship to Nyetya, and why OpenOffice vulns are a worry, even to businesses that are run like hippie communes. As per usual, we mostly just make bad jokes.

Mitch also fails miserably at uploading podcasts to the website, making people work at midnight. Make sure to subscribe on iTunes, Google Play, or Stitcher to make sure you don't miss an episode!


Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)
Posted on the website amazingly by Nick Herbert

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Thursday, November 2, 2017

Poisoning the Well: Banking Trojan Targets Google Search Results

This blog post was authored by Edmund Brumaghin, Earl Carter and Emmanuel Tacheau.


Summary


It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion.

By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time.