Monday, March 27, 2017

Vulnerability Spotlight: Certificate Validation Flaw in Apple macOS and iOS Identified and Patched

Most people don't give much thought to what happens when you connect to your bank's website or log in to your email account. For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present "identification" showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information.

Due to the sensitive nature of this process, software vulnerabilities that adversely impact the security of certificate validation could have major consequences. Unfortunately, digital systems are complex and bugs are an inevitable reality in software development. Identifying vulnerabilities and responsibly disclosing them improves the security of the internet by eliminating potential attack vectors. Talos is committed to improving the overall security of the internet and today we are disclosing TALOS-2017-0296 (CVE-2017-2485), a remote code execution vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS. This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.

Friday, March 24, 2017

Threat Round-up for the Week of Mar 20 - Mar 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 23, 2017

How Malformed RTF Defeats Security Engines

This post is authored by Paul Rascagneres with contributions from Alex McDonnell

Executive Summary


Talos has discovered a new spam campaign used to infect targets with the well known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.

Despite the known vulnerability, many security products fail to identify the exploit because they are unable to correctly classify the RTF file format and scan the embedded OLE document within in the RTF. Even open-source parsers such as rtfobj.py from oletools have difficulties extracting the embedded OLE:


This article explains how the malware author modified the RTF file in order to bypass security protection and frustrate malware researchers.


Wednesday, March 22, 2017

Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Overview


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability and a memory corruption vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW.

Monday, March 20, 2017

Necurs Diversifies Its Portfolio

The post was authored by Sean Baird, Edmund Brumaghin and Earl Carter, with contributions from Jaeson Schultz.

Executive Summary


The Necurs botnet is the largest spam botnet in the world. Over the past year it has been used primarily for the distribution of Locky ransomware and Dridex. Earlier this year, we wrote about how the Necurs botnet went offline and seemingly disappeared, taking most of the high volume Locky malspam with it. Talos recently identified a significant increase in the amount of spam emails originating from the Necurs botnet, indicating that it may have come back to life, but rather than distributing malware in the form of malicious attachments, it appears to have shifted back to penny stock pump-and-dump messages. This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.

Friday, March 17, 2017

Threat Round-up for the Week of Mar 13 - Mar 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Tuesday, March 14, 2017

Microsoft Patch Tuesday - March 2017

Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.

Friday, March 10, 2017

Threat Round-up for the Week of Mar 6 - Mar 10

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. As with our previous threat round-up, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 9, 2017

Vulnerability Spotlight: R - PDF LoadEncoding Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Cisco Talos

Overview

Talos is disclosing TALOS-2016-0227 / CVE-2016-8714 which is a buffer overflow vulnerability in the LoadEncoding functionality of the R programming language version 3.3.0. The R programming language is commonly used in statistical computing and is supported by the R Foundation for Statistical Computing. R is praised for having a large variety of statistical and graphical features. The vulnerability is specifically related to the creation of a PDF document.

Wednesday, March 8, 2017

Content-Type: Malicious - New Apache Struts2 0-day Under Attack

This post is authored by Nick Biasini

UPDATE: It was recently disclosed that in addition to Content-Type being vulnerable, both Content-Disposition and Content-Length can be manipulated to trigger this particular vulnerability. No new CVE was listed, however details of the vulnerability and remediation are available in this security advisory.

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.

Crypt0l0cker (TorrentLocker): Old Dog, New Tricks

This post is authored by Matthew Molyett, Holger Unterbrink and Paul Rascagneres.

Executive Summary

Ransomware continues to be a plague on the internet and still sets itself as the fastest growing malware family we have seen in the last number of years. In this post we describe the technical details about a newly observed campaign of the notorious Crypt0l0cker (aka TorrentLocker or Teerac) ransomware. Crypt0l0cker has gone through a long evolution, the adversaries are updating and improving the malware on a regular basis. Several indicators inside the samples we have analysed point to a new major version of the malware. We have already seen large campaigns targeting Europe and other parts of the world in 2014 and 2015. It seems to be that the actors behind these campaigns are back now and launching again massive spam attacks. This post will also give you insights about the level of sophistication this malware has reached.

Tuesday, March 7, 2017

Vulnerability Spotlight: Pharos Vulnerabilities

Discovered by Tyler Bohan of Cisco Talos. Talos would also like to thank NYU Osiris Lab for helping out with these vulnerabilities.

Pharos PopUp Printer is printing software that is widely used to manage multiple connections to a single printing point. Services that run with root privileges that are open to network connections are a tempting target for attackers. Talos is disclosing the presence of three code execution vulnerabilities and a denial of service vulnerability in the psnotifyd application of the Pharos PopUp printer client version 9.0

TALOS-2017-0280, TALOS-2017-0283 Code Execution Vulnerabilities (CVE-2017-2785, CVE-2017-2788)
TALOS-2017-0282 Memcpy Code Execution Vulnerability (CVE-2017-2787)
TALOS-2017-0281 DecodeString Denial of Service Vulnerability (CVE-2017-2786)

Friday, March 3, 2017

Malware Round-up For The Week of Feb 27 - Mar 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed over the past week. Unlike our other posts, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, March 2, 2017

Covert Channels and Poor Decisions: The Tale of DNSMessenger

This post was authored by Edmund Brumaghin and Colin Grady

Executive Summary


The Domain Name System (DNS) is one of the most commonly used Internet application protocols on corporate networks. It is responsible for providing name resolution so that network resources can be accessed by name, rather than requiring users to memorize IP addresses. While many organizations implement strict egress filtering as it pertains to web traffic, firewall rules, etc. many have less stringent controls in place to protect against DNS based threats. Attackers have recognized this and commonly encapsulate different network protocols within DNS to evade security devices.

Typically this use of DNS is related to the exfiltration of information. Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.

Ironically, the author of the malware called SourceFire out in the malware code itself shortly after we released Cisco Umbrella, a security product specifically designed to protect organizations from DNS and web based threats as described here.