Wednesday, January 31, 2018

Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The Dark Side of the Digital Gold Rush

This post was authored by Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds with contributions from Azim Khodijbaev and David Liebenberg.

Executive Summary

The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies along with "blockchain" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment or running a malicious script by taking systems hostage and demanding a ransom. Instead, attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases, the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day-to-day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high, which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. It is important to note that due to volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

Monday, January 29, 2018

2017 in Snort Rules

This post was written by Martin Lee and Vanja Svajcer.

2017 was an eventful year for cyber security, with high profile vulnerabilities that allowed self-replicating worm attacks such as WannaCry and BadRabbit to impact organizations throughout the world. In 2017, Talos researchers discovered many new attacks, including backdoors in legitimate software such as CCleaner, designed to target high tech companies, as well as M.E.Doc, responsible for the initial spread of Nyetya. Despite all of this, headline-making attacks are only a small part of the day-to-day protection provided by security systems.

In this post we review some of the findings from investigating the most frequently triggered Snort rules, as reported by Cisco Meraki systems and included in the Snort default policy set.

Friday, January 26, 2018

Beers with Talos EP 21: How to Hire the Best, Attribution Without Apaches is Useless

Beers with Talos (BWT) Podcast Episode 21 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing:

EP21 Show Notes: 

It is a packed episode this time! We are joined by Edmund from the Talos Outreach Group to chat about Threat Modeling after we make our way through attribution and Group 123, hipster artisanal patching (hand flipped bits!), and spend a good bit of time talking about how Talos identifies the cream of the crop when we are hiring.

Vulnerability Spotlight: Walt Disney Per-Face Texture Mapping faceInfoSize Code Execution Vulnerability

This vulnerability was discovered by Tyler Bohan of Cisco Talos.

Executive Summary

Walt Disney PTEX is an open source software application maintained by Walt Disney Animation Studios. It is designed for use in post-production rendering. It allows for the storage of thousands of texture mappings within a single file. This particular software library is used in many other software applications, such as Pixar's RenderMan, giving it a large install base. A list of other applications that have incorporated PTEX is available here. Talos has recently discovered a stack-based buffer overflow in PTEX that could potentially allow a remote attacker to execute arbitrary code on affected systems.

Monday, January 22, 2018

SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks

This post was written by Vitor Ventura.

Talos has been working in conjunction with Cisco IR Services on what we believe to be a new variant of the SamSam ransomware. This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Given SamSam's victimology, its impacts are not just felt within the business world; they are also felt by people, especially if we consider the Healthcare sector. Non-urgent surgeries can always be rescheduled, but if we take as an example patients whose medical history and former medical treatment are crucial, the impact may be more severe. Furthermore, many critical life-saving medical devices are now highly computerized. Ransomware can impact the operation of these devices, making it very difficult for medical personnel to diagnose and treat patients and leading to potentially life-threatening situations. Equipment that might be needed in time-sensitive operations may be made unavailable because the computer used to operate the equipment is unavailable.

The initial infection vector for these ongoing attacks is currently unknown, and Talos is investigating in order to identify it. The history of SamSam indicates that attackers may follow their previous modus operandi of exploiting a host and then laterally moving within their target environment to plant and later run the SamSam ransomware. During an earlier wave of SamSam attacks in 2016, we observed the adversaries attacking vulnerable JBoss hosts. Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold.

Thursday, January 18, 2018

The Many Tentacles of the Necurs Botnet

This post was written by Jaeson Schultz.

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs' spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Beers with Talos EP20: Crypto, Vuln Disco, and the Spectre Meltdown

Beers with Talos (BWT) Podcast Episode 20 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing:

EP20 Show Notes: 

This is easily our best podcast of 2018 (so far). The crew discusses the recent spike in crypto-mania sweeping the globe and also goes in-depth on how vulnerability discovery plays a critical role in overall security. Plus, the crew all (shockingly) have different takes on Spectre/Meltdown and Craig decides to up the ante with the killer robots.


The Roundtable

01:20 - Matt - Discussing Cats - a BOGO on denigrating cultural icons
04:59 - Nigel - The Reds will be victorious and glorious, of course
07:11 - Craig - Probably not the firefighter/arsonist of the security world. Probably.
09:23 - Joel - Arctic bombs and picking a bone with Mother Nature
12:04 - Mitch - Tales of the short lives of expensive presents

The Topics

15:10 - CRYPTO MANIA!!! HMB while I take out a second mortgage, also Ethereum CLIENT vulns
24:10 - Vuln disco - why it matters, discussion around recent Blender vulns
39:30 - Meltdown and Spectre - Breaking down the actual threat, risk/exposure, and mitigation
54:28 - Parting shots

The Links and Credits:

Ethereum Client Bugs blog post:
Bitcoin Pizza Twitter:
Blender Vuln Spotlight blog post:
Meltdown/Spectre blog post:
Phantom Tolley relevant XKCD:
Critical Role (Geek and Sundry Twitch):
Alexa Silver:

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).

Wednesday, January 17, 2018

Vulnerability Spotlight: Tinysvcmdns Multi-label DNS DoS Vulnerability

Talos is disclosing a single NULL pointer dereference vulnerability in the tinysvcmdns library. Tinysvcmdns is a tiny mDNS responder implementation for publishing services, essentially a miniature, embeddable version of Avahi or Bonjour.

Discovered by Claudio Bozzato, Yves Younan, Lilith Wyatt, and Aleksandar Nikolic of Cisco Talos.

Tuesday, January 16, 2018

Korea In The Crosshairs

This blog post is authored by Warren Mercer and Paul Rascagneres, with contributions from Jungsoo An.

A one-year review of campaigns performed by an actor whose multiple campaigns are mainly linked to South Korean targets.

Executive Summary

This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns:

  • "Golden Time" campaign.
  • "Evil New Year" campaign.
  • "Are you Happy?" campaign.
  • "FreeMilk" campaign.
  • "North Korean Human Rights" campaign.
  • "Evil New Year 2018" campaign.

On January 2nd of 2018, the "Evil New Year 2018" campaign began. This campaign copies the approach of the 2017 "Evil New Year" campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.

Based on our analysis, the "Golden Time", both "Evil New Year" and the "North Korean Human Rights" campaigns specifically targeted South Korean users. The attackers used spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite. Group 123 has been known to use exploits (such as CVE-2013-0808) or scripting languages harnessing OLE objects. The purpose of the malicious documents was to install and to execute ROKRAT, a remote administration tool (RAT). On occasion the attackers directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes: the document only contained a downloader designed to download ROKRAT from a compromised web server.

Additionally, the "FreeMilk" campaign targeted several non-Korean financial institutions. In this campaign, the attackers made use of a malicious Microsoft Office document, a deviation from their normal use of Hancom documents. This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki. PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.

Finally, we identified a sixth campaign that is also linked to Group 123. We named this sixth campaign "Are You Happy?". In this campaign, the attackers deployed a disk wiper. The purpose of this attack was not only to gain access to the remote infected systems but also to wipe the first sectors of the device. We identified that the wiper is a ROKRAT module.

Friday, January 12, 2018

Threat Round Up for January 5 - 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between January 05 and January 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Thursday, January 11, 2018

Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified

Update 1/25/18: Blender has released version 2.79a to address these issues

Technology has evolved in incredible ways that have helped people to create and visualize media like never before. Today, people can use tools such as Blender to visualize, model, and animate 3D content, especially since it's free and open-source software. However, this also makes it an attractive target for adversaries to audit and find vulnerabilities. Given the user base of Blender, exploiting these vulnerabilities to compromise a user could have a significant impact, as attackers could use the foothold gained by attacking Blender to further compromise an organization's network.

Today, Talos is disclosing multiple vulnerabilities that have been identified in Blender. These vulnerabilities could allow an attacker to execute arbitrary code on an affected host running Blender. A user who opens a specially crafted file in Blender that is designed to trigger one of these vulnerabilities could be exploited and compromised.

Talos has responsibly disclosed these vulnerabilities to Blender in an attempt to ensure they are addressed. However, Blender has declined to address them stating that "fixing these issues one by one is also a waste of time." As a result, there currently is no software update that addresses these vulnerabilities. Additionally, Blender developers believe that "opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust] the source it is coming from."

Talos has offered advice to help with these issues. We realize that one developer in an open source project does not speak on behalf of the entire project. The discussion on Blender's site continues.

Wednesday, January 10, 2018

Vulnerability Spotlight: Ruby Rails Gem XSS Vulnerabilities

Vulnerabilities discovered by Zachary Sanchez of Cisco ASIG.

Talos has discovered two XSS vulnerabilities in Ruby Rails Gems. Rails is a Ruby framework designed to create web services or web pages. Ruby Gems is a package manager for distributing software packages as 'gems'. The two XSS vulnerabilities were discovered in two different gem packages: delayed_job_web and rails_admin.

Ruby is widely used as a language for web development. Gem packages allow software engineers to reuse code across multiple development projects. As such, the discovery of a vulnerability in a gem may mean that many different systems are affected by that vulnerability.

Tuesday, January 9, 2018

Microsoft Patch Tuesday - January 2018

Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities, with 16 of them rated critical, 39 of them rated important and 1 of them rated moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.

In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base article which covers this issue.

Vulnerability Spotlight: Multiple Vulnerabilities in the CPP and Parity Ethereum Client

Vulnerabilities discovered by Marcin Noga of Cisco Talos.

Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.

TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.

TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.

Additionally, TALOS-2017-0464 - TALOS-2017-0471 / CVE-2017-12112 - CVE-2017-12119 describe multiple authorization bypass vulnerabilities which an attacker could misuse to access functionality reserved only for users with administrative privileges, without any credentials.

Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerability in the CPP-Ethereum JSON-RPC implementation. A specially crafted JSON request can cause an unhandled exception, resulting in a denial of service.

Monday, January 8, 2018

Meltdown and Spectre

Cisco Talos is aware of three new vulnerabilities impacting Intel, AMD, Qualcomm and ARM processors used by almost all computers. We are investigating these issues and although we have not observed exploitation of these vulnerabilities in the wild, that does not mean that it has not occurred. We have observed publicly available proof of concept exploit code being developed to exploit these vulnerabilities.

These issues have been assigned the following CVE entries:

Meltdown: An attacker can access kernel memory from user space
Spectre: An attacker can read memory contents from other users' running programs

Friday, January 5, 2018

Threat Round Up for December 29 - January 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between December 29 and January 05. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Thursday, January 4, 2018

Not So Crystal Clear - Zeus Variant Spoils Ukrainian Holiday

This post was authored by Edmund Brumaghin with contributions from Ben Baker, Dave Maynor and Matthew Molyett.

Talos has observed a cyber attack which was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). This vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm ISSP that another accounting software maker had been compromised. However, the attackers did not compromise the firm's update servers and did not have the level of access noted in the Nyetya compromise. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. Websites being compromised to serve malicious content is common, and it appears that CFM's website was leveraged in the same way. This can be achieved through exploitation of existing vulnerabilities in server-side software or brute-forcing weak credentials, allowing attackers to gain remote administrative access. The fact that it is an accounting software company in Ukraine, together with the timing of the attack, increased visibility.

This attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine. The details of the specific malware infection process itself have been previously documented here. Talos was able to register and sinkhole one of the Command and Control (C2) domains and, through this, obtain additional details regarding the scope of this attack and associated victims. This blog provides additional information related to the geographic regions that were targeted by this attack, as well as the size and scope of systems that were successfully compromised.

Wednesday, January 3, 2018

Tutorial: Mutiny Fuzzing Framework and Decept Proxy

Here's a basic demo video for our new open-source tools, Decept and Mutiny. Happy New Year <(^_^)>
~ Lilith

Recently, Talos released new tools to assist in the monumental task of finding vulnerabilities in network applications. Mutiny and Decept work together to help researchers fuzz quickly and effectively with some unique features. For more info on Mutiny Fuzzing Framework and Decept Proxy, see the initial blog post here:

This tutorial assumes the following are previously installed:

Mutiny Fuzzing Framework:
Decept Proxy:
Python 2.7