Monday, December 27, 2021
2021: Looking back on the year in malware and cyber attacks, from SolarWinds to Log4j
Monday, December 20, 2021
Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices
Matt Wiseman of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could allow remote attackers to bypass authentication requirements, manipulate metal detector configurations, and even execute arbitrary code on the device.
The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors.
Vulnerability Spotlight: Vulnerabilities in DaVinci Resolve video editing software could lead to code execution
A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered two vulnerabilities in the DaVinci Resolve video editing software that could allow an adversary to execute code in the context of the application.
DaVinci Resolve is a non-linear video editing application from Blackmagic Software that is available on multiple operating systems. Both these vulnerabilities exist in the DPDecoder service inside DaVinci Resolve.
Friday, December 10, 2021
Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
Update History
| Date | Description of Updates |
|---|---|
| Dec. 20, 2021 | Additional coverage and IOCs; additional detection capabilities for customers via Cisco Global Threat Alerts. |
| Dec. 18, 2021 | Additional mitigation guidance; updated coverage information. |
| Dec. 17, 2021 | Added additional vulnerability and mitigation information; added section on guidance for developers; timeline. |
| Dec. 16, 2021 | Added additional vulnerability and mitigation information; added event timeline; relevant advisory information. |
| Dec. 15, 2021 | Added observations on exploitation activity; updated coverage information; additional IOCs. |
| Dec. 14, 2021 | Added new CVE details; updated coverage information; additional mitigation guidance; additional threat vectors; additional IOCs. |
| Dec. 13, 2021 | Added additional vulnerability information; updated coverage information; additional attack vectors identified; emerging obfuscations; additional IOCs. |
| Dec. 12, 2021 | Added additional vulnerability information; additional details on earliest observed activity; additional mitigation recommendations; additional IOCs. |
| Dec. 11, 2021 | Added additional information on observed exploitation activity; updated coverage information; additional IOCs. |
| Dec. 10, 2021 | Added additional vulnerability information; updated coverage information; additional IOCs. |
| Dec. 10, 2021 | Initial publication date. |
Update Dec. 21, 2021
Cisco Talos is releasing updates to Snort SIDs 58722-58744, 58751, 58784-58790, 58795, 58801 and 58811-58814 to address CVE-2021-44228/CVE-2021-45046/CVE-2021-45105, RCE vulnerabilities in the Apache Log4j API.
Cisco Talos has also released an update for ClamAV signature: Java.Malware.CVE_2021_44228-9915816-1 and a new signature: PUA.Java.Tool.CVE_2021_44228-9916978-0 for threats exploiting these vulnerabilities. Please refer to the “Coverage” section for a comprehensive list of protections and signatures.
Talos Takes Ep. #80: I'll have a blue Christmas without a CTIR retainer
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Threat Roundup for December 3 to December 10
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 3 and Dec. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Threat Source Newsletter (Dec. 16, 2021)
Newsletter compiled by Jon Munshaw.
Thursday, December 9, 2021
Beers with Talos, Ep. #112: A new host approaches!
Beers with Talos (BWT) Podcast episode No. 112 is now available. Download this episode and subscribe to Beers with Talos:
Threat Source Newsletter (Dec. 9, 2021)
Newsletter compiled by Jon Munshaw.
Tuesday, December 7, 2021
Cisco recognized by Forrester as cybersecurity incident response services provider
By Brad Garnett.
Cisco Talos Incident Response is proud to announce that Forrester has recognized us by including Cisco in the new Forrester report “Now Tech: Cybersecurity Incident Response Services, Q4 2021.”
The Forrester report provides an overview of 36 Cybersecurity Incident Response Services (CIRS) providers that offer critical incident response and digital forensic expertise during cybersecurity breaches based upon size, capabilities, industry vertical and geography. We are especially pleased to be recognized in this Forrester report as this news comes on the heels of us being named an industry leader in incident readiness as part of an IDC MarketScape report.
Friday, December 3, 2021
Threat Roundup for November 26 to December 3
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 26 and Dec. 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Talos Takes Ep. #79: Emotet's back with the worst type of holiday present
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Emotet is back, and it brought the worst possible holiday present (just in time for peak spam season, too!). We recently chronicled how the long-known botnet could be coming back after an international law enforcement takedown effort earlier this year.
Thursday, December 2, 2021
Threat Source Newsletter (Dec. 2, 2021)
Newsletter compiled by Jon Munshaw.
Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension
By Tiago Pereira.
- Talos recently observed a malicious campaign offering fake installers of popular software as bait to get users to execute malware on their systems.
- This campaign includes a set of malware distribution campaigns that started in late 2018 and have targeted mainly Canada, along with the U.S., Australia and some EU countries.
- Two undocumented malware families (a backdoor and a Google Chrome extension) are consistently delivered together in these campaigns.
- An unknown actor with the alias "magnat" is the likely author of these new families and has been constantly developing and improving them.
- The attacker's motivations appear to be financial gain from selling stolen credentials, fraudulent transactions and Remote Desktop access to systems.
Wednesday, December 1, 2021
Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution
Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.
Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well. This specific vulnerability exists in Blink, the main DOM parsing and rendering engine at the core of Chromium.