Tuesday, August 16, 2022

Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass



Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. 

AVideo is an open-source web application that allows users to build a video streaming and sharing platform. Anyone who joins the community can host videos on-demand, launch a live stream or encode different video formats. 

Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution



Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. 

These issues arise in the libhdf5 gif2h5 tool that’s normally used to convert a GIF file to the HDF5 format, commonly used to store large amounts of numerical data. An attacker could exploit these vulnerabilities by tricking a user into opening a specially crafted, malicious file.

Friday, August 12, 2022

Threat Roundup for August 5 to August 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 11, 2022

Threat Source newsletter (Aug. 11, 2022) — All of the things-as-a-service

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

Everyone seems to want to create the next “Netflix” of something. Xbox’s Game Pass is the “Netflix of video games.” Rent the Runway is a “Netflix of fashion” where customers subscribe to a rotation of fancy clothes. 

And now threat actors are looking to be the “Netflix of malware.” All categories of malware have some sort of "as-a-service" twist now. Some of the largest ransomware groups in the world operate “as a service,” allowing smaller groups to pay a fee in exchange for using the larger group’s tools.  

Our latest report on information-stealers points out that “infostealers as-a-service" are growing in popularity, and our researchers also discovered a new “C2 as-a-service" platform where attackers can pay to have this third-party site act as their command and control. And like Netflix, this Dark Utilities site offers several other layers of tools and malware to choose from.

Wednesday, August 10, 2022

Cisco Talos shares insights related to recent cyber attack on Cisco

Update History


Date Description of Updates
Aug. 10th 2022 Adding clarifying details on activity involving active directory.
Aug. 10th 2022 Update made to the Cisco Response and Recommendations section related to MFA.

 Executive summary


  • On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. 
  • During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 
  • The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. 
  • CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc. 
  • After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. 
  • The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. 
  • We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. 
  • For further information see the Cisco Response page here.

Tuesday, August 9, 2022

Microsoft Patch Tuesday for August 2022 — Snort rules and prominent vulnerabilities



By Jon Munshaw and Vanja Svajcer.

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months.  

This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that’s actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June.  

In all, August’s Patch Tuesday includes 15 critical vulnerabilities and a single low- and moderate-severity issue. The remainder is classified as “important.” 

Two of the important vulnerabilities CVE-2022-35743 and CVE-2022-34713 are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild and Microsoft considers it “more likely” to be exploited.

Monday, August 8, 2022

Small-time cybercrime is about to explode — We aren't ready


The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking.

When most people think of cybercrime they think of large-scale breaches because that's what dominates the headlines. However, the problem is much bigger. In 2021, the Internet Crime Complaint Center (IC3) received a staggering 847,376 complaints, with each victim losing a little more than $8,000 on average. Once you account for the high-value breaches, the true impact is even lower. The average person is far more likely to have their identity stolen or fall victim to some other sort of scam than be directly affected by a large-scale breach — and business is booming.

A deeper look at the data from IC3 shows that the amount of complaints and revenue being generated from cybercrime continues to rise. Interestingly there is a huge jump in cybercrime during the pandemic with a staggering increase of more than 60% in complaints between 2019 and 2020, with it increasing further in 2021. It's clear that cybercrime is on the rise, but what's driving it?

Friday, August 5, 2022

Threat Roundup for July 29 to August 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 29 and Aug. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

New SDR feature released for Cisco Secure Email

Cisco Talos today announced the release of a new mechanism that allows Cisco Secure Email customers the option to submit Sender Domain Reputation (SDR) disputes through TalosIntelligence.com.

Customers now have the option of receiving self-service support through TalosIntelligence.com or may continue engaging with TAC. This new feature improves efficiency for Secure Email customers by streamlining the SDR dispute ticket process.

Users can submit email sender domains and email addresses for investigation if they believe a domain or address should be marked as malicious or has been wrongfully marked as malicious. Please provide as much data as possible to assist our investigation team.

Thursday, August 4, 2022

Threat Source newsletter (Aug. 4, 2022) — BlackHat 2022 preview

By Jon Munshaw. 

Welcome to this week’s edition of the Threat Source newsletter. 

After what seems like forever and honestly has been a really long time, we’re heading back to BlackHat in-person this year. We’re excited to see a lot of old friends again to commiserate, hang out, trade stories and generally talk about security.  

Throughout the two days of the main conference, we’ll have a full suite of flash talks at the Cisco Secure booth and several sponsored talks. Since this is the last edition of the newsletter before BlackHat starts, it’s probably worthwhile running through all the cool stuff we’ll have going on at Hacker Summer Camp. 

Our booth should be easy enough to find — it’s right by the main entrance to Bayside B. If you get to the Trellix Lounge, you’ve gone too far north. Our researchers will be there to answer any questions you have and present on a wide variety of security topics, from research into Adobe vulnerabilities to the privacy effects of the overturn of Roe vs. Wade.

Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns

By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.

Executive Summary


  • Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries.
  • It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.
  • Payloads provided by the platform support Windows, Linux and Python-based implementations and are hosted within the Interplanetary File System (IPFS), making them resilient to content moderation or law enforcement intervention.
  • Since its initial release, we've observed malware samples in the wild leveraging it to facilitate remote access and cryptocurrency mining.

0xCC'd

We spend a lot of time preparing for Blackhat, and as part of putting together content for the show, one of our best, Lurene Grenier, submitted an unexpected piece of content: a poem. Now this poem isn't our regular security research or a shiny piece of corporate correspondence (which we would never do anyways) — but it is raw, and it is painful and it is brilliant. And it raises a number of issues that Cisco takes very seriously, including work-life balance and mental health. In particular, by my interpretation, it speaks about early-in-career work-life balance. I know at that point in my career I felt grateful just to be in the industry while at the same time I felt powerless to advocate for myself in the face of the overwhelming demands of the workplace. This poem hit me hard, and in truth I wouldn't want it published anywhere other than on the Talos blog. So we are presenting Lurene's words here, in hopes that they trigger important conversations and also to remind everyone to just take care of each other. If you'd like to chat with Lurene or myself or another Cisco manager about these issues, we'll be at the Cisco booth (#1932) at Blackhat.  Please come by, say hi, and share your thoughts.

-- Matthew Olney

-- Director, Threat Intelligence & Interdiction

Wednesday, August 3, 2022

Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution


Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Update (Aug. 3, 2022): Talos disclosed two new vulnerabilities in the Alyac antivirus software and added their details to this post.

Cisco Talos recently discovered out-of-bounds read and buffer overflow vulnerabilities in ESTsecurity Corp.’s Alyac antivirus software that could cause a denial-of-service condition or arbitrary code execution. Alyac is an antivirus software developed for Microsoft Windows machines. 

TALOS-2022-1452 (CVE-2022-21147) is a vulnerability that exists in a specific Alyac module that, eventually, leads to a crash of Alyac’s scanning process, which effectively neutralizes the antivirus scan. If successful, an attacker could trigger this vulnerability to stop the program from scanning for malware, which would be crucial in a potential attack scenario. 

Tuesday, August 2, 2022

Manjusaka: A Chinese sibling of Sliver and Cobalt Strike


By Asheer Malhotra and Vitor Ventura.

  • Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.
  • The implants for the new malware family are written in the Rust language for Windows and Linux.
  • A fully functional version of the command and control (C2), written in GoLang with a User Interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption of this framework by malicious actors.
  • We recently discovered a campaign in the wild using lure documents themed around COVID-19 and the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. These maldocs ultimately led to the delivery of Cobalt Strike beacons on infected endpoints.
  • We have observed the same threat actor using the Cobalt Strike beacon and implants from the Manjusaka framework.


Introduction


Cisco Talos has discovered a relatively new attack framework called "Manjusaka" (which can be translated to "cow flower" from the Simplified Chinese writing) by their authors, being used in the wild.

As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools. Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world. This disclosure from Talos intends to provide early notification of the usage of Manjusaka. We also detail the framework's capabilities and the campaign that led to the discovery of this attack framework in the wild.

The research started with a malicious Microsoft Word document (maldoc) that contained a Cobalt Strike (CS) beacon. The lure on this document mentioned a COVID-19 outbreak in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. During the investigation, Cisco Talos found no direct link between the campaign and the framework developers, aside from the usage of the framework (which is freely available on GitHub). However, we could not find any data that could support victimology definition. This is justifiable considering there's a low number of victims, indicating the early stages of the campaign, further supported by the maldoc metadata that indicates it was created in the second half of June 2022.

While investigating the maldoc infection chain, we found an implant used to instrument Manjusaka infections, contacting the same IP address as the CS beacon. This implant is written in the Rust programming language and we found samples for Windows and Linux operating systems. The Windows implant included test samples, which had non-internet-routable IP addresses as command and control (C2). Talos also discovered the Manjusaka C2 executable — a fully functional C2 ELF binary written in GoLang with a User Interface in Simplified Chinese — on GitHub. While analyzing the C2, we generated implants by specifying our configurations. The developer advertises it has an adversary implant framework similar to Cobalt Strike or Sliver.

The developers have provided a design diagram of the Manjusaka framework illustrating the communications between the various components. A lot of these components haven't been implemented in the C2 binary available for free. Therefore, it is likely that either:

  • The framework is actively under development with these capabilities coming soon OR
  • The developer intends to or is already providing these capabilities via a service/tool to purchase - and the C2 available for free is just a demo copy for evaluation.



Manjusaka design diagram.


Monday, August 1, 2022

Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities



By Carl Hurd. 

The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. What makes the LInkHub system unique is the lack of a network interface to manage the devices individually or in the mesh. Instead, a phone application is the only method to interact with these devices. This is noteworthy because, in theory, it significantly reduces the common attack surface on most small office/home office (SOHO) routers, as it moves the entire HTTP/S code base from the product. This means, in theory, fewer issues with integration or hacked-together scripts to trigger various functions within the device. One of the issues with this approach though is that its functionality still needs to reside somewhere for the user to manage the device. 

However, this setup leaves the LinkHub Mesh Wi-Fi system open to several vulnerabilities, which we are disclosing today. An attacker could exploit these vulnerabilities to carry out a variety of malicious actions, including injecting code at the operating system level, stealing credentials and causing a denial of service of the entire network. Cisco Talos is disclosing these vulnerabilities despite no official fix from TCL, all in adherence to Cisco’s vulnerability disclosure policy

Researcher Spotlight: You should have been listening to Lurene Grenier years ago

The exploit researcher recently rejoined Talos after starting her career with the company’s predecessor 

By Jonathan Munshaw. 

Lurene Grenier says state-sponsored threat actors keep her up at night, even after years of studying and following them.  

She’s spent her security career warning people why this was going to be a problem. 

Today if someone is compromised by a well-funded, state-sponsored actor, she is concerned but doesn’t necessarily feel sorry. After all, she’s been warning the security community about this for years. 

“You think about the phrase ‘fool me once, shame on you...’ Five years ago if we had this discussion and you were hit with an attack, you’d think ‘shame on China,’” she said. “Today, if we have that discussion about why you were hit, it’s shame on us.” 

Grenier has spent her career looking at state-sponsored actor trends and writing detection content to block those actors.