Monday, October 21, 2019

Gustuff return, new features for victims

By Vitor Ventura with contributions from Chris Neal.

Executive summary


The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff changed the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of the malware throughout, because Gustuff has a secondary administration channel based on SMS.

The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers its static footprint compared to previous versions. On the capability side, the addition of a "poor man's scripting engine" based on JavaScript lets the operator execute scripts that combine Gustuff's own internal commands with the full JavaScript language. This is very innovative in the Android malware space.

The first version of Gustuff that we analyzed was clearly based on Marcher, another banking trojan that has been active for several years. Gustuff has since shed some of those similarities, with changes in how it behaves after infection.

Today, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in Australia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as Cisco Duo, combined with security awareness and the use of only official app stores.

Friday, October 18, 2019

Threat Roundup for October 11 to October 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 11 and Oct. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 17, 2019

Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube



Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Post by Jon Munshaw.

YouPHPTube contains multiple vulnerabilities that could allow an attacker to carry out a variety of malicious activities. In several of these cases, specially crafted web requests allow an attacker to inject SQL code into the application. YouPHPTube is an open-source program that lets users create their own custom video sites. The software is meant to mimic popular websites such as YouTube, Netflix and Vimeo, according to its website. If successful, an attacker could use these vulnerabilities to exfiltrate data from the database, steal user credentials and, in some configurations, gain access to the underlying operating system.
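The injection pattern described above, shown as an added example rather than YouPHPTube's own code: a lookup that splices attacker-controlled input into the SQL text beside the same lookup using parameter binding. The table, rows and payloads are constructed for the demonstration, and SQLite stands in for the application's MySQL backend, so the comment syntax and schema table differ from a real deployment.

```python
import sqlite3

# Constructed in-memory table standing in for an application's users table.
# This is an added illustration, not YouPHPTube's schema or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("carol", "h3")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Attacker-controlled input is spliced into the SQL text, so the quote
    # in the input closes the literal and the rest is parsed as SQL.
    sql = "SELECT name, password_hash FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameter binding keeps the input as data; the same payloads match nothing.
    sql = "SELECT name, password_hash FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Constructed payloads: the first turns a lookup into a dump of every row,
# the second uses UNION to read another table (here SQLite's schema table).
PAYLOAD_OR = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, sql FROM sqlite_master --"

def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, PAYLOAD_OR),
        "vulnerable_union": lookup_vulnerable(conn, PAYLOAD_UNION),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, PAYLOAD_OR),
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Running the block shows the vulnerable lookup returning all three rows for the OR payload and the schema row for the UNION payload, while the bound-parameter version returns exactly the one row for "alice" and nothing for either payload. Escaping or filtering quotes is not a substitute for binding: the fix is to keep data out of the query text entirely.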

In accordance with our coordinated disclosure policy, Cisco Talos worked with YouPHPTube to ensure that these issues are resolved and that an update is available for affected customers.

Threat Source newsletter (Oct. 17, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s rare that iOS jailbreaks make it onto the scene. Apple is usually able to patch them out quickly. But a recent exploit is actually unpatchable, because the flaw sits in the device's read-only bootrom, and researchers are racing to release tools that allow users to jailbreak their phones. Malicious attackers are also trying to capitalize on this opportunity. We recently discovered a malicious site that promises a jailbreaking tool but actually conducts click fraud and installs a malicious profile onto the user’s device.

This week, Adobe released its third patch for a vulnerability we discovered earlier this year in Acrobat Reader. An attacker could exploit this bug to gain the ability to execute arbitrary code on the victim machine.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, October 15, 2019

Vulnerability Spotlight: Another fix for Adobe Acrobat Reader DC text field value remote code execution



Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Cisco Talos once again would like to bring attention to a remote code execution vulnerability in Adobe Acrobat Reader. Acrobat, one of the most popular PDF readers on the market, contains a bug in code that incorrectly counts array elements. The same code path behind the previously disclosed TALOS-2018-0704 and TALOS-2019-0774 can still trigger this vulnerability, potentially allowing an attacker to execute arbitrary code. Adobe previously patched those two vulnerabilities, but the fixes did not cover all possible cases.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Checkrain fake iOS jailbreak leads to click fraud

By Warren Mercer and Paul Rascagneres.

Introduction


Attackers are capitalizing on the recent discovery of a new vulnerability that exists across legacy iOS hardware. Cisco Talos recently discovered a malicious actor using a fake website that claims to give iPhone users the ability to jailbreak their phones. However, the site only prompts users to download a malicious profile that allows the attacker to conduct click fraud.

Checkm8 is a vulnerability in the bootrom of some legacy iOS devices that allows users to take control of the boot process. Because the bootrom is read-only, the bug cannot be fixed with a software update. The vulnerability impacts all legacy models of the iPhone from the 4S through the X. The campaign we'll cover in this post tries to capitalize off of checkra1n, a project that uses the checkm8 vulnerability to run unsigned code during boot and load a jailbroken image onto the iPhone. Checkm8 can be exploited with an open-source tool called "ipwndfu" developed by Axi0mX.

The attackers we're tracking run a malicious website called checkrain[.]com that aims to draw in users who are looking for checkra1n.

This discovery made headlines and caught the attention of many security researchers. Jailbreaking a mobile device can be attractive to researchers, average users and malicious actors. A researcher or user may want to jailbreak phones to bypass standard restrictions put in place by the manufacturer to download additional software onto the device or look deeper into the inner workings of the phone. However, an attacker could jailbreak a device for malicious purposes, eventually obtaining full control of the device.

This new malicious actor Talos discovered claims to provide the checkra1n jailbreak. The site even claims to be working with popular jailbreaking researchers such as “CoolStar” and Google Project Zero’s Ian Beer. The page attempts to look legitimate, prompting users to seemingly download an application to jailbreak their phone. However, there is no application; this is an attempt to install a malicious configuration profile onto the end user's device.
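A configuration profile is just a property list (signed profiles are wrapped in CMS), so the check a practitioner would want before tapping "Install" is to unpack it and look at what payloads it carries. The following is an added example, not code from Talos and not the profile served by checkrain[.]com, whose contents are not reproduced here. The sample profile is constructed for illustration and uses a web clip payload as a plausible click-fraud vehicle; the risky payload type list is the author's own selection of types that give a profile author lasting influence over a device.

```python
import plistlib

# Constructed sample .mobileconfig for illustration only; not the profile
# served by checkrain[.]com. It mimics a "jailbreak installer" that really
# plants a non-removable home-screen bookmark.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Jailbreak Installer</string>
  <key>PayloadIdentifier</key><string>com.example.fakejb</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.fakejb.webclip</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>checkra1n</string>
      <key>URL</key><string>https://example.invalid/jb</string>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Payload types worth a second look (author's selection): home-screen web
# clips (an icon that is really a bookmark to an arbitrary URL), MDM
# enrollment, VPN configuration and trusted certificates.
RISKY_PAYLOAD_TYPES = {
    "com.apple.webClip.managed": "home-screen web clip pointing at an arbitrary URL",
    "com.apple.mdm": "MDM enrollment (remote device management)",
    "com.apple.vpn.managed": "VPN configuration (can route device traffic)",
    "com.apple.security.root": "trusted root certificate",
    "com.apple.security.pem": "certificate install",
}

def inspect_profile(data: bytes) -> dict:
    """Summarize a .mobileconfig: top-level metadata, payloads and findings."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:
        # Not an XML/binary plist. A signed profile is CMS-wrapped DER; unwrap it
        # first, e.g. `openssl smime -inform der -verify -noverify -in profile.mobileconfig`
        # or `security cms -D -i profile.mobileconfig` on macOS, then re-run.
        return {"parsed": False, "error": str(exc)}

    findings = []
    if plist.get("PayloadRemovalDisallowed"):
        findings.append("profile cannot be removed by the user")
    payloads = []
    for payload in plist.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        entry = {"type": ptype, "identifier": payload.get("PayloadIdentifier", "?")}
        if ptype in RISKY_PAYLOAD_TYPES:
            findings.append(f"{ptype}: {RISKY_PAYLOAD_TYPES[ptype]}")
        if ptype == "com.apple.webClip.managed":
            entry["url"] = payload.get("URL")
            if payload.get("IsRemovable") is False:
                findings.append("web clip cannot be deleted from the home screen")
        payloads.append(entry)
    return {
        "parsed": True,
        "display_name": plist.get("PayloadDisplayName"),
        "identifier": plist.get("PayloadIdentifier"),
        "payloads": payloads,
        "findings": findings,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_profile(SAMPLE_PROFILE), indent=2))
```

The point of the check is that a profile cannot jailbreak anything: a jailbreak needs code running outside the sandbox, which a configuration profile never provides. Any "jailbreak" delivered as a .mobileconfig is therefore, at best, a bookmark, and the payload list tells you what it actually configures.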

Jailbreaking iOS devices has been around since the launch of the first iPhone in 2007, but jailbreaks are a rare commodity in the iOS world, with Apple moving to patch most software defects swiftly. This can mean a user stays on an older, vulnerable version of iOS to keep their jailbreak, a dangerous proposition. Some users want to jailbreak their devices because it allows them to perform many additional actions that Apple has locked down. These range from simple tasks like SSHing into (remotely accessing) the iOS device or changing icons and themes to illegitimate uses such as pirated software and games.

Friday, October 11, 2019

Threat Roundup for October 4 to October 11

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 4 and Oct. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #63: The third law of thermodynamics


Beers with Talos (BWT) Podcast episode No. 63 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Sept. 27, 2019 

We are missing Matt and Joel this time, so Mitch, Craig and Nigel are taking you through this episode. We cover some recent posts from Talos on Divergent and Tortoiseshell. Turns out, people get a bit excited when you target U.S. veterans with malware; even other malware authors think that’s scummy. That takes us into a chat about social engineering in general, and we end up talking about some interesting stuff with unpatchable vulnerabilities and why deleting /var on install could be described as "a bad idea" for a Google Chrome update.

Thursday, October 10, 2019

Threat Source newsletter (Oct. 10, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s that time again to update all your Microsoft products. The company released its monthly update Tuesday, disclosing more than 60 vulnerabilities in a variety of its products. This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. We’ve got a rundown of the most important bugs here, and all our Snort coverage here.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

P.S., we have to give ourselves a pat on the back for the researchers who took home the top honors at the Virus Bulletin conference, winning the Péter Ször Award.

New IDA Pro plugin provides TileGX support

By Jonas Zaddach

Overview

Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.