Friday, June 5, 2020

Threat Roundup for May 29 to June 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 29 and June 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 4, 2020

Threat Source newsletter for June 4, 2020

Newsletter compiled by Jon Munshaw.

Our social media content and promotion are on pause this week as there are more important issues being discussed and other voices that need to be heard. However, we still wanted to provide users with the latest IOCs and threats we’re seeing.

Wednesday, June 3, 2020

Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution

A member of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two vulnerabilities in the popular Zoom video chatting application that could allow a malicious user to execute arbitrary code on victims’ machines. Video conferencing software has skyrocketed in popularity during the COVID-19 pandemic as individuals across the globe are encouraged to work from home and avoid close face-to-face contact with friends and family.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Zoom to ensure that these issues are resolved. TALOS-2020-1056 was fixed in May. Zoom fixed TALOS-2020-1055 server-side in a separate update, though Cisco Talos believes it still requires a fix on the client side to completely resolve the security risk.

Monday, June 1, 2020

Vulnerability Spotlight: VMware Workstation 15 denial-of-service vulnerability

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in VMware Workstation 15. VMware allows users to set up virtual machines and run operating systems other than the one installed on their physical machine. This vulnerability exists in VMware guest mode and could allow an attacker to cause a panic condition in the VMware host, leading to a crash.

In accordance with our coordinated disclosure policy, Cisco Talos worked with VMware to ensure that this issue is resolved and that an update is available for affected customers.

Friday, May 29, 2020

Threat Roundup for May 22 to May 29

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 22 and May 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 28, 2020

Threat Source newsletter for May 28, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We need to start things off by wishing a Happy Birthday to Beers with Talos! The first episode was released on May 12, 2017. To celebrate, we have a new episode out this week and are working on another “In Between” for next week.

Send in your questions on Twitter to @TalosSecurity to have them answered on the show.

Dynamic Data Resolver (DDR) — IDA Plugin 1.0 beta

Executive summary

Static reverse-engineering in IDA can often be problematic. Certain values are calculated at run time, which makes it difficult to understand what a certain basic block is doing. If you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect the debugger and start behaving differently. Today, Cisco Talos is releasing the 1.0 beta version of Dynamic Data Resolver (DDR) — a plugin for IDA that makes reverse-engineering malware easier. DDR uses instrumentation techniques to resolve dynamic values at runtime from the sample. For the 1.0 release, we have fixed a couple of bugs, ported it to the latest IDA version, added multiple new features, plus a new installer script that automatically resolves all dependencies.

Tuesday, May 26, 2020

Beers with Talos Ep. #82: Talos IR quarterly threat trends

Beers with Talos (BWT) Podcast episode No. 82 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 8, 2020

Brad Garnett from Cisco Talos Incident Response joins us today to talk about DFIR, the Talos Quarterly Trends Report, and how a high-speed police chase on reality TV kick-started his DFIR career. That’s not even clickbait, for real. After Brad drops a quick IR trends briefing on us, the crew drills down on some key findings.

We are taking your questions from Twitter so keep sending them for the next "The In-Between" episode — @TalosSecurity #BWT.

Thursday, May 21, 2020

Threat Source newsletter for May 21, 2020

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Beers with Talos chugs on during quarantine with the latest episode of “The In-Between.” Once again, the hosts talk about everything but security, answering listener questions from Twitter.

The most pressing threat we have this week is WolfRAT, a variant of the DenDroid Android malware. WolfRAT is attempting to exploit users on different messaging apps like Facebook Messenger, WhatsApp and Line — specifically, users in Thailand.

And if you’re really ready to get into the security nitty-gritty, we have a deep dive on a vulnerability some Cisco researchers recently discovered that leaves cars with on-board computers open to attack.

Vulnerability Spotlight: Memory corruption vulnerability in GNU Glibc leaves smart vehicles open to attack

By Sam Dytrych and Jason Royes.

Executive summary

Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the vehicle.

These vehicles also frequently integrate both mobile and cloud components to improve the end-user experience. Functionality such as vehicle monitoring, remote start/stop, over-the-air-updates and roadside assistance are offered to the end-user as additional services and quality of life improvements.

All these electronic and computer systems introduce a lot of different attack vectors in connected vehicles – Bluetooth, Digital Radio (HD Radio/DAB), USB, CAN bus, Wi-Fi and, in some cases, cellular. Like any other embedded system, connected vehicles are exposed to cyber attacks and security threats. Some of the threats that connected vehicles face include software vulnerabilities, hardware-based attacks and even remote control of the vehicle. During some recent research, Cisco's Customer Experience Assessment & Penetration Team (CX APT) discovered a memory corruption vulnerability in GNU libc for ARMv7, which leaves Linux ARMv7 systems open to exploitation. This vulnerability is identified as TALOS-2020-1019/CVE-2020-6096.

CX APT represents the integration of experts from the NDS, Neohapsis, and Portcullis acquisitions. This team provides a variety of security assessment and attack simulation services to customers around the globe. The CX APT IoT security practice specializes in identifying vulnerabilities in connected vehicle components. For more on this vulnerability, you can read the full advisory here. CX APT worked with Cisco Talos to disclose the vulnerability and the libc library maintainers plan to release an update that fixes this vulnerability in August.