Friday, June 15, 2018

Threat Roundup for June 1-15



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 01 and June 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 14, 2018

Vulnerability Spotlight: TALOS-2018-0523-24 - Multiple Vulnerabilities in Pixars Renderman application

Vulnerabilities discovered by Tyler Bohan from Talos


Overview


Talos is disclosing two denial-of-service vulnerabilities in Pixar’s Renderman application. Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation during the parsing process of network packets.

Pixar remedied  these vulnerabilities in RenderMan version 21.7

Wednesday, June 13, 2018

Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability

Vulnerabilities discovered by Marcin Noga from Talos

Overview


Talos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file — at least not without registering a file-handler first. This vulnerability was assigned CVE-2018-8210 and a security patch was released as part of the June 2018 Microsoft Patch Tuesday release. The Microsoft advisory can be found here.

Tuesday, June 12, 2018

Microsoft Patch Tuesday - June 2018

Executive Summary


Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated "critical," and 39 rated "important." These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.

In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin.

Wednesday, June 6, 2018

VPNFilter Update - VPNFilter exploits endpoints, targets new devices





Introduction



Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

Finally, we've conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

Tuesday, June 5, 2018

Talos Threat Research Summit Guide and Cisco Live Preview


The first Cisco Talos Threat Research Summit is coming up at Cisco Live! in Orlando, so we are providing a quick guide to all the activities going on at the summit and beyond. The response to the summit was stronger than we could have anticipated for the first year - it sold out fast!  Next time, we definitely need a bigger boat. Whether or not you have a ticket to the summit, read on for a guide of how to stay on top of what's happening in Orlando, and how you can connect with the events Talos is holding around Cisco Live! 2018.

Vulnerability Spotlight: TALOS-2018-0535 - Ocularis Recorder VMS_VA Denial of Service Vulnerability

Vulnerabilities discovered by Carlos Pacho from Talos


Overview

Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of settings, from convenience stores, to city-wide deployments. An attacker can trigger this vulnerability by crafting a malicious network packet that causes a process to terminate, resulting in a denial of service.

Thursday, May 31, 2018

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

Executive Summary


Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan that we're calling "NavRAT" is downloaded, which can perform various actions on the victim machine, including command execution, and has keylogging capabilities.

The decoy document is named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on the victim systems. The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT.

This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email. The uploaded file(s) are sent by email, and the downloaded files are retrieved from an email attachment. We have already observed malware using free email platforms for abuse, but this is the first time we have identified a malware that uses Naver — which is known for its popularity in South Korea.

One of the most interesting questions we still have is regarding attribution — and who is behind this malware. Previously, we published several articles concerning Group123 (here, here, here, here and here). We currently assess with medium confidence that this campaign and NavRAT are linked to Group123.

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilites

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices. Natus has released Neuroworks 8.5 GMA3 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.

Tuesday, May 29, 2018

Beers with Talos EP 30 - VPNFilter, the Unfiltered Story



Beers with Talos (BWT) Podcast Episode 30 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP30 Show Notes: 


Recorded May 25, 2018 - As you can expect, this episode focuses on VPNFilter. We discuss how we got involved, why Talos made the decision to disclose when we did, and we cover many details of the malware itself. There is a lot of background to this ongoing discussion. Take a peek behind the curtain of the defense against this attack as we cover many different aspects of the malware, the attack and the mitigation.