Monday, January 22, 2018

SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks


This post was written by Vitor Ventura

Introduction


Talos has been working in conjunction with Cisco IR Services on what we believe to be a new variant of the SamSam ransomware. This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Given SamSam's victimology, its impacts are not just felt within the business world, they are also impacting people, especially if we consider the Healthcare sector. Non-urgent surgeries can always be rescheduled but if we take as an example patients where the medical history and former medical treatment are crucial the impact may be more severe. Furthermore, many critical life savings medical devices are now highly computerized. Ransomware can impact the operation of these devices making it very difficult for medical personnel to diagnose and treat patients leading to potentially life threatening situations. Equipment that might be needed in time-sensitive operations may be made unavailable due to the computer used to operate the equipment being unavailable.

The initial infection vector for these ongoing attacks is currently unknown and Talos is investigating this in order to identify it. The history of SamSam indicates that attackers may follow their previous modus operandi of exploiting a host and then laterally moving within their target environment to plant and later run the SamSam ransomware. Previously, we observed the adversaries attacking vulnerable JBoss hosts during a previous wave of SamSam attacks in 2016. Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold.

Thursday, January 18, 2018

The Many Tentacles of the Necurs Botnet


This post was written by Jaeson Schultz.

Introduction

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs' spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Beers with Talos EP20: Crypto, Vuln Disco, and the Spectre Meltdown



Beers with Talos (BWT) Podcast Episode 20 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP20 Show Notes: 

This is easily our best podcast of 2018 (so far). The crew discusses the recent spike in crypto-mania sweeping the globe and also goes in-depth on how vulnerability discovery plays a critical role in overall security. Plus, the crew all (shockingly) have different takes on Spectre/Meltdown and Craig decides to up the ante with the killer robots.

Timeline:

The Roundtable

01:20 - Matt - Discussing Cats - a BOGO on denigrating cultural icons
04:59 - Nigel - The Reds will be victorious and glorious, of course
07:11 - Craig - Probably not the firefighter/arsonist of the security world. Probably.
09:23 - Joel - Arctic bombs and picking a bone with Mother Nature
12:04 - MItch - Tales of the short lives of expensive presents

The Topics

15:10 - CRYPTO MANIA!!! HMB while I take out a second mortgage, also Ethereum CLIENT vulns
24:10 - Vuln disco - why it matters, discussion around recent Blender vulns
39:30 - Meltdown and Spectre - Breaking down the actual threat, risk/exposure, and mitigation
54:28 - Parting shots

The Links and Credits:

Ethereum Client Bugs blog post: http://blog.talosintelligence.com/2018/01/vulnerability-spotlight-multiple.html
Bitcoin Pizza Twitter: https://twitter.com/bitcoin_pizza?lang=en
Blender Vuln Spotlight blog post: http://blog.talosintelligence.com/2018/01/unpatched-blender-vulns.html
Meltdown/Spectre blog post: http://blog.talosintelligence.com/2018/01/meltdown-and-spectre.html
Phantom Tolley relevant XKCD: http://www.explainxkcd.com/wiki/index.php/1938:_Meltdown_and_Spectre
Critical Role (Geek and Sundry Twitch): https://geekandsundry.com/shows/critical-role/
Alexa Silver: https://www.youtube.com/watch?v=YvT_gqs5ETk
==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Wednesday, January 17, 2018

Vulnerability Spotlight: Tinysvcmdns Multi-label DNS DoS Vulnerability

Overview

Talos is disclosing a single NULL pointer dereference vulnerability in the tinysvcmdns library. Tinysvcmdns is a tiny MDNS responder implementation for publishing services. This is essentially a mini and embedded version of Avahi or Bonjour. 

Details

Discovered by Claudio Bozzato, Yves Younan, Lilith Wyatt, and Aleksandar Nikolic of Cisco Talos.

Tuesday, January 16, 2018

Korea In The Crosshairs

This blog post is authored by Warren Mercer and Paul Rascagneres and with contributions from Jungsoo An.

A one year review of campaigns performed by an actor with multiple campaigns mainly linked to South Korean targets.

Executive Summary


This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns:

  • "Golden Time" campaign.
  • "Evil New Year" campaign.
  • "Are you Happy?" campaign.
  • "FreeMilk" campaign.
  • "North Korean Human Rights" campaign.
  • "Evil New Year 2018" campaign.

On January 2nd of 2018, the "Evil New Year 2018" was started. This campaign copies the approach of the 2017 "Evil New Year" campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.

Based on our analysis, the "Golden Time", both "Evil New Year" and the "North Korean Human Rights" campaigns specifically targeted South Korean users. The attackers used spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite. Group 123 has been known to use exploits (such as CVE-2013-0808) or scripting languages harnessing OLE objects. The purpose of the malicious documents was to install and to execute ROKRAT, a remote administration tool (RAT). On occasion the attackers directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes: the document only contained a downloader designed to download ROKRAT from a compromised web server.

Additionally, the "FreeMilk" campaign targeted several non-Korean financial institutions. In this campaign, the attackers made use of a malicious Microsoft Office document, a deviation from their normal use of Hancom documents. This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki. PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.

Finally, we identified a 6th campaign that is also linked to Group 123. We named this 6th campaign "Are You Happy?". In this campaign, the attackers deployed a disk wiper. The purpose of this attack was not only to gain access to the remote infected systems but to also wipe the first sectors of the device. We identified that the wiper is a ROKRAT module.

Friday, January 12, 2018

Threat Round Up for January 5 - 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between January 05 and January 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 11, 2018

Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified

Technology has evolved in incredible ways that has helped people to create and visualize media like never before. Today, people can use tools such as Blender to visualize, model, and animate 3D content, especially since it's free and open-source software. However, this also make it an attractive target for adversaries to audit and find vulnerabilities. Given the user base of Blender, exploiting these vulnerabilities to compromise a user could have a significant impact as attackers could use the foothold gained by attacking Blender to further compromise an organization's network.

Today, Talos is disclosing multiple vulnerabilities that have been identified in Blender. These vulnerabilities could allow an attacker to execute arbitrary code on an affected host running Blender. A user who opens a specially crafted file in Blender that is designed to trigger one of these vulnerabilities could be exploited and compromised.

Talos has responsibly disclosed these vulnerabilities to Blender in an attempt to ensure they are addressed. However, Blender has declined to address them stating that "fixing these issues one by one is also a waste of time." As a result, there currently is no software update that addresses these vulnerabilities. Additionally, Blender developers believe that "opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust] the source it is coming from."

Talos has offered advice to help with these issues. We realize that one developer in an open source project does not speak on behalf of the entire project. The discussion on Blender's site continues.

Wednesday, January 10, 2018

Vulnerability Spotlight: Ruby Rails Gem XSS Vulnerabilities

Vulnerabilities discovered by Zachary Sanchez of Cisco ASIG

Overview


Talos has discovered two XSS vulnerabilities in Ruby Rails Gems. Rails is a Ruby framework designed to create web services or web pages. Ruby Gems is a package manager for distributing software packages as 'gems'. The two XSS vulnerabilities were discovered in two different gem packages: delayed_job_web and rails_admin.

Ruby is widely used as a language for web development. Gem packages allow software engineers to reuse code across multiple development projects. As such, the discovery of a vulnerability in a gem may mean that many different systems are affected by that vulnerability.

Tuesday, January 9, 2018

Microsoft Patch Tuesday - January 2018

Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities with 16 of them rated critical, 39 of them rated important and 1 of them rated Moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.

In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base article which covers this issue.

Vulnerability Spotlight: Multiple Vulnerabilities in the CPP and Parity Ethereum Client

Vulnerabilities discovered by Marcin Noga of Cisco Talos.


Overview


Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.

TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.

TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.

Further on, TALOS-2017-0464 - TALOS-2017-0471 / CVE-2017-12112 - CVE-2017-12119 describe multiple Authorization Bypass Vulnerabilities which an attacker could misuse to access functionality reserved only for users with administrative privileges without any credentials.

Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerabilities in the CPP-Ethereum JSON-RPC implementation. A specially crafted json request can cause an unhandled exception resulting in a denial of service.