Wednesday, June 16, 2021

Vulnerability Spotlight: EIP Stack Group OpENer information disclosure vulnerability



Martin Zeiser of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable information disclosure vulnerability in EIP Stack Group OpENer's EtherNet/IP UDP handler.

OpENer is an EtherNet/IP stack for I/O adapter devices that includes objects and services for making EtherNet/IP-compliant products, as defined in the ODVA specification.

Tuesday, June 15, 2021

What’s past is prologue – A new world of critical infrastructure security



By Caitlin Huey, Joe Marshall and Thomas Pope.

Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems. However, we collectively have not responded in a meaningful way to these attacks. This inaction has now led to a failure to protect our oil and natural gas (ONG) infrastructure, resulting in some fuel shortages in wide swaths of the U.S. earlier this year. This, in turn, has prompted federal executive action emphasizing protecting critical ONG infrastructure and responding to ransomware attacks in this space. ONG companies must take heed – proactive and holistic security can protect their enterprises and critical infrastructure.

Friday, June 11, 2021

Threat Roundup for June 4 to June 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 4 and June 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #56: The first security steps you should take when you return to the office

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We started out the COVID-19 pandemic by thinking we'd be away from the office for a month — maybe two. More than 12 months later, we're still here, working from home (at least part-time).

But some businesses are starting to reopen now and welcoming workers back into the office. After so much time working out of the office, what should security professionals do once they get back? In this week's episode, Beers with Talos' own Craig Williams joins the show to talk about triple-checking for patches, changing passwords and more. Plus, how should you handle the new hybrid worker?

Thursday, June 10, 2021

Threat Source newsletter (June 10, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We seriously can't escape from ransomware. It's in the headlines constantly and has now drawn the full attention of the federal government. But we at Talos recognize that it is going to take far more than just words to address this global threat. In this opinion piece we published this week along with the Cyber Threat Alliance, we outlined some steps we feel the government and private sector need to take to ensure physical life and property, critical infrastructure and the economy are all protected from ransomware.

While you're on our blog, you should also head over to the new Cisco Talos Incident Response web page. We have updated CTIR's list of offerings and given it a few visual overhauls that we think you'll love.

Back in the security space, we also had Microsoft Patch Tuesday this week. The company disclosed several vulnerabilities that they've seen actively exploited in the wild, so you should patch all of your Microsoft products if you haven't already.

Quarterly Report: Incident Response trends from Spring 2021



By David Liebenberg and Caitlin Huey

While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter. These vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, comprised around 35 percent of all incidents investigated.   

This shows that when a vulnerability is recently disclosed, severe, and widespread, CTIR will often see a corresponding rise in engagements in which the vulnerabilities in question are involved. Thankfully, the majority of these incidents involved scanning and not post-compromise behavior, such as file encryption or evidence of exfiltration.  

While CTIR’s focus was largely on the Microsoft Exchange Server vulnerabilities this quarter, ransomware continued to be a persistent and growing problem. This quarter featured several ransomware families that we have not previously encountered in CTIR engagements, including MountLocker, Zeppelin and Avaddon. These families fit the ransomware-as-a-service (RaaS) model and are typically deployed with Cobalt Strike and are delivered by an initial commodity trojan loader. These ransomware families also engage in double extortion, threatening to publish victim data if the ransom demand is not met. 

Tuesday, June 8, 2021

Vulnerability Spotlight: Code execution vulnerability in Google Web Audio API



Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two use-after-free vulnerabilities in Google’s Web Audio API that an adversary could exploit to execute remote code on the victim machine. Web Audio API is a high-level JavaScript API for processing and synthesizing audio in web applications. These vulnerabilities specifically exist in the Google Chrome web browser’s instance of this API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and an update is available for affected customers.

Microsoft Patch Tuesday for June 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Edmund Brumaghin. 

Microsoft released its monthly security update Tuesday, disclosing 51 vulnerabilities across its suite of products, breaking last month’s 16-month record of the fewest vulnerabilities disclosed in a month by the company. 

There are only four critical vulnerabilities patched in this month, while all the other ones are considered “important.” However, there are several vulnerabilities that Microsoft states are being actively exploited in the wild. 

This month’s security update provides updates for several pieces of software and Windows functions, including SharePoint Server, the Windows kernel and Outlook. For a full rundown of these CVEs, head to Microsoft’s security update page.

Monday, June 7, 2021

Intelligence-driven disruption of ransomware campaigns

By Neil Jenkins and Matthew Olney.

Note: Our guest co-author, Neil Jenkins, is the Chief Analytic Officer at the Cyber Threat Alliance. He leads the CTA's analytic efforts, focusing on the development of threat profiles, adversary playbooks and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy and operational planning for both the public and private sectors.

As the headlines show, ransomware has become a threat to national security, life safety and critical infrastructure. As a result, the U.S. Department of Justice recently announced it would be giving ransomware attacks priority similar to that of terrorism. None of this is a surprise to the more than 60 experts who came together this year under the umbrella of the Ransomware Task Force (RTF), an effort to produce a comprehensive set of recommendations to international governments and private-sector partners on how to address this threat. In fact, the report — issued just days before the Colonial Pipeline attack — begins by saying, "Ransomware attacks present an urgent national security risk around the world."

As contributors to the report, we'd like to drill into the second priority recommendation issued by the group, calling for "...a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign…" To a large extent, we have left the private sector to deal with the ransomware threat by themselves, and when an incident has occurred, we have treated it as a law enforcement matter. Both of these approaches have failed. When the actor only needs to find any flaw in any company or organization's defenses, then they will continue to be successful. When the primary threat society puts forth to deter these activities is "you'll go to jail" and the actors are hiding in countries that have shown no interest in cooperating with law enforcement activities for these behaviors, there is no deterrence.

Friday, June 4, 2021

Threat Roundup for May 28 to June 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 28 and June 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.