Friday, April 19, 2019

Threat Roundup for April 12 to April 19


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 12 and April 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, April 18, 2019

Threat Source (April 18): New attacks distribute Formbook, LokiBot


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

The top news this week is, without a doubt, Sea Turtle. Wednesday, we posted our research related to this DNS hijacking campaign that has impacted countries around the world and is going after government agencies, many dealing with national security. You can check out all the details here. This week’s episode of the Beers with Talos podcast also discusses Sea Turtle.

And while it didn’t grab as many headlines, we also wrote this week about HawkEye Reborn, a variant of the HawkEye malware. The keylogger recently changed ownership, and the new actors behind the malware have recently made a sizable push to infect users.

Also, take a look below to find out new information regarding LokiBot.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, April 17, 2019

Beers with Talos Ep. #51: Sea Turtles yeeting packets
Beers with Talos (BWT) Podcast Ep. No. 51 is now available. Download this episode and subscribe to Beers with Talos on iTunes or Google Play.

Recorded April 12, 2019 — Today, we rip through a few other things to spend most of our time discussing Sea Turtle, the latest DNS hijacking campaign discovered by Talos. Also, Joel causes the biggest blockchain outburst in some time. Special thanks for today’s podcast goes to Danny Adamitis, the main Talos researcher on the Sea Turtle campaign. Danny was going to be with us today, but experienced some technical issues that prevented that from happening. RIP Danny’s mic: 4-12-19.

DNS Hijacking Abuses Trust In Core Internet Service
Authors: Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.


Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House; we thank them for their assistance.

Preface

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the internet. Manipulating that system has the potential to undermine the trust users have in the internet. That trust and the stability of the DNS system as a whole drive the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

Monday, April 15, 2019

New HawkEye Reborn Variant Emerges Following Ownership Change

Edmund Brumaghin and Holger Unterbrink authored this blog post.

Executive summary


Malware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers. In many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as the tools are now sold as commercial offerings across the cybercriminal underground. We have previously released in-depth analyses of these types of threats and of how attackers leverage them against organizations, covering Remcos in August and Agent Tesla in October.

HawkEye is another example of a malware kit that is actively being marketed across various hacking forums. Over the past several months, Talos observed ongoing malware distribution campaigns attempting to leverage the latest version of the HawkEye keylogger/stealer, HawkEye Reborn v9, against organizations to steal sensitive information and account credentials for use in additional attacks and account compromise.

Vulnerability Spotlight: Denial of service in VMware Workstation 15


Piotr Bania of Cisco Talos discovered this vulnerability.

Executive summary

VMware Workstation 15 contains an exploitable denial-of-service vulnerability. Workstation allows users to run multiple operating systems on a Linux or Windows PC. An attacker could trigger this particular vulnerability from VMware guest user mode to cause a denial-of-service condition through an out-of-bounds read. This vulnerability only affects Windows machines.

In accordance with our coordinated disclosure policy, Cisco Talos worked with VMware to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPN's helper tool
Discovered by Tyler Bohan of Cisco Talos.

Overview

Cisco Talos is disclosing a series of vulnerabilities found in the Shimo VPN Helper Tool. Shimo VPN is a popular VPN client for macOS that can be used to manage multiple VPN accounts from one application. These specific vulnerabilities were found in the “helper tool,” a component that Shimo VPN uses to carry out some of its privileged work.

These vulnerabilities are being released without a patch, per our disclosure policy, after repeated attempts were made to communicate with the vendor.

Friday, April 12, 2019

Threat Roundup for April 5 to April 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 5 and April 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Thursday, April 11, 2019

Threat Source (April 11)


Newsletter compiled by Jonathan Munshaw.



We made waves this week with an article on malicious groups on Facebook. We discovered thousands of users who were offering to buy and sell various malicious services, such as carding, spamming and the creation of fake IDs. News outlets across the globe covered this story, including NBC News, Forbes and WIRED.

There’s also new research on the Gustuff malware. Researchers discovered this banking trojan earlier this year, and recently, we tracked it targeting Australian users in the hopes of stealing their login credentials to financial services websites.


Sextortion profits decline despite higher volume, new techniques

Post authored by Nick Biasini and Jaeson Schultz.

Sextortion spammers continue blasting away at high volume. The success they experienced with several high-profile campaigns last year has led these attackers to continue transmitting massive amounts of sextortion email. These sextortion spammers have been doing everything they can to keep their approach fresh. Not only does this help sextortionists evade spam filters, increasing their chances of landing in recipients' inboxes, but it also ups their chances of finding a message that has language that resonates, convincing potential victims that the perceived threat is indeed real. Let's take a look at some of the recent changes we've seen in the sextortion email landscape.

Sextortion profits decline sharply