Wednesday, May 23, 2018

New VPNFilter malware targets at least 500K networking devices worldwide


For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.  In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.

This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.

Thursday, May 17, 2018

Beers with Talos EP29 - This is a PSA: Stop Clicking. There is No Prince.

Beers with Talos (BWT) Podcast Episode 29 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing:

EP29 Show Notes: 

Recorded May 11, 2018 - First and foremost, we recorded this episode one day before our "birthday." We want to thank everyone, especially the listeners, who have let us do this for the past year, racking up over half a million downloads! In this episode, we welcome special guest Nick Biasini from Talos Outreach. We set out to talk about several topics, but spend most of our time with Nick around the idea of building a stronger culture of cybersecurity and what it will take to get the baseline users on board. We are missing Matt this week, and hope he had an amazing time following the DMB tour up to Burlington, or whatever he was doing.

Wednesday, May 16, 2018

TeleGrab - Grizzly Attacks on Secure Messaging

This post was written by Vitor Ventura with contributions from Azim Khodjibaev


Over the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.

While the first version only stole browser credentials and cookies, along with all text files it can find on the system, the second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.
Talos intelligence research allowed the identification of the author behind this malware with high confidence. The author posted several YouTube videos with instructions on how to use the Telegram collected files to hijack Telegram sessions and how to package it for distribution.
The operators of this malware use several hardcoded accounts to store the exfiltrated information. This information is not encrypted, which means that anyone with access to these credentials will have access to the exfiltrated information.

The malware is mainly targeting Russian-speaking victims, and is intentionally avoiding IP addresses related with anonymizer services.

Tuesday, May 15, 2018

Vulnerability Spotlight: Multiple Adobe Acrobat Reader DC Vulnerabilities

Discovered by Aleksandar Nikolic of Cisco Talos

Update 05/15/18: The CVE for TALOS-2018-0517 has been corrected below.


Today, Talos is releasing details of a new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to return address overwrite which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Friday, May 11, 2018

Threat Roundup for May 04 - 11

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 4 and May 11. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or

Wednesday, May 9, 2018

Gandcrab Ransomware Walks its Way onto Compromised Sites

This blog post authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski.

Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. While we've seen cryptocurrency miners overtake ransomware as the most popular malware on the threat landscape, Gandcrab is proof that ransomware can still strike at any time.

While investigating a recent spam campaign Talos found a series of compromised websites that were being used to deliver Gandcrab. This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving Gandcrab not once, but twice, over a few days.

Tuesday, May 8, 2018

Wipers - Destruction as a means to an end

This whitepaper post is authored by Vitor Ventura and with contributions from Martin Lee

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose of destroying or disrupting systems and/or data.
Unlike malware that holds data for ransom (ransomware), when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.
Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: Generate social destabilization while sending a public message, while also destroying all traces of their activities.
A wiper's destructive capability can vary, ranging from the overwriting of specific files, to the destruction of the entire filesystem. The amount of data impacted will be a direct consequence of the technique used. Which, of course, will have direct impact on the business — the harder the data/system recovery process becomes, the bigger the business impact.
The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kind of attacks.

Download the full whitepaper here.

Microsoft Patch Tuesday - May 2018

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 67 new vulnerabilities, with 21 of them rated critical, 42 of them rated important, and four rated as low severity. These vulnerabilities impact Outlook, Office, Exchange, Edge, Internet Explorer and more.

In addition to the 67 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180008, which addresses the vulnerability CVE-2018-4944 described in the Adobe security bulletin APSB18-16.

Monday, May 7, 2018

Beers with Talos EP 28 - APT, BGP, RCEs, and an Old RAT

Beers with Talos (BWT) Podcast Episode 28 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing:

EP28 Show Notes: 

Recorded April 27 - We have a special guest intro this week, since Mitch came down with a case of "can't speak above a whisper" during production of the episode. We chat about what defines an “APT” — is it the actor, the technical complexity used, or something different altogether? We also discuss the recent BGP attacks — how they work and how you can prepare for them — and the progress of GravityRAT.  Matt has specific feelings about USB-C and his new computer.

Vulnerability Spotlight: MySQL Multi-Master Manager Remote Command Injection Vulnerability

Discovered by Matthew Van Gundy of Asig


Today, Talos is releasing details of a new vulnerability within MySQL Multi-Master Manager. This is used to perform monitoring, failover and management of MySQL master-master replication configurations. By using MySQL MMM (Multi-Master Replication Manager for MySQL) it ensures that only one node is writeable at a time. Using MySQL MMM an end user can also choose to move their Virtual IP addresses to different servers depending on their replication status.