Tuesday, June 25, 2019

Beers with Talos Ep. #55: Live from San Diego!



Beers with Talos (BWT) Podcast Ep. #55 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded June 12, 2019 — God knows why, but we bring you another live episode from the Talos Threat Research Summit at Cisco Live U.S. in San Diego, California. We are joined by TTRS keynote speaker (as is tradition) Liz Wharton.

Catch the highlights of the show and stick around for hot takes from the live audience. Thanks to everyone who showed up to the recording, especially those brave enough to step up to the mic at the end.

This is our annual reminder of why we don’t do this more often. We think you'll whole-heartedly agree.

Friday, June 21, 2019

Threat Roundup for June 14 to June 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 14 and June 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 20, 2019

Threat Source newsletter (June 20, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This week, we disclosed two vulnerabilities in KCodes’ NetUSB kernel module that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Monday, June 17, 2019

Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers



Dave McDaniel of Cisco Talos discovered these vulnerabilities.

Executive summary

KCodes’ NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions.

The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos reached out to KCodes and NETGEAR regarding these vulnerabilities. After working with Cisco Talos, KCodes provided an update to NETGEAR, which is scheduled to release an update. Talos decided to release the details of these vulnerabilities after surpassing our 90-day deadline.

Friday, June 14, 2019

Threat Roundup for June 7 to June 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 07 and June 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, June 11, 2019

Microsoft Patch Tuesday — June 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 88 vulnerabilities, 18 of which are rated “critical,” 69 that are considered “important” and one “moderate.” This release also includes a critical advisory regarding security updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, the Jet database engine and Windows kernel. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Monday, June 10, 2019

How Cisco Talos helped Howard County recover from a call center attack


On Aug. 11, 2018, the 911 non-emergency call center in Howard County, Maryland was in crisis — not for the types of calls flooding into dispatchers, but simply for the sheer numbers. The center, which usually receives 300 to 400 calls a day, was now getting 2,500 in a 24-hour span of time. The center, which takes calls for everything from home security alarms going off to cats getting stuck in trees, was overwhelmed. What was going on?

James Cox, a network-server team manager for the Howard County government, was tasked with answering that question. It turns out, a lone foreign actor created this crisis. “The phone system doesn’t care who you are,” Cox explained. “You hit that 10-digit number and the phone rings. There’s no check and there’s no balance.”

Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580


Jared Rittle of Cisco Talos discovered these vulnerabilities.

Executive summary

There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in UMAS requests made while operating the hardware.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers.

The sights and sounds from the Talos Threat Research Summit


More than 250 threat hunters, network defenders and analysts gathered ahead of Cisco Live for the second annual Talos Threat Research Summit on Sunday.

The conference by defenders, for defenders, returned this year after the inaugural event in 2018 to San Diego, where speakers passed on their knowledge of writing detection, stopping phishing attacks, responding to ransomware, and more.

Friday, June 7, 2019

Know before you go: Talos Threat Research Summit


We are now just 48 hours away from the second annual Talos Threat Research Summit. After last year's success in Orlando, we are back and better than ever from San Diego on Sunday.

If you plan on attending, here's what you need to know before Sunday morning. Can't make it out? You can still stream our keynote address from Elizabeth Wharton at 8:10 a.m. PT by following us on Twitter.