Monday, September 17, 2018

Beers with Talos EP 37: Snort 3 Beta Uses Multithreading. It’s Super Effective!

Beers with Talos (BWT) Podcast Ep. #37 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #37 show notes:

Recorded Sept. 7, 2018 — We have Joel back this week (and he is very happy to have himself back), but we lost Matt and we’re still wishing Nigel a speedy recovery from becoming bionic. This episode, we cover the latest findings in our research into a malicious mobile device management (MDM) campaign that's targeting iPhones and go over the exciting changes in the newly released Snort 3 beta (your move, Valve). Bill reprises his role from last week as sentient seat-filler that makes good jokes.

Friday, September 14, 2018

Threat Roundup for September 7 to September 14


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 7 and 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 13, 2018

SigAnalyzer: Signature analysis with CASC

Executive summary

ClamAV Signature Creator (CASC) is an IDA Pro plugin that assists in the creation of ClamAV pattern signatures. We have enhanced this plugin to also analyze these signatures. The plugin highlights the matching parts of a binary when it's given a particular signature. This function is helpful when evaluating automatically generated signatures, e.g., from the BASS framework. As a larger number of signatures is generated automatically, it becomes ever more important to gain a quick understanding of the effects of these signatures. This functionality will allow us to check the accuracy of our signatures faster, and allow us to deliver a better product to our users.

You can read the complete post and see the associated video on the ClamAV blog.

Tuesday, September 11, 2018

Microsoft Patch Tuesday - September 2018

Microsoft released its monthly set of security updates today for a variety of its products, addressing a range of bugs. The latest Patch Tuesday covers 61 vulnerabilities, 17 of which are rated "critical," 43 that are rated "important" and one that is considered to have "moderate" severity.

The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.


Friday, September 7, 2018

Threat Roundup for August 31 to September 7


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 31 and Sept. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 - Multi-provider VPN Client Privilege Escalation Vulnerabilities

Discovered by Paul Rascagneres.


Overview


Cisco Talos has discovered two similar vulnerabilities in the ProtonVPN and NordVPN VPN clients. The vulnerabilities allow an attacker with a standard user account to execute code as an administrator on Microsoft Windows operating systems. The vulnerabilities were assigned the IDs TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProtonVPN).

The vulnerabilities are similar to a bug previously discovered by VerSprite in April 2018: CVE-2018-10169. That same month, both clients released similar patches to fix this flaw. However, we identified a way to bypass that patch. Despite the fix, it is still possible to execute code as an administrator on the system. The details section later in this post explains the first patch, why it was not successful, and how the vendors finally fixed the problem.

Thursday, September 6, 2018

Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities

Vulnerabilities discovered by Yuri Kramar from the Cisco Security Advisor Team.


Overview

Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities enable an attacker to bypass authentication and get unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities — no special tools are required.

Wednesday, September 5, 2018

Malicious MDM: Let's Hide This App

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Nick Biasini.

Summary


Since our initial discovery of a malicious mobile device management (MDM) platform that was loading fake applications onto smartphones, we have gained greater insight into the attacker's methods. We now know how the attacker took advantage of a common MDM feature and used an iOS profile to hide and disable the legitimate versions of the apps to force the use of the malicious stand-ins.

Cisco Talos previously published two articles (here and here) on the subject. In the aforementioned campaigns, the attackers enrolled iOS devices into the MDM and used it to control the victims' devices, deploying malicious apps disguised as the messaging services WhatsApp, Telegram and Imo, as well as the web browser Safari.

After additional research, we now know that the attacker deployed the malicious apps after the actor deployed a profile on the enrolled devices and abused the age rating restriction functionality that exists on iOS devices. The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively. After the age rating limit was set to 9-plus, the installed legitimate applications disappeared from the device:

Friday, August 31, 2018

Threat Roundup for August 24-31


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 24 and 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 30, 2018

Beers with Talos EP 36: There Are Few Shades in the Grey Market

Beers with Talos (BWT) Podcast Ep. #36 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #36 show notes:

Recorded Aug. 24, 2018 — We’re finally back in the studio after Hacker Summer Camp! Sadly, due to summer vacations and becoming bionic, we are missing Joel and Nigel, respectively. We end up discussing most of our topics through the lens of Matt’s frequent Twitter polls. We also find out he bribes followers with free sporks. Craig brings the discussion on the details of Remcos, and goes through some interesting points on the emerging grey markets in security software and "vuln disco." The crew closes this episode discussing the hypothetical merits of perfect patching versus perfect visibility.