Friday, November 20, 2020

Threat Roundup for November 13 to November 20


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 13 and Nov. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 19, 2020

Threat Source newsletter (Nov. 19, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In case you hadn’t already realized, Snort somehow became a meme this week, so that was fun. 

As 2020 (finally...or already...I can’t decide which) comes to an end, we’re going to start doing a look back at the year that was in malware. And although Emotet has been around long before this year, 2020 was particularly peculiar for the botnet because it went virtually dormant over the summer before coming back over the few months. After we obtained ownership of several C2 domains that are part of Emotet, we looked at this threat’s trends and recent changes. 

We also released a new decryptor tool for the Nibiru ransomware. Any victims can use this to safely recover any files locked up as part of an infection. 

Wednesday, November 18, 2020

Back from vacation: Analyzing Emotet’s activity in 2020



By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.

Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial malware that is delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high impact security incidents as the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.

Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let's take a look at what Emotet has been up to in 2020 and the effect it's had on the internet as a whole.

Tuesday, November 17, 2020

Nibiru ransomware variant decryptor



Nikhil Hegde developed this tool.

Weak encryption

The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant.

Ransomware

Nibiru ransomware is a poorly executed ransomware variant. It traverses directories and encrypts files with Rijndael-256. The files are given an extension, .Nibiru, after encryption. The ransomware targets numerous common file extensions but skips critical directories like Program Files, Windows and System Volume Information.

Extensions targeted by Nibiru:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .png, .psd, .txt, .zip, .rar, .html, .php, .asp, .aspx, .mp4, .avi, .3gp, .wmv, .MOV, .mp3, .wav, .flac, .wma, .mov, .raw, .apk, .encrypt, .crypted, .ahok, .cs, .vb.

Compiling

We've tested the Nibiru Ransomware Variant Decryptor tusing Visual Studio Community 2019, version 16.7.6 on Windows 10 running .NET Framework, version 4.8.03752. No additional packages are necessary to compile.

You can download the decryptor over at the Talos GitHub.

Example hash:

e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f

Friday, November 13, 2020

Threat Roundup for November 6 to November 13


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 6 and Nov. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 12, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affects some versions of macOS



Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Aleksandar Nikolic and Jon Munshaw.

Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. 

OpenUSD stands for “Open Universal Scene Descriptor.” Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. It is mostly expected to process trusted inputs in most use cases. This stands at odds with security considerations. 

The USD file format itself is used as an interchange file format inside Apple’s ARKit (Augmented Reality), SceneKit (3-D scene composition) and ModelIO (3-D modeling and animation) frameworks. Apple’s decision to use USD as the basis of its augmented reality platform makes it a potentially interesting attack surface. With the expansion of AR applications on both macOS and iOS platforms, this becomes more important for researchers to look at. 

Threat Source newsletter (Nov. 12, 2020)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’re back after a few-week hiatus! And to celebrate, we just dropped some new research on the CRAT trojan that’s bringing some ransomware friends along with it. This blog post has all the details of this threat along with what you can do to stay protected. 

We also had Microsoft Patch Tuesday this week. The company disclosed about 120 vulnerabilities this month that all users should patch now. Our blog post has a rundown of the most prominent bugs and you can check out the Snort rule update for all defenses against the exploitation of these vulnerabilities.  

And if you missed it last week, we recently put out an advisory alerting health care organizations of a recent spike in ransomware. If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR).  Please head to this page and follow the instructions for contacting IR at the top right of the page. 

CRAT wants to plunder your endpoints



By Asheer Malhotra.

  • Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
  • Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
  • One of the plugins is a ransomware known as "Hansom."
  • CRAT has been attributed to the Lazarus APT Group in the past.
  • The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion.
  • The attack also employs a multitude of anti-infection checks to evade sandbox based detection systems.

What's new?

Cisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Indicators and tactics, techniques and procedures (TTPs) discovered by this investigation resemble those of the Lazarus Group.

How did it work?

The attack consists of a highly modular malware that can function as a standalone RAT and download and activate additional malicious plugins from its C2 servers. Cisco Talos has discovered multiple plugins so far, consisting of ransomware, screen-capture, clipboard monitoring and keylogger components.

So what?

This attack demonstrates how the adversary operates an attack that:
  • Uses obfuscation and extensive evasion techniques to hide its malicious indicators.
  • Has evolved across versions to achieve effectiveness of their attack.
  • Employs a highly modular plugin framework to selectively infect targeted endpoints.
  • Most importantly, it deploys RAT malware to ransack the endpoint, followed by deployment of ransomware to either extort money or burn infrastructure of targeted entities.

Tuesday, November 10, 2020

Microsoft Patch Tuesday for Nov. 2020 — Snort rules and prominent vulnerabilities

 

By Jon Munshaw, with contributions from Joe Marshall.

Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products. This is a slight jump from last month when Microsoft disclosed one of their lowest vulnerability totals in months.  

Eighteen of the vulnerabilities are considered “critical" while the vast remainder are ranked as “important,” with two also considered of “low” importance. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.  

The security updates cover several different products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange servers.

Friday, November 6, 2020

Threat Roundup for October 30 to November 6


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 30 and Nov. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.