Friday, September 25, 2020

Threat Roundup for September 18 to September 25


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 18 and Sept. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 24, 2020

Threat Source newsletter for Sept. 24, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

After months (years?) in beta, an official release candidate is out now for Snort 3. Stay tuned for an officially official release in about a month. 

In other Snort rules, we also have a deep dive into our detection and prevention of Cobalt Strike. One of our researchers, Nicholas Mavis, did an amazing job breaking down what goes into writing Snort rules and ClamAV signatures, for those of you who really want to nerd out.

We also have new research out on fraudulent sites that claim to complete students' homework for them. This is easier for students to carry out now that many of them are learning from home. But these sites also sometimes come with malware.

The Internet did my homework



By Jaeson Schultz and Matt Valites.

As students return to school for in-person and virtual learning, Cisco Talos discovered an increase in DNS requests coming into Umbrella resolving domains we classify as "academic fraud." Data from Pew Research on back-to-school dates aligns with the growth we observed in queries to these malicious domains. The figure below shows that queries to academic fraud domains nearly quadrupled starting the week of Aug. 12, the most popular week to start schools in the US. When we compared these numbers with data from the same time last year, we noted an approximately 4x increase in requests for domains classified as "academic fraud." These sites have risen dramatically in popularity in 2020 as more and more students have moved to virtual learning.
A graph of DNS requests for "Academic Fraud"-related domain names.

Monday, September 21, 2020

New Snort, ClamAV coverage strikes back against Cobalt Strike



By Nick Mavis. Editing by Joe Marshall and Jon Munshaw.

Cisco Talos is releasing a new research paper called “The Art and Science of Detecting Cobalt Strike.”

We recently released a more granular set of updated SNORT® and ClamAV® detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries.

Cobalt Strike is a “paid software platform for adversary simulations and red team operations.” It is used by professional security penetration testers and malicious actors to gain access to and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and was most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

Friday, September 18, 2020

Threat Roundup for September 11 to September 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 11 and Sept. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos ep. #92: Trending in Your Network — Disinformation


Beers with Talos (BWT) Podcast episode No. 92 is now available. Download this episode and subscribe to Beers with Talos.

By Mitch Neff.

Recorded Aug. 26, 2020


Disinformation is front and center right now. As disinformation efforts constantly increase, platforms struggle to contain the problem without giving the appearance of censuring or controlling all information present. A Talos research team recently published some findings on the building blocks of disinformation campaigns. Special guest Kendall McKay joins us to discuss the research she co-authored with her team in Talos. We go over exactly what defines disinformation and the most pervasive sources. We also look at who these actors are and how they operate at scale while remaining hidden. 

Thursday, September 17, 2020

Threat Source newsletter for Sept. 17, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’ve got a couple of vulnerabilities you should know about. Monday, we disclosed a bug in Google Chrome’s PDFium feature that opens the door for an adversary to execute remote code.

Our researchers also discovered several vulnerabilities in the Nitro Pro PDF Reader. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code. 

Vulnerability Spotlight: Remote code execution vulnerability in Apple Safari



Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its WebKit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for WebKit used in Safari. This could give the attacker the ability to execute remote code on the victim machine. A user needs to open a specially crafted, malicious web page in Safari to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, September 15, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Nitro Pro PDF reader

Cisco Talos researchers discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple code execution vulnerabilities in the Nitro Pro PDF reader. Nitro PDF allows users to save, read, sign and edit PDFs on their computers. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Nitro Pro to ensure that these issues are resolved and that an update is available for affected customers.

Monday, September 14, 2020

Vulnerability Spotlight: Memory corruption in Google PDFium

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.