Friday, March 5, 2021

Threat Roundup for February 26 to March 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 26 and March 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #43: What you should know about the Microsoft Exchange Server zero-days

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We put this episode together quickly this week to address the zero-day vulnerabilities Microsoft disclosed earlier this week in Exchange Server. The company says a state-sponsored APT was exploiting these vulnerabilities in the wild to steal emails. 

We cover this incident in quick detail, covering what you should know, what these vulnerabilities mean in the broad sense and why this is another example of patching being king. For more coverage of this topic and all the Cisco Secure protections in place, click here.

Thursday, March 4, 2021

Threat Source newsletter (March 4, 2021)

Newsletter compiled by Jon Munshaw.

Of course, we will start things off talking about the Microsoft Exchange Server zero-day vulnerabilities disclosed earlier this week. Microsoft said in a statement that a threat actor is exploiting these vulnerabilities in the wild to steal users’ emails, understandably causing a lot of panic in the security community. 

Thankfully, patches are already available for the product, so update as soon as possible. We also have a ton of coverage across Cisco Secure products to keep users protected, including SNORT® rules, additions to Talos' blocklist and Cisco Secure Endpoint.

Elsewhere in the malware space, we also have a new breakdown of ObliqueRAT, which is a threat we’ve been following for a while. This new campaign utilizes updated macro code to download and deploy its payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.

There are also several other vulnerabilities we disclosed this week that you should know about. Check out our Vulnerability Spotlights for WebKit, Epignosis eFront and Accusoft ImageGear.

Threat Advisory: HAFNIUM and Microsoft Exchange zero-day

Microsoft released patches for four vulnerabilities in Exchange Server on March 2, disclosing that these vulnerabilities were being exploited by a previously unknown threat actor, referred to as HAFNIUM.

The vulnerabilities in question — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 — affect Microsoft Exchange Server 2019, 2016, 2013 and the out-of-support Microsoft Exchange Server 2010. The patches for these vulnerabilities should be applied as soon as possible. Microsoft Exchange Online is not affected.

Wednesday, March 3, 2021

Vulnerability Spotlight: Remote code execution vulnerability in WebKit WebAudio API

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The WebKit browser engine contains a remote code execution vulnerability in its WebAudio API. A specially crafted web page can trigger a use-after-free condition, which could lead to arbitrary code execution. An attacker could exploit this vulnerability by tricking a user into visiting a malicious web page.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that this issue is resolved and that an update is available for affected customers.

Vulnerability Spotlight: Password reset vulnerability in Epignosis eFront

Richard Dean, CX security advisory, EMEAR, discovered this vulnerability. Blog by Jon Munshaw.

Epignosis eFront contains a vulnerability that could allow an adversary to reset the password of any account of their choosing. eFront is a learning management system that lets users create and publish training courses. An attacker could exploit this vulnerability by predicting the seed used to generate password reset tokens, producing a valid one-time reset token for the targeted account.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Epignosis to ensure that this issue is resolved and that an update is available for affected customers.
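The bug class behind the eFront advisory is easiest to see side by side: a reset token derived from a seeded PRNG versus one drawn from the OS CSPRNG. The block below is an added illustration, not eFront's code; the weak scheme (seeding from the request timestamp) and the names `ResetStore`, `attack_window` and the timestamp value are constructed for the example and do not describe eFront's actual implementation.

```python
"""Predictable vs. unpredictable password-reset tokens.

Added illustration of the bug class in the eFront advisory above; it is not
eFront's code and the weak scheme is a constructed stand-in, not the exact
flaw. The vulnerable generator seeds a PRNG from the request timestamp, so an
attacker who knows roughly when a reset was requested can regenerate the token.
"""
import hashlib
import hmac
import random
import secrets
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32
WEAK_TTL = 3600    # seconds; long lifetimes widen the attacker's window
STRONG_TTL = 900


def _h(token: str) -> str:
    """Store only a hash of the token so a database leak does not leak live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def weak_reset_token(seed: int) -> str:
    """VULNERABLE: deterministic token from a PRNG seeded with the request time."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(TOKEN_BYTES))


def strong_reset_token() -> str:
    """FIXED: 256 bits from the OS CSPRNG; there is no seed for an attacker to guess."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class ResetStore:
    """Server-side state for outstanding reset tokens: user -> (token hash, expiry)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, int]] = {}

    def issue(self, user: str, now: int, weak: bool) -> str:
        token = weak_reset_token(now) if weak else strong_reset_token()
        ttl = WEAK_TTL if weak else STRONG_TTL
        self._entries[user] = (_h(token), now + ttl)
        return token

    def redeem(self, user: str, token: str, now: int) -> bool:
        """Expiry check, constant-time compare, and single use (entry removed on success)."""
        entry = self._entries.get(user)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if now > expires_at:
            del self._entries[user]
            return False
        if not hmac.compare_digest(token_hash, _h(token)):
            return False
        del self._entries[user]
        return True


def attack_window(store: ResetStore, user: str, observed: int, window: int,
                  now: int) -> Tuple[bool, int]:
    """Attacker: replay every seed within +/- window seconds of the observed request time.

    Returns (success, attempts). Against the weak scheme the whole seed space is
    2*window+1 guesses; against the strong scheme it never succeeds.
    """
    attempts = 0
    for seed in range(observed - window, observed + window + 1):
        attempts += 1
        if store.redeem(user, weak_reset_token(seed), now):
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    t0 = 1_614_729_600  # constructed request time (2021-03-03 00:00:00 UTC)
    store = ResetStore()
    store.issue("victim", t0, weak=True)
    print("weak scheme, attacker knows time to +/-5s:",
          attack_window(store, "victim", t0 + 2, 5, t0 + 60))
    store.issue("victim", t0, weak=False)
    print("strong scheme, same attack:",
          attack_window(store, "victim", t0 + 2, 5, t0 + 60))
```

The attacker side needs only a rough idea of when the reset was requested (the timestamp in the notification e-mail, or simply "now" if they triggered the reset themselves), so a seed space of a few seconds is trivially searchable. The fix is the unpredictable token, but the rest of `redeem` (hash at rest, short expiry, single use, constant-time comparison) is what limits damage when any other part of the flow is weaker than expected, and a real deployment would additionally rate-limit the reset endpoint.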

Tuesday, March 2, 2021

ObliqueRAT returns with new campaign using hijacked websites

By Asheer Malhotra.

  • Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT.
  • This campaign targets organizations in South Asia.
  • ObliqueRAT has been linked to the Transparent Tribe APT group in the past.
  • This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites.

What's new?

Cisco Talos recently discovered another new campaign distributing the malicious remote access trojan (RAT) ObliqueRAT. In the past, Talos connected ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT. These two malware families share similar maldocs and macros. This new campaign, however, utilizes completely different macro code to download and deploy the ObliqueRAT payload. The attackers have also updated the infection chain to deliver ObliqueRAT via adversary-controlled websites.

How did it work?

Historically, this RAT is dropped onto a victim's endpoint using malicious Microsoft Office documents (maldocs). The new maldocs, however, do not embed the ObliqueRAT payload directly, as observed in previous campaigns. Instead, the attackers use a technique new to their infection chain: the maldocs point users to malicious URLs that serve the payload. Notable changes in this campaign include:

  • The maldocs-based infection chain.
  • Changes/updates to its payload.
  • Additional links to previously observed malware attacks in the wild.

So what?

This new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections. Modifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms. While file-signature and network-based detection is important, it can be complemented with system behavior analysis and endpoint protections for additional layers of security.
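One check that complements file signatures for the "payload hidden in a benign image" stage described above: look for data after the point where an image decoder stops reading, since a file that renders normally can still carry an arbitrary trailer. This is an added example, not Talos' tooling, and it does not claim to reproduce ObliqueRAT's exact hiding technique; the PNG and JPEG samples in it are constructed inline and contain no real malware.

```python
"""Flag image files that carry data after the format's end-of-image marker.

Added example for the ObliqueRAT write-up above. It is not Talos' tooling and
does not claim to match ObliqueRAT's exact hiding method; it checks one common
way a payload rides inside a seemingly benign image: bytes appended after the
point where decoders stop reading, so the file still renders normally.
"""
import math
import struct
import zlib
from collections import Counter
from typing import Dict, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MIN_TRAILER = 16   # a few stray bytes happen in the wild; triage, don't auto-block


def png_image_end(data: bytes) -> Optional[int]:
    """Walk the chunk list; return the offset just past IEND, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # length + type + data + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_image_end(data: bytes) -> Optional[int]:
    """Heuristic: offset just past the last EOI marker (FF D9).

    Embedded EXIF thumbnails carry their own EOI, so the *last* one is used.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.rfind(b"\xff\xd9")
    return None if idx < 0 else idx + 2


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; packed or encrypted stages sit near 8, padding near 0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def scan_image(data: bytes) -> Dict[str, object]:
    """Report what follows the end-of-image marker, if anything."""
    for fmt, finder in (("png", png_image_end), ("jpeg", jpeg_image_end)):
        end = finder(data)
        if end is not None:
            trailer = data[end:]
            looks_like_pe = trailer[:2] == b"MZ"
            return {
                "format": fmt,
                "trailer_len": len(trailer),
                "trailer_entropy": round(shannon_entropy(trailer), 2),
                "looks_like_pe": looks_like_pe,
                "suspicious": len(trailer) >= MIN_TRAILER or looks_like_pe,
            }
    return {"format": "unknown", "trailer_len": 0, "trailer_entropy": 0.0,
            "looks_like_pe": False, "suspicious": False}


# --- constructed samples (not real malware) --------------------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_clean_png() -> bytes:
    """A valid 1x1 RGB PNG built by hand."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = make_clean_png()
# Fake stage: a PE-looking header plus high-entropy filler glued after IEND.
STAGED_PNG = CLEAN_PNG + b"MZ" + bytes(range(256)) * 2
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + b"\xff\xd9"
STAGED_JPEG = CLEAN_JPEG + b"\x41" * 512


if __name__ == "__main__":
    for name, blob in (("clean png", CLEAN_PNG), ("staged png", STAGED_PNG),
                       ("clean jpeg", CLEAN_JPEG), ("staged jpeg", STAGED_JPEG)):
        print(f"{name:12s} {scan_image(blob)}")
```

The PNG walk is exact because the chunk list is self-describing; the JPEG check is a heuristic and will miss a payload that itself contains FF D9, so treat it as a triage signal. Neither catches a payload hidden inside legitimate image data (true steganography) or XOR-wrapped inside an IDAT chunk, which is why the trailer check belongs alongside the behavioral detections mentioned above rather than in place of them.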

Vulnerability Spotlight: Memory corruption vulnerability in Accusoft ImageGear

Emmanuel Tacheau discovered this vulnerability. Blog by Jon Munshaw.

Accusoft ImageGear contains a vulnerability that could allow an attacker to corrupt the software's memory, potentially allowing them to execute arbitrary code on the victim machine. The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others. An adversary could send a target a specially crafted malformed file to cause an out-of-bounds condition and memory corruption.  

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that this issue is resolved and that an update is available for affected customers.

Friday, February 26, 2021

Threat Roundup for February 19 to February 26


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 19 and Feb. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #42: Seriously folks, save your logs

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

When Pierre Cadieux steps into a Cisco Talos Incident Response engagement, the first thing he wants to do is check out the customer's logs. But if there are no logs to be found, he'll be pretty limited in the kinds of insights he can provide.

This has come up several times during the SolarWinds era, when customers are wanting to know if they were targeted in the widespread supply chain attack. So in this episode of Talos Takes, Pierre joins the show to discuss why it's so important to keep logs for everything — log-ins, events, applications and more.