Thursday, August 5, 2021

Threat Source newsletter (Aug. 5, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We hope everyone is enjoying Black Hat and/or DEF CON this week, whether you're attending virtually or in person. In case you missed any of our talks from Black Hat, you can check them out here, along with some other Cisco Secure offerings.

And if you didn't hear enough of our voices after that, there's a new Beers with Talos episode out this week. The guys got together for a retrospective on the Kaseya supply chain incident and follow-on ransomware attacks.

Wednesday, August 4, 2021

Beers with Talos, Ep. #108: Kaseya it ain't so

Beers with Talos (BWT) Podcast episode No. 108 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Who needed a summer vacation anyway? The whole Beers with Talos family was trying to take some time off or just go fishing for a few hours, but the bad guys have had other ideas. In the latest episode, we're dissecting the Kaseya incident and associated ransomware campaigns.

We give some unsolicited advice to Kaseya's leadership, discuss best patching practices and cover other lessons learned from this event.

Also, we have an exciting announcement: Cisco is letting us take over their Twitter account! Join the BWT guys live tomorrow, Thursday, Aug. 5, as they recap some of the year's top threats and respond to your hottest security takes. There may or may not be an episode No. 109 after this – who can say?

Vulnerability Spotlight: Use-after-free vulnerability in tinyobjloader

Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a use-after-free vulnerability in a specific function of tinyobjloader. An adversary could trick a user into opening a specially crafted file, causing a use-after-free condition, and potentially code execution. Tinyobjloader is an open-source loader for embedding the .obj loader into graphics-rendering projects.

In accordance with our coordinated disclosure policy, Cisco Talos worked with tinyobjloader to ensure that this issue is resolved and that an update is available for affected customers.

Tuesday, August 3, 2021

Updates to the Cisco Talos Email Status Portal

Cisco Talos is rolling out several changes to the Email Status Portal that add new features and make the Portal even easier to use.

The Talos Email Status Portal allows users to view mail samples submitted and their statuses, analyze graphical displays of submission metrics, administer domains and user access and generate reports of this data.

Friday, July 30, 2021

Threat Roundup for July 23 to July 30

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 23 and July 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 29, 2021

Threat Source newsletter (July 29, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Thanks to everyone who joined us live yesterday for our talk on business email compromise. If you missed us live, the recording is up on our YouTube page now. Nick Biasini from Talos Outreach provided some great advice on avoiding business email compromise and detecting these malicious campaigns.

If you want a shorter version of Nick's talk, you can also listen to last week's episode of Talos Takes.

We also have new research out on the Solarmarker information stealer and keylogger. Find out how this threat is growing and how you can defend against it using Cisco Secure products.

Threat Spotlight: Solarmarker

By Andrew Windsor, with contributions from Chris Neal.

Executive summary

  • Cisco Talos has observed new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger.
  • A previous staging module, "d.m," used with this malware has been replaced by a new module dubbed "Mars."
  • Another previously unreported module named "Uranus" has been identified.
  • The threat actor behind Solarmarker continues to evolve while remaining relatively undetected.
  • Cisco Talos has created full coverage in response to this evolving threat, protecting Cisco customers.

Talos is actively tracking a malware campaign with the Solarmarker information-stealer dating back to September 2020. Some DNS telemetry and related activity even point back to April 2020. At the time, we discovered three primary DLL components and multiple variants utilizing similar behavior.

First, the initial malicious executable injects the primary component, typically named "d.m." This serves as a stager on the victim host for command and control (C2) communications and further malicious actions. The second component, commonly referred to as "Jupyter," was observed being injected by the stager and possesses browser form and other information-stealing capabilities. Another secondary module, named "Uran" (likely in reference to Uranus), is a keylogger and was discovered on some of the older campaign infrastructure. Uran was previously undiscovered despite deep analysis on Solarmarker and the Jupyter module.

Tuesday, July 27, 2021

Vulnerability Spotlight: Use-after-free vulnerabilities in Foxit PDF Reader

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple use-after-free vulnerabilities in the Foxit PDF Reader.

Foxit PDF Reader is one of the most popular PDF document readers currently available. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms.

TALOS-2021-1294 (CVE-2021-21831), TALOS-2021-1307 (CVE-2021-21870) and TALOS-2021-1336 (CVE-2021-21893) are all use-after-free vulnerabilities that exist in the PDF Reader that could lead to an adversary gaining the ability to execute arbitrary code on the victim machine. An attacker needs to trick a user into opening a specially crafted, malicious PDF to exploit these vulnerabilities.

Monday, July 26, 2021

Vulnerability Spotlight: Unsafe deserialization vulnerabilities in CODESYS Development System

Patrick DeSantis discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the CODESYS Development System.

The CODESYS Development System is the IEC 61131-3 programming tool for industrial control and automation technology, available in 32- and 64-bit versions.

This software contains multiple unsafe deserialization vulnerabilities that could allow an attacker to execute arbitrary code on the victim machine. These issues exist across a variety of the software’s functions.

Friday, July 23, 2021

Threat Roundup for July 16 to July 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 16 and July 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.