Monday, August 10, 2020

Barbervisor: Journey developing a snapshot fuzzer with Intel VT-x


By Cory Duplantis.

One of the ways vulnerability researchers find bugs is with fuzzing. At a high level, fuzzing is the process of generating and mutating random inputs for a given target to crash it. In 2017, I started developing a bare metal hypervisor for the purposes of snapshot fuzzing: fuzzing small subsets of programs from a known, static starting state. This involved working on a custom kernel that could be booted on bare metal. Having not done any operating system development before, I thought this would be a great way to learn new techniques while gaining a new tool for the tool bag. This is the story of the project in the hopes that others could learn from this experience.

The source code for barbervisor can be found here.

Friday, August 7, 2020

Threat Roundup for July 31 to August 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 31 and Aug. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 6, 2020

Threat Source newsletter for Aug. 6, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We spend a lot of time talking about what you should do to keep your data safe, and how other organizations should be prepared for the worst. But what happens if the worst happens to you? 

In the latest Beers with Talos episode, we walk you through what to do if you’re the one who gets owned — even if it’s not your fault at all. 

We also have the details out on several vulnerabilities in Microsoft Azure Sphere. Our researchers will even receive an award later this year for their work on these. We also have a new Threat Roundup to give you insight into the IOCs you should be on the lookout for.   

Tuesday, August 4, 2020

Vulnerability Spotlight: Two vulnerabilities in SoftPerfect RAM Disk


A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered that a specific driver in the SoftPerfect RAM Disk could allow an adversary to arbitrarily delete files and disclose sensitive information. SoftPerfect RAM Disk is a high-performance RAM disk application that allows the user to store a disk from their computer in the device's space. An attacker could exploit TALOS-2020-1121 to point to a specific file path and then delete that file. The other vulnerability could lead to the disclosure of sensitive information.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftPerfect to ensure that these issues are resolved and that an update is available for affected customers.

Beers with Talos Ep. #89: What to do when you're the pwnd one



Beers with Talos (BWT) Podcast episode No. 88 is now available. Download this episode and subscribe to Beers with Talos.

By Mitch Neff.

Recorded July 17, 2020


The gang's all back this week, and we take on what happens when you get pwnd, hacked, or your data is leaked. It happens to all of us eventually, one quick moment connecting to public WiFi, clicking on a bad link when you just aren’t paying enough attention, or your account data is leaked through no real fault of your own. So, what do you do first when it happens to you? Sure, this is a fundamental review for some, but you can thank us the next time your brother’s co-worker’s uncle calls you because “these hackers” — and you can just send a link to this episode. (If your niece or nephew sent you this link, I’m sorry you had to find out this way, but no worries, we got you).

Friday, July 31, 2020

Vulnerability Spotlight: Microsoft issues security update for Azure Sphere

Claudio Bozzato, Lilith >_> and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft’s Azure Sphere cloud, which takes care of secure updates, app deployment, and periodically verifying the device integrity. Internally, the SoC is made up of a set of several ARM cores that have different roles.


Talos discovered two chainable vulnerabilities within Azure Sphere that, assuming an attacker could flash a malicious application, would allow for arbitrary writing to anywhere in the /mnt/config partition, resulting in further privilege escalation. These vulnerabilities were also discovered in tandem by McAfee Advanced Threat Research.

Our researchers also discovered two vulnerabilities in the platform that could allow an adversary to execute arbitrary shellcode in the restricted Linux userland of the A7 core, which normally provides a guarantee that only signed code can be executed on the device (excluding ROP gadgets). Talos also discovered an information disclosure that may be used to leak sensitive data by reading the kernel message ring buffer, a denial-of-service vulnerability via resource exhaustion in the Pluton ring buffer, and a memory corruption vulnerability in the Azure Sphere AZSPIO socket kernel driver.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. However, Microsoft declined to assign CVEs to these vulnerabilities.

Threat Roundup for July 24 to July 31


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 24 and July 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 30, 2020

Threat Source newsletter for July 30, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Adversaries love to use headlines as part of their spam campaigns. From COVID-19, to Black Lives Matter and even Black Friday every year, the bad guys are wanting to capitalize on current events. Why is this the case, and when do they decide to jump on headlines? 

In our latest blog post, we look at this technique and examine the advantages and disadvantages of trying to leverage the biggest news.  

Wednesday, July 29, 2020

Adversarial use of current events as lures

By Nick Biasini.

The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them.

This has left adversaries with a couple of options: develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help them. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events.

In today's world, everyone's thoughts immediately go to COVID-19 and Black Lives Matter, since both stories have dominated the threat landscape over the last several months, but this is something that organically happens frequently on the threat landscape. So much so that organizations should include it in their threat hunting activities. This blog is going to walk through the why and how.

Friday, July 24, 2020

Threat Roundup for July 17 to July 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 17 and July 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.