Friday, December 6, 2019

Threat Roundup for November 29 to December 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 5, 2019

Threat Source newsletter (Dec. 5, 2019)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone had a safe and happy Thanksgiving in the U.S. The holiday shopping season is now in full swing, and there are plenty of deals to be had in stores and online. This also makes it a prime time for attackers to strike. For tips on how to stay safe when shopping this holiday season, check out our full blog post here.

This was also a busy week for vulnerabilities. We disclosed, and released protection for, bugs in the Forma learning management system, Accusoft ImageGear and EmbedThis’ GoAhead Web Server.

We also have a special surprise for you tomorrow. You’ll want to keep an eye on our blog, social media and your podcast feeds.

Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest user mode to cause an out-of-bounds memory read in the vmware-vmx.exe process on the host, or theoretically through WebGL.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, December 3, 2019

ClamAV team shows off new Mussels dependency build automation tool

By Micah Snyder.

Today I'm very excited, and a little bit nervous, to unveil Mussels. Mussels is a cross-platform, general-purpose dependency build automation tool. You might compare it with Vcpkg, Conan, or Buildout. It serves a similar purpose, but the approach is a little different.

Mussels is intended to simplify the process of building complex applications that have lengthy dependency chains without having to write all new CMake, Meson, Bazel, XCode, or Visual Studio project files. Instead, you write (and share) simple recipes that leverage the original build systems intended by software authors of your external library dependencies.

For more on Mussels, and where to download it, read the complete post over at the ClamAV blog.

Monday, December 2, 2019

Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System

Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Forma to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Accusoft ImageGear PNG IHDR width code execution vulnerability

Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document-imaging developer toolkit from Accusoft that developers can use to build their applications, and the library covers the entire document imaging lifecycle.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead

A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw.

EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multipart/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.

GoAhead Web Server is a popular embedded web server designed to be a fully customizable web application framework and server for embedded devices. It provides all the base HTTP server functionality and provides a highly customizable platform for developers of embedded web applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with EmbedThis to ensure that these issues are resolved and that an update is available for affected customers.

Monday, November 25, 2019

Best practices for staying safe online during the holiday shopping season

By Jon Munshaw.

This holiday shopping season, the basics of avoiding a malware infection boil down to: If it sounds too good to be true, it probably is.

While sometimes retailers do give out small-dollar gift cards, that $500 discount on a new iPhone is probably not real. If it is a scam, it will definitely not help you get your new iPhone 11 Pro Max.

With Black Friday and Cyber Monday, Talos researchers are hitting radio and television networks to alert customers of what to do to stay safe while shopping online. Common attack vectors this time of year include fake websites, coupons, invoices and more, all designed to get shoppers to click on malicious links that eventually lead to adversaries stealing login, banking or personal information.

Friday, November 22, 2019

Threat Roundup for November 15 to November 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 15 and Nov. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 21, 2019

Threat Source newsletter (Nov. 21, 2019)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s nearly holiday shopping season, which means it’s prime scam season. On the latest Beers with Talos episode, we run down the best ways to stay safe while shopping online and how to detect phony emails. It’s also election season, which makes for some good discussion.

And, as it’s time to look back on the year that was, we have a new feature from Talos Incident Response where we take a quarter-by-quarter look at the top threats we’ve seen in the wild. In Q4 of Cisco’s fiscal year, our IR analysts mainly saw ransomware and cryptocurrency miners.

IR also had another exciting announcement this week, with the unveiling of a new cyber range that can help train employees to avoid common scams that can lead to malware infection. The cyber range now comes with any IR retainer.

The Threat Source newsletter is getting a week off next week for the Thanksgiving holiday in the U.S., so we’ll talk to you again in December.