Monday, August 19, 2019

Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera


Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Weave and Nest Labs to ensure that these issues are resolved and that an update is available for affected customers.

Friday, August 16, 2019

Beers with Talos Ep. #59: The tardy episode




Beers with Talos (BWT) Podcast episode No. 59 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded 8/2/19 - Yes, I know what today’s date is. We got really busy last week and I am sorry that the podcast is late. Really, I wish I wasn’t writing these notes at 12:#0r4-j3pofw…. What? Anyway, we talk about malvertising and dig into that ecosystem a bit looking at some of the competing priorities (hint: none of them are your privacy). We also discuss BlueKeep making its debut in Canvas and surely soon to follow in other fine pen testing platforms. We use that opportunity to review a little bit of RDP knowledge and defense. We’re recording again tomorrow and I really don’t want to hear what my co-hosts will say if this isn’t out by then, so I’m going to go hit publish now.

Threat Roundup for August 9 to August 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 9 and Aug. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 15, 2019

Threat Source newsletter (Aug. 15)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Sorry we missed you last week, we were all away at Hacker Summer Camp. If you missed us at Black Hat, we have a roundup up on the blog of some of the “flash talks” from our researchers and analysts.

Patch Tuesday was also this week, and we’ve got you covered with Snort rules and coverage of some of the most critical bugs. 

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, August 14, 2019

Talos Black Hat 2019 flash talk roundup


Talos went wall-to-wall at Hacker Summer Camp, showing up to Black Hat and DEFCON with talks, challenges, advice and education.

Over the course of two days at Black Hat, Cisco Security hosted more than 20 talks at our booth, many featuring Talos researchers and analysts.

In case you couldn't swing by the booth, we've got a quick recap of eight of those "flash talks" to give you a quick rundown of what our researchers wanted to get across. Click on each of these videos to hear each speaker give a quick recap, and stay tuned for a future Beers with Talos episode to hear all of them together.

Tuesday, August 13, 2019

Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated “critical," 65 that are considered "important" and one "moderate."

This month’s security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine. For more on our coverage of these bugs, check out our Snort advisories here, covering all of the new rules we have for this release.

Friday, August 9, 2019

Threat Roundup for August 2 to August 9

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 2 and Aug. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Monday, August 5, 2019

Vulnerability Spotlight: Multiple vulnerabilities in NVIDIA Windows GPU Display Driver, VMware ESXi, Workstation and Fusion


Piotr Bania of Cisco Talos discovered these vulnerabilities.

Executive summary

VMware ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability that can be triggered using a specially crafted shader file. This vulnerability can be triggered from a VMware guest, affecting the VMware host, leading to a crash (denial-of-service) of the vmware-vmx.exe process on the host (TALOS-2019-0757).

However, when the host/guest systems are using an NVIDIA graphics card, the VMware denial-of-service can be turned into a code execution vulnerability (leading to a VM escape), because of an additional security issue present in NVIDIA's Windows GPU Display Driver (TALOS-2019-0779).

Moreover, two out-of-bounds write vulnerabilities that could lead to arbitrary code execution have been found on NVIDIA Windows GPU Display Driver (TALOS-2019-0812, TALOS-2019-0813). These can be triggered by a specially crafted shader file.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA and VMware to ensure that these issues are resolved and that updates available for affected customers.

Friday, August 2, 2019

Threat Roundup for July 26 to Aug. 2

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 26 and Aug. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 1, 2019

Threat Source newsletter (Aug. 1, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Are you heading to Vegas next week for Hacker Summer Camp? Talos will. We’ll be at Black Hat and DEFCON holding a series of talks, taking resumes, answering questions and hosting a number of challenges. Check out our talk lineup for Black Hat here and a rundown of our activities at DEFCON here.

Everyone on the internet has seen the ads on web pages that suck you in with enticing headlines, too-good-to-be-true sales or highly specific offers. But many times, these ads can lead to malware. We took a deep dive into adware to talk about a slew of recent campaigns we’ve seen that have targeted some of the most popular sites on the web.

If you work with Snort rules at all, you have to check out our new Re2PCAP tool, which allows you to generate a PCAP file in seconds just from a raw HTTP request or response.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.