Monday, November 29, 2021

An Azure Sphere kernel exploit — or how I learned to stop worrying and love the IoT

By Claudio Bozzato and Lilith [^.^];.

As part of our continued research into Microsoft Azure Sphere, there are two vulnerabilities we discovered that we feel are particularly dangerous. For a full rundown of the 31 vulnerabilities we’ve discovered over the past year, check out our full recap here.

This blog post documents the entirety of our second Azure Sphere local privilege escalation bug chain (see our first one here). This LPE is a full Azure Sphere kernel exploit that was written without access to a kernel debugger. This work was presented at Hitcon 2021.

Wednesday, November 24, 2021

Talos Takes Ep. #78: Attackers would love to buy you a non-existent PS5 this holiday season

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We know this episode comes around every year, but people keep falling for scams, so we have to remind people how to avoid them.

Tuesday, November 23, 2021

Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage

Cisco Talos is releasing new SNORTⓇ rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer. This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.

Monday, November 22, 2021

A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades

Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere

By Claudio Bozzato and Lilith [>_>].

In May 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. In the first three months, Cisco Talos reported 16 vulnerabilities. Our analysis continued intermittently, and eventually, we discovered and reported a total of 31 published vulnerabilities, two of which were present in the Linux kernel itself.

We already released several blog posts about Azure Sphere (see blog posts 1, 2, 3, 4, 5). Today, we’re putting a bow on our research by summarizing what we’ve found and how attackers could exploit them, and what that would mean for the user. We also have another blog post coming next week that will detail how we exploited a chain of two vulnerabilities to gain arbitrary kernel code execution.

Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet

Yuri Kramarz discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. 

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. 

TALOS-2021-1366 (several CVEs, please refer to advisory for more information), TALOS-2021-1365 (CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923), TALOS-2021-1363 (CVE-2021-21915, CVE-2021-21916, CVE-2021-21917) and TALOS-2021-1364 (CVE-2021-21918, CVE-2021-21919) are SQL injection vulnerabilities that exist in various R-SeeNet pages.

Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021

Executive summary

Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment. These email campaigns exhibit characteristics previously described here. International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.

Vulnerability Spotlight: PHP deserialize vulnerability in CloudLinux Imunify360 could lead to arbitrary code execution

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. 

Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security.

Friday, November 19, 2021

Threat Roundup for November 12 to November 19

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 12 and Nov. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Beers with Talos, Ep. #111: We say goodbye to Craig and his killer robots

Beers with Talos (BWT) Podcast episode No. 111 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

We apologize for holding onto this for so long, but we wanted to formally bid farewell to Craig once we were ready to move on to the next act for Beers with Talos. So the good news is, we'll have a new host come the next episode! The bad news is, we have to say goodbye to Craig for now.

We spent a good chunk of this episode reminiscing with Craig, but also touched on new internet-sharing applications that are suddenly the next hot thing in malware. 

Talos Takes Ep. #77: How to connect to (and safely use) public WiFi

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Whenever we walk into a bar or restaurant, it's almost a given that we're going to ask the bartender or server: "What's the WiFi password?"