Wednesday, October 21, 2020

Vulnerability Spotlight: A deep dive into WAGO’s cloud connectivity and the vulnerabilities that arise


Vulnerability Spotlight: A deep dive into WAGO’s cloud connectivity and the vulnerabilities that arise

Report and research by Kelly Leuschner.

WAGO makes several programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. Cisco Talos discovered 41 vulnerabilities in their PFC200 and PFC100 controllers. In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues were resolved and that a firmware update is available for affected customers.

Since a patch has been available to affected customers for some time, we wanted to take this opportunity to discuss several attack chains that exploit WAGO’s cloud connectivity client known as “dataagent” to gain root access to the device. You can also catch a technical presentation of these vulnerabilities at the virtual CS3Sthlm conference on Oct. 22, 2020. 

WAGO provides a cloud connectivity feature for users to access remote telemetry from their devices and even issue firmware updates remotely. Cloud connectivity provides an interesting attack vector, where the attack originates from a trusted cloud provider but the cloud instance itself is attacker-controlled. The scenario we will dive into today is one where the attacker has access to legitimate cloud infrastructure and can abuse WAGO’s custom protocol to gain root privileges on the device.

We’ll first dive into the technical details of each of the vulnerabilities themselves. Then we’ll discuss how these vulnerabilities can be combined in two distinct attack chains that result in the ability to gain root privileges on the device.

What to expect when you’re electing: A recap

We’re roughly two weeks out from Election Day in America, although millions of early and mail-in votes have already been cast. In the coming days, there’s sure to be a flurry of news stories about disinformation, allegations of voter fraud, the back-and-forth between parties and talks of when the results can be trusted, and someone can call the presidential race. 

While Cisco Talos can’t provide you all the answers, we can at least give you an idea of what American election officials at the state, local and national levels are currently facing. We at Talos and elsewhere across Cisco Secure have released several research papers, blog posts, graphics, videos and more discussing election security and disinformation this year. 

Here’s a complete list of everything we’ve covered so far. Please share this information with friends, family members and colleagues as we all try to keep up with the news cycle between now and Nov. 3 (and likely far beyond that). 

Tuesday, October 20, 2020

Vulnerability Spotlight: Code execution vulnerability in Google Chrome WebGL


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to gain the ability to execute code on the victim machine. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in WebGL, which is a Chrome API responsible for displaying 3-D graphics.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.

Dynamic Data Resolver - Version 1.0.1 beta

By Holger Unterbrink.

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented.

We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two flavors: a release version and a debugging version. The latter will improve code quality and bug hunting. It helps to detect memory leaks and minor issues which are silently handled by the underlying DynamoRIO framework in the release version. We also improved the installer and the IDA plugin is now installed to the user plugin directory instead to the IDA installation directory under Program Files. The IDA plugin and all its dependencies are also now automatically installed by a script.  

You can download DDR, version 1.0.1 beta here

Fantastic news! DDR has won the HexRays IDA plugin contest 2020

We would like to thank HexRays for recognizing this plugin and awarding it with the first prize in their IDA plugin contest. We hope HexRays keeps up the fantastic work they are doing with IDA. It makes our reverse-engineering lives a bit easier every day.

Friday, October 16, 2020

Threat Roundup for October 9 to October 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 9 and Oct. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or

Beers with Talos ep. #94: Nigel is marching on, victorious and glorious

Beers with Talos (BWT) Podcast episode No. 94 is now available. Download this episode and
subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Sept. 25, 2020

Today is Nigel’s last episode as a regular host of BWT. Join us in wishing him a happy transition to his next chapter. As we all know, Nigel won’t ever actually retire. Today’s show is us chatting with Nigel — about his career and his take on the industry as he entered, and now as he moves on to whatever comes next. Every aspect of Talos is better off because Nigel was here, as well as so many of the people he came across along the way.

We will all miss your daily presence, but we are excited to see what you come up with next. Cheers.

Thursday, October 15, 2020

Threat Source newsletter (Oct. 15, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In our latest entry into our election security series, we’re turning our attention to the professionals who are responsible for securing our elections. After months of research, we’ve compiled a series of recommendations for local, state and national officials to combat disinformation and secure Americans’ faith in the election system. 

Patch Tuesday was also this week, which as usual, brought with it a big Snort rule release and our breakdown of the important Microsoft vulnerabilities you need to know about. 

What to expect when you're electing: How election officials can counter disinformation


By Matthew Olney and the communications and public relations professionals at Cisco.

Editor's Note: For more on this topic, sign up for a Cisco Duo webinar on election security on Oct. 15 at 1 p.m. ET here.

In our work with our partners in the election security space, the most difficult question we’ve been asked is “What do we do about disinformation campaigns?” This isn’t something Talos usually specializes in, as it’s not a true technical security problem. However, one of the great benefits of working at Cisco is the incredible breadth of capability of our coworkers and partners. So, correctly framing the question as a communications issue, we worked with Cisco communications professionals and our outside communications partners to put together an outline of a communications plan for elections officials facing disinformation campaigns. 

To help the reader understand why we’re making the recommendations we are, we will summarize here the findings of our previous reports on elections security and disinformation. In short, we have found that while one of the goals of foreign adversaries may be to favor a particular candidate, the primary objective of both disinformation campaigns and election interference up to this point is to aggravate existing social, cultural and political divisions and sow doubt about the fairness and integrity of Western democracies. The driving goal here is to weaken the United States and other global democratic powers to allow foreign adversaries to more easily achieve their geopolitical objectives. Here's a similar set of recommendations specifically for voters.

Vulnerability Spotlight: Code execution, information disclosure vulnerabilities in F2FS toolset

Vulnerabilities discovered by a Cisco Talos researcher. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple code execution and information disclosure vulnerabilities in various functions of the F2FS toolset. F2FS is a filesystem toolset commonly found in embedded
devices that creates, verifies and/or fixes Flash-Friendly File System files. An attacker could provide a malicious file to the target to trigger these vulnerabilities, causing a variety of negative conditions for the target.

In accordance with Cisco’s coordinated disclosure policy, we are disclosing these vulnerabilities without an update from F2FS after the organization failed to meet the 90-day deadline.

Tuesday, October 13, 2020

Vulnerability Spotlight: Denial of service in AMD ATIKMDAG.SYS driver


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in the ATIKMDAG.SYS driver for some AMD graphics cards. An attacker could send the victim a specially crafted D3DKMTCreateAllocation API request to cause an out-of-bounds read, leading to a denial-of-service condition. This vulnerability could be triggered from a guest account.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to disclose this vulnerability and ensure an update is available