Tuesday, December 20, 2016

IEC 104 Protocol Detection Rules

IEC 60870-5-104 Protocol Detection Rules

Cisco Talos has released 33 Snort rules which analyze/inspect IEC 60870-5-104 network traffic. These rules will help Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) asset owners identify both normal and abnormal traffic in their environments.

In order for these rules to be effective, they should be selectively enabled. SIDs 41053-41077 detect various TypeIDs; if a specific TypeID is not in use in the environment, the rule for it should be enabled. SIDs 41078-41079 detect IEC 104 traffic entering or exiting the ICS network; if 104 traffic is not supposed to enter or exit the ICS network, these SIDs should be enabled.

Some of the rules require both the Snort $EXTERNAL_NET and $HOME_NET variables to be correctly configured in order to be effective. If a network does not carry IEC 104 traffic, these rules should not be enabled: they are only intended to detect IEC 104 traffic and will likely produce false positives (FPs) on non-IEC 104 traffic.

What is IEC 104?

IEC 104 is a network protocol that is commonly used in ICS/SCADA environments. Various ICS/SCADA devices use IEC 104 to communicate with other ICS devices such as, but not limited to, Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs).

FirePower 6.1 enabling a SID
Read more on the snort blog here

Vulnerability Spotlight: Tarantool Denial of Service Vulnerabilities

Vulnerabilities discovered by Talos

Talos is disclosing two denial of service vulnerabilities (CVE-2016-9036 & CVE-2016-9037) in Tarantool. Tarantool is an open-source Lua-based application server. While primarily functioning as an application server, it is also capable of providing database-like features, including an in-memory database which can be queried using a protocol based around the MsgPack serialization format. Tarantool is used by various service providers such as Mail.RU and Badoo.

Monday, December 19, 2016

In the Eye of the Hailstorm

This blog post was authored by Jakob Dohrmann, David Rodriguez, and Jaeson Schultz.

The Cisco Talos and Umbrella research teams are deploying a distributed hailstorm detection system which brings together machine learning, stream processing of DNS requests and the curated Talos email corpus.

Talos has discussed snowshoe spam before. Traditional snowshoe spam campaigns are sent from a large number of IP addresses, and a low volume of spam email per IP address. Using such techniques, snowshoe spammers intend to fly under the radar with respect to any reputation or volume-based metrics that could be applied by anti-spam systems. This post concerns "hailstorm" spam. Hailstorm spam is an evolution of snowshoe spam. Both snowshoe and hailstorm spam are sent using a large number of sender IP addresses, but unlike snowshoe spam, hailstorm campaigns are sent out in very high volume over a short timespan. In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response.

The images below, taken from Umbrella Investigate, nicely illustrate the difference between a typical snowshoe spam campaign versus a typical hailstorm spam campaign. The top image below illustrates what the DNS query volume looks like for a domain involved in a typical snowshoe attack. Note the maximum query rate is only 35 queries per hour for the snowshoe domain example. The bottom graph, in contrast, shows the DNS query volume for a domain involved in a typical hailstorm attack. In this graph, there is practically no query volume until suddenly when the DNS query volume spikes to over 75K queries per hour, then drops back down to nothing.

Typical DNS query volume patterns for traditional snowshoe spam (top) vs. hailstorm spam (bottom).

Wednesday, December 14, 2016

Vulnerability Spotlight: Local Denial of Service Bug in NVIDIA Windows Kernel Mode Drivers Fixed

Bugs are inevitable in complex systems and software. Operating systems and device drivers are prime examples where layers of abstraction help hide complexity and allow hardware and software to communicate. Thus, when bugs are identified that could compromise, disrupt, or bring systems to a halt, care must be taken to address them. Talos, in coordination with NVIDIA, is disclosing the existence of a local denial of service bug in the NVIDIA Windows Kernel Mode Driver: TALOS-2016-0217 (CVE-2016-8823).

TALOS-2016-0217 manifests as a deficiency in the handling of messages in the communication functionality of the NVIDIA Windows Kernel Mode Driver. Exploitation of this flaw could result in a denial of service condition where the system enters a bug check (blue screen crash). The execution of an application that sends a specifically crafted message to the driver could trigger this vulnerability.

Tuesday, December 13, 2016

Microsoft Patch Tuesday - December 2016

The final patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 12 bulletins addressing 48 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Microsoft Graphics Components, Microsoft Uniscribe, and Adobe Flash Player. The remaining seven bulletins are rated important and address vulnerabilities in various Windows components including kernel, crypto driver, and installer.

Vulnerability Spotlight: Joyent SmartOS

Vulnerability discovered by Tyler Bohan


Talos is disclosing a series of vulnerabilities in Joyent SmartOS, specifically in the hyprlofs filesystem. SmartOS is an open source hypervisor that is based on a branch of OpenSolaris. Hyprlofs is a SmartOS in-memory filesystem that allows users to map files from various different locations under a single namespace. Additionally, hyprlofs allows new virtual file systems to be created quickly and easily. Three core vulnerabilities are being disclosed; however, since each is found in both the 32-bit and 64-bit versions, there are a total of six CVEs related to six Talos reports. For all of the vulnerabilities discussed, an attacker would need the PRIV_HYPRLOFS_CONTROL privilege in order for them to be exploitable.

Wednesday, December 7, 2016

Floki Bot Strikes, Talos and Flashpoint Respond

This blog post was authored by Ben Baker, Edmund Brumaghin, Mariano Graziano, and Jonas Zaddach

Executive Summary


Floki Bot is a new malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. Rather than simply copying the features that were present within the Zeus trojan "as-is", Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. As Talos is constantly monitoring changes across the threat landscape to ensure that our customers remain protected as threats continue to evolve, we took a deep dive into this malware variant to determine the technical capabilities and characteristics of Floki Bot.

During our analysis of Floki Bot, Talos identified modifications that had been made to the dropper mechanism present in the leaked Zeus source code in an attempt to make Floki Bot more difficult to detect. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network. However, this functionality does not appear to be active for the time being. Finally, through the use of the FIRST framework during the analysis process, Talos was able to quickly identify code/function reuse between Zeus and Floki Bot. This made sample analysis more efficient and decreased the amount of time spent documenting various functions present within the Floki Bot samples we analyzed.

Talos worked in collaboration with Flashpoint during the analysis of Floki Bot. This collaborative effort allowed Talos and Flashpoint to quickly communicate intelligence data related to active campaigns distributing Floki Bot as well as data regarding the technical functionality present within the malware. Additionally, Talos is making scripts available to the open source community that will help malware analysts automate portions of the Floki Bot analysis process and make the process of analyzing Floki Bot easier to perform.

Tuesday, December 6, 2016

Vulnerability Spotlight: ImageMagick Convert Tiff Out of Bounds Write

Vulnerability discovered by Tyler Bohan 


Talos is disclosing TALOS-2016-0216 / CVE-2016-8707, an out of bounds write vulnerability in ImageMagick. ImageMagick is a photo editing software program that allows users to edit and manipulate various types of image files. This particular vulnerability lies in the convert utility that is bundled as part of ImageMagick. The utility is used to parse and convert images and other formats interchangeably. The vulnerability occurs when attempting to deflate an Adobe Deflate compressed TIFF image. The buffer that is created to hold the decompressed data associated with the TIFF image is not large enough to hold the decompressed stream. This results in a controlled out of bounds write that under proper circumstances could be exploited into full remote code execution. The full details surrounding the vulnerability are available here.

Thursday, December 1, 2016

Project FIRST: Share Knowledge, Speed up Analysis

Project FIRST is led by Angel M. Villegas. This post is authored by Holger Unterbrink.

Talos is pleased to announce the release of the Function Identification and Recovery Signature Tool (FIRST). It is an open-source framework that allows sharing of knowledge about similar functions used across file types that IDA Pro can analyze. The aim is to create a community for the infosec analysts and reverse engineers that promotes the sharing of information.

The main idea behind FIRST is to preserve an engineer’s analysis of certain functions (name, prototype, comment, etc) by using methods like opcode hashing, mnemonic hashing, locality sensitive hashing, etc. By collecting and storing these signatures centrally the framework can provide them later to the community via the API/Plugin. The goal is to provide quick lookups for similar functions (see Fig. A) to avoid losing time with analysing a function which was already analysed before in another sample or by another engineer.
Fig. A
For example, a researcher in Spain analyzed a sample. He annotated the analysed functions and uploaded the information to the server. Later, a researcher in California comes across a variant of the sample and queries the FIRST server in order to find similarities with known binaries. He is lucky: someone has already analysed these functions, so he does not need to reinvent the wheel; he can use the matches found in the framework and speed up his analysis.

Monday, November 28, 2016

Cerber Spam: Tor All the Things!

This post authored by Nick Biasini and Edmund Brumaghin with contributions from Sean Baird and Andrew Windsor.

Executive Summary

Talos is continuously analyzing email-based malware, always looking at how adversaries change and the new techniques that are being added on an almost constant basis. Recently we noticed some novel ways that adversaries are leveraging Google and Tor2Web proxies to spread a ransomware variant, Cerber 5.0.1.

This particular campaign looks to have started on November 24th and has been ongoing for the past several days. This campaign did not use the advanced techniques that we sometimes see used by adversaries, such as well written, professional looking emails with legitimate signature blocks or other identifying characteristics. In this campaign, the emails were anything but professional. However, they did vary significantly from what we typically see from a ransomware distribution perspective.

Today, spam based ransomware infections are heavily skewed toward Locky. The majority of spam messages we see today are affiliates producing large amounts of spam that leverage various types of script-based file extensions to download the Locky executable and infect systems. This campaign looked different in that the messages didn't contain an attachment and were extremely short and basic. What we found was a potential next evolution for ransomware distribution that relies more heavily on Tor to obfuscate their activity and hinder the ability to shut down servers that are hosting the malicious content.

Talos Responsible Disclosure Policy Update

Responsible disclosure of vulnerabilities is a key aspect of security research. Often, the difficulty in responsible disclosure is balancing competing interests - assisting a vendor with patching their product and notifying the general public to prevent a 0-day situation. It is uncomfortable to acknowledge that if a white hat team has discovered a vulnerability in a high value target, it stands to reason their adversaries may also be trying to exploit the same issue. Researchers must carefully balance the needs and capabilities of vendors to fix a product with the safety and security of our customers and the community as a whole.

Talos has been measuring the timelines, industry responsiveness, and end results with regard to our responsible disclosure policy and today, we are announcing a few changes. The full text of the Vendor Vulnerability Reporting and Disclosure Policy can be found here:

These changes include timeline adjustments based on vendor feedback and industry changes since we last addressed our Disclosure Policy.

Tuesday, November 22, 2016

Fareit Spam: Rocking Out to a New File Type

This post authored by Nick Biasini

Talos is constantly monitoring the threat landscape, including the email threat landscape. Lately this landscape has been dominated by Locky distribution. During a recent Locky vacation, Talos noticed an interesting shift in the file types being used to distribute another well-known malware family, Fareit.

We've discussed Fareit before; it's a trojan used to steal credentials and distribute multiple different types of malware. The focus of this post will not be on Fareit but on a new way attackers are working to distribute it via email. Locky has been a case study in how to leverage different file extensions in email to distribute malware. Various file types such as .js, .wsf, and .hta have been used quite successfully for Locky. We've already noted other threats making use of .js for distribution, largely due to Locky's success. Recently we observed another uncommon file type associated with email and decided to dig a little further into the infection chain.

Email Campaign

Thursday, November 17, 2016

Vulnerability Spotlight: Multiple File Parsing Bugs in HDF5 File Library Patched

These vulnerabilities were discovered by the Talos Vulnerability Development Team.

Today, Talos is disclosing the discovery of four vulnerabilities which have been identified in HDF5. HDF5 is a file format that is designed to be used for storage and organization of large amounts of scientific data and is used to exchange data between applications. In the GIS industry it is used via libraries such as GDAL and OGR, or as part of software like ArcGIS. HDF5 is maintained by The HDF Group, a non-profit organization which Talos coordinated with to ensure these vulnerabilities were disclosed in a responsible manner. These vulnerabilities were patched in the HDF5 1.8.18 release.

The following is a list of the vulnerabilities that have been identified and patched:

Vulnerability Details


A vulnerability exists because HDF fails to check the number of dimensions for an array read against the bounds of the space allocated for it. When reading elements from the file into this array, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution in the context of the application using the library.


A buffer overflow vulnerability exists when the library is decoding data out of a dataset encoded with H5Z_NBIT. When calculating the precision of an encoded BCD number, the library will fail a bounds check leading the library to calculate an index outside the bounds of the space allocated for the BCD number. The library will then write outside the bounds of the buffer leading to a heap-based buffer overflow and possible code execution.


A vulnerability exists due to the library's failure to check if specific message types support a particular flag. When this flag is set, the library will cast the structure to an alternate structure and then assign to fields that aren't supported by the message type. The message type is not able to support this flag and the library will write outside the bounds of the heap buffer, which can lead to code execution.


This report details a heap-based buffer overflow which manifests in the H5O_dtype_decode_helper routine when parsing an HDF file. Due to inadequate handling of certain values in memory while the file is being parsed, a user who opens a specifically crafted HDF file could exploit this flaw and achieve code execution in the context of the application using the library.

For the full details of each of these vulnerabilities, please visit our vulnerability reports here:



Talos has released rules that detect attempts to exploit these vulnerabilities to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40791-40794, 40801-40810

Tuesday, November 15, 2016

Crashing Stacks Without Squishing Bugs: Advanced Vulnerability Analysis

This post is authored by Marcin Noga with contributions by Holger Unterbrink


Crash triaging can be a long and complicated process; by using proper tools and having an optimal approach, we can make this a bit easier and less time consuming. In this post we describe a triaging strategy and toolset based on two examples of vulnerability classes:

  • Stack based buffer overflow
  • Heap based buffer overflow / Heap corruption

As examples we will use real vulnerabilities found by Marcin Noga of Talos earlier this year.

Lexmark Perceptive Document Filters XLS Convert Code Execution Vulnerability
Lexmark Perceptive Document Filters CBFF Code Execution Vulnerability

The tools we intend to use:
  • Valgrind
  • Gdb
  • Peda
  • DUMA
  • IDA
  • RR debugger

Tuesday, November 8, 2016

Microsoft Patch Tuesday - November 2016

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. For a detailed explanation of each of the categories listed below, please go to https://technet.microsoft.com/en-us/security/gg309177.aspx.

This month's release is packed full of goodies, but you don't want to wait to review them over Thanksgiving dinner as there are 14 unique bulletins addressing multiple vulnerabilities.

Critical bulletins address vulnerabilities in (alphabetically):

  • Adobe Flash Player
  • Edge
  • Graphics Component
  • Internet Explorer
  • Video Control
  • Windows

Thursday, November 3, 2016

Take the RIG Pill: Down the Rabbit Hole

This post is authored by Holger Unterbrink with contributions by Christopher Marczewski


Executive Summary

Talos monitors the big, notorious Exploit Kits (EKs) on an ongoing basis. Since Angler disappeared a few months ago, RIG is one EK which seems to be trying to fill the gap Angler left. We see ongoing development on RIG. This report gives more details about the complex infection process the adversaries behind RIG use to infect their victims and how they attempt to bypass security software and devices.

The adversaries are leveraging Gates (e.g. EITest) to redirect the users to their Landing Page. This leads to a chain of redirects, before the victim finally gets on the landing page of the exploit kit. They are using different methods and stages to deliver the malware files. The same malware file often gets written and executed multiple times on the victim's PC. If one method doesn’t work or is blocked by an Anti-Malware solution, they have a couple of backup methods. All stages and methods are obfuscated, some more, some less.

Wednesday, November 2, 2016

Vulnerability Spotlight: Windows 10 Remote Denial of Service

Vulnerability discovered by Piotr Bania of Cisco Talos.


Talos is releasing an advisory for a remote denial of service vulnerability in Microsoft Windows 10 AHCACHE.SYS (TALOS-2016-0191 / CVE-2016-3369).
An attacker can craft a malicious portable executable file which, if accessed, causes AHCACHE.SYS to attempt to access out-of-scope memory. This triggers a bugcheck in the Windows kernel, causing the system to crash and denying service to the user. Although AHCACHE.SYS is the driver that handles local cache compatibility information, exploiting this vulnerability does not allow the attacker to execute code or elevate user privileges.

Monday, October 31, 2016

Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached Identified and Patched

Vulnerabilities identified by Aleksandar Nikolich of Talos.

Our efforts to make the internet safer and protect our customers involve, amongst many other things, researching and identifying zero-day vulnerabilities in third-party software. As part of our effort to find and responsibly disclose vulnerabilities we identify through our programmatic methods, Talos is disclosing the identification of three vulnerabilities in Memcached. Memcached is an open-source, high-performance, distributed memory caching system used to speed up dynamic websites which rely on a database backend, and is widely used in various online applications. Memcached developers have released a patch that addresses the vulnerabilities we are disclosing today.

Vulnerability Details

Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems which also have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw due to how Memcached handles SASL authentication commands.

Sundown EK: You Better Take Care

This post was authored by Nick Biasini

Over the last six months the exploit kit landscape has seen some major changes. These changes began with Nuclear ceasing operations in April/May and arrests in Russia coinciding with the end of Angler in June. Recently, Neutrino has been added to the list of exploit kits that have stopped being actively used in 2016. What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.

It's now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits. It's not to say these kits aren't significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.

Wednesday, October 26, 2016

Vulnerability Spotlight: Iceni Argus Buffer Overflows

Vulnerabilities discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos has identified two stack-based buffer overflows (TALOS-2016-0200 & TALOS-2016-0202) in the Iceni Argus PDF content extraction software. This software is used to convert a PDF document into various tagged and XML-based formats (such as XHTML). Software such as MarkLogic uses Iceni Argus for PDF document conversions as part of its web-based document search and rendering. Both vulnerabilities occur in the PDF to HTML converter functionality. An attacker can send or provide a specially crafted PDF file that causes a buffer overflow, triggering either of these vulnerabilities and resulting in arbitrary code execution.

CVE-2016-8333 (TALOS-2016-0200) Iceni Argus ipfSetColourStroke Code Execution

CVE-2016-8335 (TALOS-2016-0202) Iceni Argus ipNameAdd Code Execution


CVE-2016-8333 occurs when the `ipfSetColourStroke` function is executed. This function calls `getRealArgArray`, which attempts to copy the elements of the `opStack` container without verifying whether the source array is larger than the destination array. The destination array is fixed at a maximum of nine 4-byte values. Since the data in the PDF header defines the elements of the `opStack`, a malformed PDF can create a situation in which the source contains more than nine elements, causing a buffer overflow which can lead to arbitrary code execution.

CVE-2016-8335 occurs in the ipNameAdd functionality of Iceni Argus. Examining this function, you can easily see the guilty line. The function includes the following line:

strcpy(dest, src);

This occurs without any prior checking of the arguments, a classic example of a buffer overflow. Surprisingly, a length check does occur, but only after the strcpy call, which makes it totally ineffective. To take advantage of the overflow, however, the malformed PDF must define a `token` that is not a "regular" named object (objects that start with a `/`), since "regular" named objects never reach the strcpy line during execution.
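The check-after-copy ordering described above, as an added example that is not Iceni's code: a hypothetical `name_add_check_after_copy` mirrors the pattern the advisory describes (unbounded copy first, length check afterwards), and `name_add_checked` shows the corrected form, which establishes the length within the destination's capacity before any byte is written. `TOKEN_CAP`, the function names and the sample tokens are invented for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size name buffer in this example (a made-up value,
   not Iceni's). */
#define TOKEN_CAP 32

/* Hypothetical "before" form mirroring the ordering the advisory describes:
   the unbounded copy runs first and the length check only afterwards, so a
   token longer than TOKEN_CAP - 1 bytes has already overrun `dest` before
   the check can reject it. Shown only to illustrate the defect; never feed
   it untrusted input. */
int name_add_check_after_copy(const char *src)
{
    char dest[TOKEN_CAP];

    strcpy(dest, src);                  /* overflow happens here ...          */
    if (strlen(src) >= sizeof dest)     /* ... and this check comes too late  */
        return -1;
    return 0;
}

/* Hardened form: memchr never scans past `dest_len` bytes, so an over-long
   or unterminated source is rejected before anything is written. Rejecting
   is preferable to silent truncation, which can change a token's meaning. */
int name_add_checked(const char *src, char *dest, size_t dest_len)
{
    if (src == NULL || dest == NULL || dest_len == 0)
        return -1;

    const char *nul = memchr(src, '\0', dest_len);
    if (nul == NULL)                    /* no terminator within capacity: too long */
        return -1;

    size_t n = (size_t)(nul - src);     /* n < dest_len, so n + 1 bytes fit */
    memcpy(dest, src, n + 1);           /* copies the terminator as well    */
    return 0;
}

/* Convenience wrapper for the stand-alone demo: 1 = accepted and copied
   intact into a TOKEN_CAP buffer, 0 = rejected. */
int name_add_accepts(const char *src)
{
    char buf[TOKEN_CAP];
    if (name_add_checked(src, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, src) == 0;
}

int main(void)
{
    /* Constructed inputs: a short token and a 40-byte token. */
    const char *short_tok = "Helvetica";
    const char *long_tok  = "0123456789012345678901234567890123456789";

    printf("short token accepted: %d\n", name_add_accepts(short_tok)); /* 1 */
    printf("long token accepted:  %d\n", name_add_accepts(long_tok));  /* 0 */
    return 0;
}
```

The boundary case worth testing is a token of exactly `TOKEN_CAP - 1` characters, which fits with its terminator, versus `TOKEN_CAP` characters, which does not; the hardened function rejects the latter instead of dropping the terminator.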

Tested Versions


Iceni Argus Version 6.6.04 (Sep 7 2012) NK


Iceni Argus Version 6.6.04 (Sep 7 2012) NK - Linux x64
Iceni Argus Version 6.6.04 (Nov 14 2014) NK - Windows x64


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40336-40337, 40484-40487

Full Vulnerability Reports


Tuesday, October 25, 2016

Vulnerability Spotlight: LibTIFF Issues Lead To Code Execution

These Vulnerabilities were discovered by Tyler Bohan of Cisco Talos.

Talos is releasing multiple vulnerabilities (TALOS-2016-0187, TALOS-2016-0190 & TALOS-2016-0205) in the LibTIFF library. One vulnerability (TALOS-2016-0187) is an exploitable heap-based buffer overflow that impacts the LibTIFF TIFF2PDF conversion tool. Another vulnerability (TALOS-2016-0190) impacts the parsing and handling of TIFF images, ultimately leading to remote code execution. The final vulnerability (TALOS-2016-0205) is an exploitable heap-based buffer overflow in the handling of compressed TIFF images in LibTIFF's PixarLogDecode API. An attacker who can trick a user into processing a malformed TIFF document can use one of these vulnerabilities to achieve remote code execution on the targeted system.

The Tagged Image File Format (TIFF) was developed in the mid-1980s as a common file format able to store image data losslessly for the burgeoning image manipulation industry. Since then TIFF files have been widely adopted within the graphic arts industry, and also by electronic fax systems.

Monday, October 24, 2016

Pumpkin Spiced Locky

This post was authored by Warren Mercer & Edmund Brumaghin


We had .locky, we had .odin and then we had .zepto but today we hit rock bottom and we now have Locky using .shit as their encrypted file extension. In today's latest wave of spam, Talos has observed three distinct spam campaigns distributing the newest version of Locky ransomware. This comes after a seeming vacation for Locky for around two weeks. Using the LockyDump utility that was previously released by Talos, we were able to determine that there are distinct differences in the characteristics of the malware campaigns that seem to correlate with the Affiliate ID associated with the Locky binaries that are delivered by each campaign.

The technical details of the Locky ransomware family itself have been extensively documented and reported on, so we won’t spend time providing an in-depth technical analysis of the family itself. This post highlights some of the distinct characteristics that we have observed for each campaign. We will summarize all Indicators of Compromise (IOCs) at the end of this post.

Wednesday, October 19, 2016

MBRFilter - Can't Touch This!

This post was authored by Edmund Brumaghin and Yves Younan

Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments. 


Ransomware has become increasingly prevalent in the industry, and in many cases, unless there is a publicly released decryptor available, there is often not an easy means of retrieving encrypted files once a system has been infected. In addition to the creation and maintenance of regular system backups, it is increasingly important to focus on a multi-tiered defense-in-depth network architecture in an effort to prevent initial endpoint infection. This is often difficult in an evolving threat landscape where new ransomware families are being developed and deployed seemingly every day by threat actors of varying levels of sophistication.

While many ransomware families focus on encrypting all or part of a target system’s files, others, such as Petya, instead overwrite the contents of the Master Boot Record (MBR) to force a system reboot and then encrypt only the Master File Table (MFT) of the hard drive on infected systems, as a way to coerce users into paying the threat actors for the encryption keys required to decrypt their files.

To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.

Tuesday, October 18, 2016

Vulnerability Spotlight: Hopper Disassembler ELF Section Header Size Code Execution

Vulnerability Discovered by Tyler Bohan and Cory Duplantis of Cisco Talos

Talos has identified an exploitable out-of-bounds write vulnerability in the ELF section header parsing functionality of Hopper (TALOS-2016-0222/CVE-2016-8390). Hopper is a reverse engineering tool for macOS and Linux allowing the user to disassemble and decompile 32/64-bit Intel-based Mac, Linux, Windows and iOS executables. During the parsing of ELF section headers, a user-controlled size is not validated; a malicious threat actor could craft an ELF file with specific section headers to trigger this vulnerability, potentially leading to remote code execution. A malicious threat actor could use a zip file containing the crafted executable to target threat researchers, sent via phishing or file sharing sites. This type of exploit can also be used as an anti-analysis measure in an attempt to defeat sandboxes and automated disassembly.

Hopper has been updated; the changelog can be read at this URL: https://www.hopperapp.com/rss/html_changelog_v3.php
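Validating a file-supplied size field against the real file bounds before using it, as an added example that is neither Hopper's code nor the real ELF section header layout: `parse_sections` reads a toy section table whose layout, names and sample bytes are invented here, and `naive_bounds_ok` shows the wrap-around check it replaces. The same subtraction-based comparison is the general fix for length arithmetic on untrusted input, which is also the shape of the integer overflow issue in the Memcached advisory below on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy table layout, invented for this example (not the real ELF section
   header format): a little-endian u32 entry count, then `count` entries of
   {u32 offset, u32 size} describing byte ranges inside the same file. */
#define HDR_LEN   4u
#define ENTRY_LEN 8u

typedef struct { uint32_t offset; uint32_t size; } section_t;

static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check a careless parser would write: off + sz can wrap around in
   32-bit arithmetic, so a huge size slips past the comparison. */
int naive_bounds_ok(uint32_t off, uint32_t sz, uint32_t file_len)
{
    return off + sz <= file_len;
}

/* Hardened parser. Every file-supplied count, offset and size is compared
   against what the buffer actually holds before it is used, and the
   arithmetic is arranged so it cannot overflow. Returns the number of
   entries written to `out`, or -1 if any field is inconsistent. */
int parse_sections(const uint8_t *file, size_t file_len,
                   section_t *out, size_t max_out)
{
    if (file == NULL || file_len < HDR_LEN)
        return -1;

    uint32_t count = rd_u32(file);
    /* Bound the table before reading it: count * ENTRY_LEN must fit in the
       bytes after the header. Dividing instead of multiplying avoids wrap. */
    if (count > (file_len - HDR_LEN) / ENTRY_LEN || count > max_out)
        return -1;

    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = file + HDR_LEN + (size_t)i * ENTRY_LEN;
        uint32_t off = rd_u32(e);
        uint32_t sz  = rd_u32(e + 4);
        /* Subtract rather than add: neither comparison can overflow. */
        if (off > file_len || sz > file_len - off)
            return -1;
        out[i].offset = off;
        out[i].size   = sz;
    }
    return (int)count;
}

/* Constructed sample files. GOOD describes two 4-byte sections ("ABCD" at
   offset 20, "EFGH" at offset 24) in a 28-byte file. BAD is identical except
   the second entry claims a size of 0xFFFFFFF0, which wraps past the end.
   HUGE claims 0xFFFFFFFF entries in an 8-byte file. */
static const uint8_t SAMPLE_GOOD[] = {
    2, 0, 0, 0,                 /* count = 2                      */
    20, 0, 0, 0,  4, 0, 0, 0,   /* entry 0: offset 20, size 4     */
    24, 0, 0, 0,  4, 0, 0, 0,   /* entry 1: offset 24, size 4     */
    'A','B','C','D','E','F','G','H'
};
static const uint8_t SAMPLE_BAD[] = {
    2, 0, 0, 0,
    20, 0, 0, 0,  4, 0, 0, 0,
    24, 0, 0, 0,  0xF0, 0xFF, 0xFF, 0xFF,   /* entry 1: size 0xFFFFFFF0 */
    'A','B','C','D','E','F','G','H'
};
static const uint8_t SAMPLE_HUGE[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 };

/* Wrappers with fixed scratch storage, for the stand-alone demo. */
int demo_parse_good(void) { section_t s[4]; return parse_sections(SAMPLE_GOOD, sizeof SAMPLE_GOOD, s, 4); }
int demo_parse_bad(void)  { section_t s[4]; return parse_sections(SAMPLE_BAD,  sizeof SAMPLE_BAD,  s, 4); }
int demo_parse_huge(void) { section_t s[4]; return parse_sections(SAMPLE_HUGE, sizeof SAMPLE_HUGE, s, 4); }

int main(void)
{
    printf("good file: %d sections\n", demo_parse_good());             /* 2  */
    printf("bad file:  %d (rejected)\n", demo_parse_bad());            /* -1 */
    printf("huge count: %d (rejected)\n", demo_parse_huge());          /* -1 */
    printf("naive check passes the bad entry: %d\n",
           naive_bounds_ok(24, 0xFFFFFFF0u, 28));                      /* 1  */
    return 0;
}
```

The point of the contrast is that `naive_bounds_ok(24, 0xFFFFFFF0, 28)` returns true because the sum wraps to 8, whereas `parse_sections` rejects the same entry; a parser that trusts the header-supplied size after a check of the naive form is still exposed.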

Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure

Vulnerability discovered by Aleksandar Nikolic of Talos.

Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, while parsing JBIG2 segments within a PDF file, can be triggered in Foxit PDF Reader, causing out-of-bounds heap memory to be read into a buffer. The `memcpy` call is properly sized, but the source is smaller than the size argument, so adjacent memory is copied into the buffer, where heap metadata, addresses and pointers can be copied and later reused, disclosing memory layout. Combined with another vulnerability, this information disclosure can be used to leak the heap memory layout and bypass ASLR. Phishing campaigns commonly use PDF files, as malicious attachments or linked downloads, to deliver malware.

Thursday, October 13, 2016

LockyDump - All Your Configs Are Belong To Us

This post was authored by Warren Mercer and Matthew Molyett


Locky has continued to evolve since its inception in February 2016. This has made it difficult to track at times due to changes in the way in which it's distributed as well as various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve operational security (OPSEC) in regards to the tracking of affiliates making use of the ransomware. This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming 'LockyDump'. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky e.g. .locky, .zepto & .odin based ransomware.

Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. The latest variant of Locky made this extraction process increasingly difficult. Once this config extraction changed, Talos looked to reverse further Locky samples in an attempt to gain the all-important AffilID information. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis, such as their primary distribution method of choice, e.g. through the use of Exploit Kits (EKs) or spam/phishing email.

Tuesday, October 11, 2016

Microsoft Patch Tuesday - October 2016

Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins, with five of the bulletins rated critical and addressing vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in the Microsoft Internet Messaging API.

Bulletins Rated Critical

The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127

MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edge respectively. The Internet Explorer bulletin fixes 11 vulnerabilities while the Edge bulletin fixes 13 vulnerabilities. Seven vulnerabilities were found to affect both Edge and IE. The majority of the vulnerabilities fixed are memory corruption flaws that could lead to arbitrary code execution. Several privilege escalation and information disclosure flaws were also fixed in this month's release.

Monday, October 3, 2016

Vulnerability Spotlight: FreeImage Library XMP Image Handling Code Execution Vulnerability

This vulnerability was discovered by Yves Younan.

Talos, in coordination with FreeImage, is disclosing the discovery of TALOS-2016-0189 / CVE-2016-5684.


FreeImage is widely used software integrated into over 100 products, ranging from free to paid licensing, including multimedia software, games, developer tools, PDF generators and more. FreeImage makes use of a common file format created by Adobe, Extensible Metadata Platform (XMP), that allows real-time managing of metadata. Per Adobe, the XMP file format allows users to “embed metadata into files themselves during the content creation process”, and FreeImage’s 3.17.0 integration of this file format into its software is vulnerable to an overflow in the “Colors Per Pixel” value of an XMP image. Generally speaking, when FreeImage 3.17.0 opens an XMP file with a large enough Colors Per Pixel value, the value is not handled properly by follow-on code in the function that uses it. You can liken it to taking a 99 oz. glass, turning on the faucet, and filling it up with 100+ ounces of water. The water spills over and gets into areas you don’t want it to be. In technical terms, the large value is not properly validated during the code execution and it can trigger an out-of-bounds write. This causes an arbitrary memory overwrite that can effectively result in remote code execution. This is likely to be exploited if someone sends you a maliciously crafted image file as an email attachment or possibly via an instant message.

Due to the widespread integration and the relative ease with which the vulnerability can be exploited, we strongly encourage anyone using software that integrates FreeImage to patch their platforms as soon as possible.  A list of software can be found on FreeImage’s site here.

FreeImage patched this vulnerability in CVS on August 7th, however they have not released a new version of the software. If you use FreeImage, it is recommended that you update to the CVS version to avoid being exposed to this vulnerability.

For the full technical details regarding this vulnerability, please refer to the vulnerability advisory which can be found on our website here.


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 39883 & 39884

For further zero day or vulnerability reports and information visit: http://www.talosintelligence.com/vulnerability-reports/

Friday, September 30, 2016

Vulnerability Spotlight: OpenJPEG JPEG2000 mcc record Code Execution Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos


Talos has identified an exploitable out-of-bounds vulnerability in the JPEG 2000 image file format parser implemented in the OpenJPEG library (TALOS-2016-0193/CVE-2016-8332). The JPEG 2000 file format is commonly used for embedding images inside PDF documents. This particular vulnerability could allow an out-of-bounds heap write to occur, resulting in heap corruption and leading to arbitrary code execution. Talos has disclosed this vulnerability responsibly to the library maintainers to ensure a patch is available.

Exploitation of this vulnerability is possible if a user were to open a file containing a specifically crafted JPEG 2000 image that exploits this flaw. Examples where this could be achieved would be in an email attack, where a user opens an attachment in a spam/phishing email, or in a hosted content scenario where a user downloads a file from Google Drive or Dropbox.


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40314-40315

For further zero day or vulnerability reports and information visit:

Vulnerability Spotlight: Redis CONFIG SET client-output-buffer-limit Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Talos


Talos is disclosing TALOS-2016-0206/CVE-2016-8339, an out-of-bounds write vulnerability in Redis. Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at. This particular vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write, potentially resulting in code execution.

Thursday, September 29, 2016

Want Tofsee My Pictures? A Botnet Gets Aggressive

This post was authored by Edmund Brumaghin


Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Earlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users that browse web sites that are serving compromised advertisements. This activity seemed to disappear in June, however Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.

Tuesday, September 27, 2016

Threat Spotlight: GozNym

This blog was authored by Ben Baker, Edmund Brumaghin and Jonah Samost.

Executive Summary

GozNym is the combination of features from two previously identified families of malware, Gozi and Nymaim. Gozi was a widely distributed banking trojan with a known Domain Generation Algorithm (DGA) and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware and was previously distributed by the Black Hole exploit kit. The code had various anti-analysis techniques, such as the obfuscation of Win32 API calls.

There have been multiple instances in which the source code of the Gozi trojan has been leaked. Due to these leaks it was possible for the GozNym authors to make use of the ‘best of breed’ methodologies incorporated into Gozi and create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.

Given the recent success of the GozNym trojan and the number of targeted attacks seeking to infect victims with this malware, Talos decided to take a deep look at the inner workings of this particular malware family. Talos started by examining the binaries associated with GozNym as well as the distribution mechanisms. Additionally, we were able to successfully reverse engineer the DGA associated with a GozNym command and control (C2) infrastructure and sinkhole that botnet. This gave Talos great visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control.

Wednesday, September 21, 2016

The Rising Tides of Spam

This blog post was authored by Jaeson Schultz.

For the past five years we have enjoyed a relatively calm period with respect to spam volumes. Back at the turn of the decade the world was experiencing record-high volumes of spam. However, with the evolution of new anti-spam technologies, combined with some high-profile takedowns of spam-related botnets, voluminous and indiscriminate spam attacks fell precipitously in popularity with spammers. Subsequently, having lower volumes of spam to contend with, anti-spam systems had the luxury of dedicating more computer processing resources to analyzing fewer messages for email-based threats. But, as the fashion industry adage goes, "everything old is new again." Spam volumes are back on the rise.

Tuesday, September 13, 2016

Microsoft Patch Tuesday - September 2016

This post was authored by Jaeson Schultz.

Well it's Microsoft Patch Tuesday, again, and that must mean we are girding our systems against another round of security vulnerabilities. This month Microsoft has released fourteen (14) bulletins covering fifty (50) security vulnerabilities. There are seven bulletins in the set whose severity is considered "Critical". These "Critical" bulletins affect Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft Exchange Server, Microsoft Office, OLE Automation for VBScript Scripting Engine, and the Adobe Flash Player. The remaining seven bulletins impact products such as Silverlight, Windows, Windows Kernel, Windows Lock Screen, Windows Secure Kernel Mode, Windows SMBv1 Server, and the Microsoft Windows PDF Library.

Thursday, September 1, 2016

Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted

This blog authored by Nick Biasini.

Exploit kits are a class of threat that indiscriminately aims to compromise all users. Talos has continued to monitor this threat over time, resulting in large scale research and even in a large scale takedown. The focus of this investigation is on the tools and techniques being used to drive users to the exploit kits. This blog looks at the anatomy of a global malvertising campaign and how users interact with exploit kit gates, regardless of the sites they visit and the countries in which they reside.

Talos observed a large malvertising campaign affecting potentially millions of users visiting sites in North America, Europe, Asia Pac, and the Middle East. The research culminated in a joint effort with GoDaddy to mitigate the threat by taking back the registrant accounts used to host the activity, and taking down all applicable subdomains. This is yet another example of how organizations work together to stop threats affecting users around the globe. If you are a provider or online ad company that would like to work with Talos, please contact us.

Online advertising is a key component of the Internet today, especially for sites that provide content free of charge. In this blog we will be discussing a global malvertising campaign that has affected a wide array of websites. These websites don't bear responsibility for these malicious ads; it is just the nature of online advertising. As security organizations get better at identifying and shutting down malicious content, adversaries are going to continue to move and stay agile. The advantage to malicious advertising is if you visit the same site twice you are unlikely to receive the same content from an advertising perspective. This is where protections like ad blockers, browsers with advanced sandboxing technologies, and detection/prevention technologies are paramount to ensure protection from this type of content.

Friday, August 26, 2016

Vulnerability Spotlight: Kaspersky Unhandled Windows Messages Denial of Service Vulnerability

Vulnerability discovered by Marcin ‘Icewall’ Noga of Cisco Talos.


Talos is disclosing the presence of TALOS-2016-0175 / CVE-2016-4329, a local denial of service vulnerability within Kaspersky anti-virus. A system user is able to cause a denial of service attack against Kaspersky’s avpui.exe process by executing malicious code on a system. As a result, the avpui.exe process protected by Kaspersky Self-Protection dies.

The vulnerability can only be exploited by a user who is already present on the system. Nevertheless, such a vulnerability may potentially be exploited by a malicious user who wishes to cause anti-virus scanning to stop informing users about potential malicious activities. This may comprise a step in a longer sequence of malicious activity. Administrators should ensure that the latest version of Kaspersky is installed to remove the vulnerability.

As part of our commitment to responsible disclosure, on discovering the vulnerabilities we notified Kaspersky. We have ensured that a patch to remedy the vulnerabilities was available before publication.


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 39918, 39919

Vulnerability Spotlight: Kernel Information Leak & Multiple DOS Issues Within Kaspersky Internet Security Suite

Vulnerability discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.


Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.


To provide anti-virus functionality, Kaspersky’s software hooks into the Windows API via a driver named KLIF. Talos has identified two vulnerabilities in the way that the driver handles intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. In both cases a malicious application on a machine with Kaspersky’s KLIF driver installed is able to execute a malicious API call using invalid parameters. This can cause an attempt to access inaccessible memory by the driver resulting in a system crash.

A further local denial of service attack is possible through Kaspersky’s KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can cause the driver to read memory outside of an allocated buffer. This may provoke a memory access violation resulting in a system crash.

Monday, August 15, 2016

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within Lexmark Perceptive Document Filters.

Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos

Talos is today releasing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow for remote code execution using specifically crafted files.


These vulnerabilities are present in the Lexmark Document Filters parsing engine, which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats and to offer conversion capabilities, such as from Microsoft document formats into other formats. Lexmark makes this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

The three vulnerabilities disclosed today allow for remote code execution using specifically crafted files such as XLS, Bzip2 & Compound Binary File Format (MS-CFB). This can provide an attacker with the capability to perform remote code execution within your environment and potentially offers the adversary full control of the attacked resource.

Friday, August 12, 2016

Vulnerability Spotlight: Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability

This vulnerability was discovered by Patrick DeSantis.


Talos recently discovered a vulnerability in Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controllers (PLCs) related to the default configuration that is shipped with devices running affected versions of firmware. This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.

In addition to the default, documented SNMP community strings of ‘public’ (read) and ‘private’ (read/write), an undocumented community string of ‘wheel’ (read/write) also exists, which enables attackers to make unauthorized device changes, such as modification of settings or conducting malicious firmware updates. It is possible that this community string allows access to other OIDs; however, Talos tested only specific use cases.

Wednesday, August 10, 2016

Vulnerability Spotlight: BlueStacks App Player Privilege Escalation

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos

Talos is releasing an advisory for a vulnerability in BlueStacks App Player (TALOS-2016-0124/CVE-2016-4288). The BlueStacks App Player is designed to enable Android applications to run on Windows PCs and Macintosh computers. It’s commonly used to run popular Android games on these platforms.


A weak registry key permission vulnerability exists in the BlueStacks application. By default, the BlueStacks installer sets a weak permission on the registry key that contains the InstallDir registry value, which is later used by the BlueStacks service component. This default configuration gives a malicious user the ability to modify this value, which can lead to privilege escalation.

Let’s examine the BlueStacks registry key where the vulnerable "InstallDir" value is located:

As we can see the "Users" group has full access permissions to this key.

Vulnerability Spotlight: MS Edge/Windows PDF Library Arbitrary Code Execution Vulnerability Identified and Patched

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Yesterday, Microsoft released its monthly set of security bulletins and patches for various flaws within currently supported products. Two of the bulletins in yesterday's release are rated critical and address CVE-2016-3319, an arbitrary code execution vulnerability in Microsoft Edge and in the Windows PDF library. With Microsoft's bulletin release, Talos is disclosing the details of this vulnerability, which we identified through our research efforts, on our Vulnerability Report portal.

CVE-2016-3319 (TALOS-2016-0170)

CVE-2016-3319 is an arbitrary code execution vulnerability which manifests in Microsoft Edge and in the Windows PDF library. If a user opens a specifically crafted PDF file on a vulnerable system, the system could execute arbitrary code of an attacker's choosing. On Windows 10 systems that are configured to use Microsoft Edge as the default browser, this vulnerability could be triggered by simply browsing to a website hosting a malicious PDF, as Edge will attempt to render the file contents automatically. Note that this vulnerability affects Windows 8.1, Windows Server 2012 (and R2), and Windows 10.

Tuesday, August 9, 2016

Microsoft Patch Tuesday - August 2016

This post was authored by Edmund Brumaghin and Jonah Samost

Today is Patch Tuesday for August 2016, and Microsoft has released several security bulletins and associated patches to resolve security issues across their products. This month’s patch release includes 9 bulletins addressing 28 vulnerabilities. Five of the bulletins Microsoft has released are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address vulnerabilities in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.

Bulletins Rated Critical

Microsoft has listed bulletins MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 as critical in this month’s release.

MS16-095 and MS16-096 are this month’s bulletins addressing security vulnerabilities associated with Microsoft Internet Explorer and Edge. The Internet Explorer bulletin addresses a total of nine vulnerabilities, including five memory corruption bugs and four information disclosure vulnerabilities. The Edge bulletin covers a total of eight vulnerabilities, including a remote code execution vulnerability, four memory corruption bugs and three information disclosure vulnerabilities. The Internet Explorer bulletin is rated Critical for affected Windows clients and Moderate for affected Windows Servers.

Thursday, August 4, 2016

Vulnerability Spotlight: Multiple Arbitrary Code Execution Vulnerabilities Identified in Hancom Hangul Office

Vulnerabilities discovered by the Talos Vulnerability Development Team. Blog post authored by Alex Chiu.

Securing your network and environment is a challenging task, especially when organizations need to keep track of various software packages that are used on a daily basis. Productivity suites, such as Hancom Hangul Office, are an example of critical software that organizations need to track and patch amongst other things such as operating systems, browsers, and antivirus. Talos is committed to helping our customers be as secure as possible through a variety of means, such as identifying zero-day vulnerabilities in critical software packages. Today, Hancom is disclosing 8 arbitrary code execution vulnerabilities identified and reported by Talos. Hancom has released a software update that addresses these vulnerabilities and Talos would like to sincerely thank Hancom for their cooperation.

Hancom Office is commonly used in parts of the world and is known to be used in various government organizations, public institutions, and non-governmental organizations in South Korea. In fact, the South Korean government previously made Hancom Office its official productivity suite for use on government systems. By some estimates, Hancom has around 30% of the productivity suite market share in South Korea.

The fact that there is a sizeable installation base of Hancom Office makes it an attractive target for adversaries to leverage and exploit. It's believed that the North Korean government is behind several targeted attacks that exploited vulnerabilities in the Hangul word processor. Other companies have previously documented these incidents in 2013 and 2015. In addition, Hancom is actively looking to expand its market share in South Korea and abroad.

Tuesday, August 2, 2016

Macro Intruders: Sneaking Past Office Defenses

This blog was written by Matthew Molyett with contributions from Martin Lee .


Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable the macro function within Microsoft Word during the late 90s and early 2000s sent this malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.

In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.

Monday, July 25, 2016

Ransomware: Because OpSec is Hard?

This blog was authored by Edmund Brumaghin and Warren Mercer


Talos recently published research regarding a new variant of destructive ransomware, which we dubbed Ranscam. During further analysis of Ranscam samples, we discovered several indicators of compromise (IOCs) that piqued our curiosity as to which malware this threat actor might be involved in or responsible for besides Ranscam. We began to expand the scope of our research into other destructive "ranscamware" in an effort to determine if they had any shared characteristics that might indicate the same threat actor or group might be responsible for multiple variants. We found several interesting ties between known destructive ransomware variants such as Jigsaw and AnonPop which correlated with the threat actor we believe to be responsible for Ranscam.

Thursday, July 21, 2016

Vulnerability Spotlight: OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability

This vulnerability was discovered by Richard Johnson and Yves Younan of Cisco Talos.

Talos is releasing an advisory for a vulnerability in OpenOffice Impress (TALOS-2016-0051/CVE-2016-1513). Talos has discovered an exploitable out-of-bounds vulnerability which exists in OpenOffice when handling MetaActions. A specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file can cause an out-of-bounds read/write resulting in denial-of-service (memory corruption and application crash) and possible execution of arbitrary code.


OpenOffice is an open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and other office functions. It works on various operating systems and is available in a host of languages. It uses an international open standard format for the common file types and can also read and write files from other common office software packages, such as Microsoft Office. Its flexibility and open source nature have led to wide adoption.

OpenOffice currently reports a user base of over 84 million and over 125 million downloads, 87% of which run Microsoft Windows. An attacker could trigger this vulnerability by enticing an end user to open a malicious file specially crafted to exploit this vulnerability. This could be accomplished by directing a user to open a file hosted on a web server, sent as an attachment in a phishing email, or any other means that could be used to convince a user to open the malicious file.


In the attached sample the out-of-bounds vulnerability occurs when replacing a Polygon in the PolyPolygon object while performing a MetaPolyPolygonAction. In this case, the position in the array is 512, while the array containing Polygons (mpPolyAry) is only 2 in size. This will result in the deletion of a pointer which is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx. This will be immediately followed by an out-of-bounds write, writing a new pointer which is obtained by creating a new Polygon at that location. This provides an attacker with multiple ways to exploit this vulnerability: through a free of an invalid pointer, and, if that fails, the writing of a new pointer out of bounds could provide a second opportunity for exploitation. Below are lines 217-230 of main\tools\source\generic\poly2.cxx:

While there is a check to ensure that npos is smaller than the array size, at line 220, it is simply an assert that is only enabled in debug mode.
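To make the debug-only check concrete, here is an added C example (not OpenOffice's code; the `PolyArray` container and the function names are stand-ins) that places the assert-only replace pattern described above beside a version whose bounds check survives a release build. The demo reproduces the advisory's numbers: a two-element array and a requested position of 512.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for a Polygon; only the point count matters for the demo. */
typedef struct { int npoints; } Polygon;

/* Stand-in for the PolyPolygon container: an array of owned Polygon pointers
   (the advisory's mpPolyAry) plus its element count. */
typedef struct { Polygon **ary; size_t count; } PolyArray;

PolyArray *polyarray_new(size_t count)
{
    PolyArray *pa = malloc(sizeof *pa);
    if (pa == NULL) return NULL;
    pa->ary = calloc(count, sizeof *pa->ary);
    if (pa->ary == NULL) { free(pa); return NULL; }
    for (size_t i = 0; i < count; i++) pa->ary[i] = calloc(1, sizeof(Polygon));
    pa->count = count;
    return pa;
}

void polyarray_free(PolyArray *pa)
{
    if (pa == NULL) return;
    for (size_t i = 0; i < pa->count; i++) free(pa->ary[i]);
    free(pa->ary);
    free(pa);
}

/* The pattern the advisory describes: the only bounds check is an assert, which
   an NDEBUG (release) build compiles away. With pos >= count this reads a
   pointer past the end of the array, frees it, then writes the new pointer
   out of bounds. Shown for contrast only; the demo never calls it. */
void polyarray_replace_assert_only(PolyArray *pa, Polygon *p, size_t pos)
{
    assert(pos < pa->count);
    free(pa->ary[pos]);
    pa->ary[pos] = p;
}

/* Hardened form: a real runtime check, and the caller learns about rejection. */
bool polyarray_replace_checked(PolyArray *pa, Polygon *p, size_t pos)
{
    if (pa == NULL || p == NULL || pos >= pa->count) return false;
    free(pa->ary[pos]);
    pa->ary[pos] = p;
    return true;
}

/* Reproduces the advisory's numbers: a 2-element array and position 512.
   Returns 1 when the bad position is rejected and a valid one is accepted. */
int demo(void)
{
    PolyArray *pa = polyarray_new(2);
    Polygon *p = calloc(1, sizeof *p);
    if (pa == NULL || p == NULL) { polyarray_free(pa); free(p); return 0; }
    p->npoints = 5;
    bool rejected = !polyarray_replace_checked(pa, p, 512);
    bool accepted = polyarray_replace_checked(pa, p, 1);
    int result = (rejected && accepted && pa->ary[1] == p) ? 1 : 0;
    if (!accepted) free(p);   /* p is owned by the array only once accepted */
    polyarray_free(pa);
    return result;
}

int main(void)
{
    printf("checked replace behaved as expected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point of the checked variant is that a position parsed from an untrusted file reaches the array only after a comparison that the compiler cannot remove; returning a status also lets the caller reject the document instead of continuing with a corrupted container.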

The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189:

Here is the call stack when the problem occurs:


Finding and responsibly disclosing zero-day vulnerabilities helps improve the overall security of the software people use on a day-to-day basis. Talos is committed to this effort by developing programmatic ways to identify vulnerabilities that could be otherwise exploited by malicious adversaries. This helps secure the platforms and software customers use and also helps provide insight into how Cisco can improve its own processes to develop better, more secure products. 

In addition, Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules: 35828-35829.

For further zero day or vulnerability reports and information visit:

Wednesday, July 20, 2016

Vulnerability Spotlight: Oracle's Outside In Technology, Turned Inside-Out

Vulnerabilities discovered by Aleksandar Nikolic. Blog post authored by Jaeson Schultz and Aleksandar Nikolic.

One of the most fundamental tasks performed by many software programs involves the reading, writing, and general processing of files. In today's highly networked environments, files and the programs that process them can be found just about everywhere: FTP transfers, HTTP form uploads, email attachments, et cetera.

Because computer users interact with files of so many different varieties on such a regular basis, Oracle Corporation has designed tools to assist programmers with writing software that will support these everyday tasks: Outside In Technology (OIT). From the OIT website: "Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats."

In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle. The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in this post, is severe because so many third-party products use Oracle's OIT to parse and transform files. A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle's Outside In SDK includes:

Tuesday, July 19, 2016

Vulnerability Spotlight: Apple Remote Code Execution With Image Files

Vulnerabilities discovered by Tyler Bohan of Cisco Talos.

Many of the wide variety of file formats in use are designed for specialized purposes within specific industries. Apple offers APIs as interfaces to provide a definitive way to access image data for multiple image formats on the Apple OS X platform. Talos is disclosing the presence of five remote code execution vulnerabilities in Apple OS X related to processing image formats: TALOS-2016-0171, TALOS-2016-0180, TALOS-2016-0181, TALOS-2016-0183, TALOS-2016-186.

Tuesday, July 12, 2016

Microsoft Patch Tuesday - July 2016

This post was authored by William Largent

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release has 11 bulletins addressing 49 vulnerabilities. 6 of these bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Print Spooler, Office and Adobe Flash Player. The remaining bulletins are rated important and address vulnerabilities in Windows Kernel, Office, Kernel-Mode Drivers, .NET Framework, and Secure Boot.

Bulletins Rated Critical

Microsoft bulletins MS16-084 through MS16-088, and MS16-093 are rated as critical in this month's release.

MS16-084 and MS16-085 are this month's Internet Explorer and Edge security bulletins respectively. The IE security bulletin addresses vulnerabilities in Internet Explorer versions 9, 10, & 11. The IE bulletin covers 15 vulnerabilities in total and resolves 9 memory corruption bugs, 1 security feature bypass bug, 3 information disclosure bugs, and 2 spoofing bugs. The Edge bulletin addresses 13 vulnerabilities in total and resolves 7 memory corruption bugs, 1 security feature bypass bug, 3 information disclosure bugs and 2 spoofing bugs. The IE bugs are rated critical on affected Windows clients but only moderate on affected Windows Servers.

Monday, July 11, 2016

When Paying Out Doesn't Pay Off

This blog post was authored by Edmund Brumaghin and Warren Mercer
Talos recently observed a new ransomware variant targeting users. This ransomware shows that new threat actors are continuing to enter the ransomware market at a rapid pace due to the lucrative nature of this business model. As a result, greater numbers of unique ransomware families are emerging at a faster rate. This sometimes results in complex variants emerging or in other cases, like this one, less sophisticated ones. In many cases these new ransomware threats share little resemblance to some of the more established operations in their approach to infecting systems, encrypting/removing files, or the way in which they attempt to coerce victims into complying with their ransom demands.

Ranscam is one of these new ransomware variants. It lacks complexity and tries to use various scare tactics to entice the user into paying. One such tactic used by Ranscam is to inform the user that their files will be deleted on every unverified payment click, which turns out to be a lie. There is no longer honor amongst thieves. Similar to threats like AnonPop, Ranscam simply deletes victims’ files, and provides yet another example of why threat actors cannot always be trusted to recover a victim’s files, even if the victim complies with the ransomware author’s demands. With some organizations likely choosing to pay the ransomware author following an infection, Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy. Not only does having a good backup strategy in place help ensure that systems can be restored, it also ensures that attackers are no longer able to collect revenue that they can then reinvest into the future development of their criminal enterprise.

Vulnerability Spotlight: Local Code Execution via the Intel HD Graphics Windows Kernel Driver

This vulnerability was discovered by Piotr Bania.

Talos, in coordination with Intel, is disclosing the discovery of TALOS-2016-0087, a local arbitrary code execution vulnerability within the Intel HD Graphics Windows Kernel Driver. This vulnerability exists in the communication functionality of the driver and can be exploited if a specially crafted message is sent to the driver, resulting in a denial of service or arbitrary code execution. Note that exploitation of this vulnerability is only achievable in local contexts. This vulnerability has been responsibly disclosed to Intel in accordance with our Vulnerability Reporting and Disclosure guidelines. 

Friday, July 8, 2016

Vulnerability Spotlight: Symantec Norton Security IDSvix86 PE Remote System Denial of Service

Vulnerability discovered by Piotr Bania of Cisco Talos

Talos is disclosing the presence of a denial of service vulnerability (CVE-2016-5308 / TALOS-2016-0182) in the Portable Executable file scanning functionality of Symantec Norton Security. A specially crafted PE file can cause an access violation in the IDSvix86 kernel driver when parsing PE files, resulting in a denial of service.

A malicious attacker could trigger this vulnerability by emailing the victim a crafted file with a large SizeOfRawData field in a section header. Neither the parser nor MD5Compress, the function that causes the segfault, checks that this value is within the bounds of the file; therefore, if the parameter is big enough, MD5Compress accesses memory which is currently unavailable, causing the machine to crash.
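The missing check, as an added illustration that is not Symantec's code and not part of the original post: a PE section header whose SizeOfRawData and PointerToRawData are validated against the real file length before the range is handed to any hashing routine. Field names follow the PE specification; the sample headers and the 0x400-byte file size are constructed.

```python
import struct

# Layout of IMAGE_SECTION_HEADER (40 bytes, little-endian): Name[8],
# VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

def section_raw_range(header, file_size):
    """Return (offset, size) of the section's raw data, or raise ValueError
    when SizeOfRawData/PointerToRawData do not fit inside a file_size-byte
    file. A scanner must make this check before handing the range to a
    hashing routine; it is the check described above as missing."""
    if len(header) < SECTION_HEADER.size:
        raise ValueError("truncated section header")
    name, _vsize, _vaddr, raw_size, raw_ptr = SECTION_HEADER.unpack_from(header)[:5]
    name = name.rstrip(b"\x00").decode("ascii", "replace")
    # Both fields are untrusted unsigned 32-bit values. Python ints never
    # wrap, so the sum cannot overflow here; a C implementation must also
    # guard against raw_ptr + raw_size wrapping past 2**32.
    if raw_ptr + raw_size > file_size:
        raise ValueError("section %s: raw data [0x%x, +0x%x) exceeds file size 0x%x"
                         % (name, raw_ptr, raw_size, file_size))
    return raw_ptr, raw_size

def section_is_in_bounds(header, file_size):
    """True only if the section's raw data range lies inside the file."""
    try:
        section_raw_range(header, file_size)
        return True
    except ValueError:
        return False

def make_header(name, raw_size, raw_ptr):
    """Build a constructed section header with the given sizes (test input only)."""
    return SECTION_HEADER.pack(name.ljust(8, b"\x00"), 0x1000, 0x1000,
                               raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)

# Constructed sample: a 0x400-byte "file" with one well-formed section and one
# whose SizeOfRawData claims far more data than the file holds.
FILE_SIZE = 0x400
GOOD_SECTION = make_header(b".text", 0x100, 0x200)
OVERSIZED_SECTION = make_header(b".bad", 0xFFFFFFF0, 0x300)

if __name__ == "__main__":
    for hdr in (GOOD_SECTION, OVERSIZED_SECTION):
        print(section_is_in_bounds(hdr, FILE_SIZE))
```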

Talos has worked with Symantec to responsibly disclose this vulnerability. Uncovering new 0-day vulnerabilities not only helps improve the overall security of the software that our customers use, but it also enables us to directly improve the procedures in our own security development lifecycle, which improves the security of all of the products that Cisco produces. 

This vulnerability is detected by sids 39466 and 39467.

For the most up to date list, please refer to Defense Center or FireSIGHT Management Center. For further 0-day or vulnerability reports and information visit:

Full details for the advisory can be found at TALOS-2016-0182

Thursday, July 7, 2016

Connecting the Dots Reveals Crimeware Shake-up

This Post Authored by Nick Biasini

For a couple of weeks in June the threat landscape changed. Several high profile threats fell off the scene, causing a shake-up that hadn't been seen before. For a period of three weeks the internet was safer, if only for a short time. Still to date the Angler exploit kit has not returned and the threat outlook appears to be forever changed. This post will discuss a series of connections tying back to a banking trojan called Lurk and a registrant account with ties that were far reaching across crimeware.

Thursday, June 30, 2016

Gotta be SWIFT for this Spam Campaign!

This blog post was authored by Warren Mercer

Talos has observed a large uptick in the Zepto ransomware and has identified a method of distribution for it: spam email. Locky/Zepto continue to be well known ransomware variants and as such we will focus on the spam email campaign. We found 137,731 emails in the last 4 days using a new attachment naming convention. It was just coincidence that the number is a palindrome. The naming choice this time for this spam campaign is "swift [XXX|XXXX].js", where 'X' is some combination of letters/numbers; we have seen both 3 and 4 character strings after the "swift" name. This began Monday 27th June with approx 4000 emails being caught within our Email Security Appliances (ESA) & Cloud Email Security platform (CES). This started to ramp up over the next few days, with spikes occurring around 7-10pm UTC and 7-10am UTC over the next 4 days.

Wednesday, June 29, 2016

Detecting DNS Data Exfiltration

This blog was co-authored by Martin Lee and Jaeson Schultz with contributions from Warren Mercer.

The recent discovery of Wekby and Point of Sale malware using DNS requests as a command and control channel highlights the need to consider DNS as a potentially malicious channel. Although a skilled analyst may be able to quickly spot unusual activity because they are familiar with their organisation’s normal DNS activity, manually reviewing DNS logs is typically time consuming and tedious. In an environment where it might be unclear what malicious DNS traffic looks like, how can we identify malicious DNS requests?

We all have subconscious mental models that shape our perceptions of the environment and help us to identify the unusual. An outlandish or unusual happening in the local neighbourhood piques our curiosity and makes us want to find out what is going on. We compare our expectations of normality with our observations; if the two don’t match we want to know why. A similar approach can be applied to DNS logs. If we can construct a baseline or model of ‘normality’ we can compare our observations to the model and spot if reality, as we see it, is wildly different from that which we would expect.
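A minimal version of that baseline-and-compare approach, added here as an example rather than the post's own tooling: known-normal query logs give a per-domain model of name length and first-label entropy, and new queries are flagged when they fall well outside it. The log lines, the two-label definition of a base domain and the z-score threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample logs ("client queried_name" per line); not real traffic.
BASELINE_LOG = """10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 cdn.example.com
10.0.0.7 api.example.com
10.0.0.9 login.example.com""".splitlines()
NEW_LOG = """10.0.0.5 www.example.com
10.0.0.12 zx9f3k2q8a7d1c4e6b0f5h2j9k1l3m.example.com
10.0.0.12 q7w1e9r3t2y4u8i6o0p5a3s1d7f9g2.example.com
10.0.0.12 m4n8b2v6c0x1z3l5k7j9h1g3f5d7s9.example.com
10.0.0.9 login.example.com""".splitlines()

def base_domain(name):
    # Registrable part, assumed here to be the last two labels.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def label_entropy(name):
    # Shannon entropy (bits/char) of the leftmost label; encoded data scores high.
    label = name.split(".")[0]
    return -sum(c / len(label) * math.log2(c / len(label))
                for c in Counter(label).values())

def mean_std(values):
    m = sum(values) / len(values)
    return m, math.sqrt(sum((v - m) ** 2 for v in values) / len(values))

def build_baseline(lines):
    # Per base domain, (mean, std) of name length and label entropy: the model.
    rows = defaultdict(list)
    for name in (ln.split()[1] for ln in lines):
        rows[base_domain(name)].append((len(name), label_entropy(name)))
    return {d: [mean_std(col) for col in zip(*r)] for d, r in rows.items()}

def find_outliers(lines, baseline, z=3.0, min_std=0.5):
    # Flag names whose length or entropy exceeds mean + z*std for their base
    # domain (std floored for tiny baselines); unknown domains are reported too.
    flagged = []
    for name in (ln.split()[1] for ln in lines):
        stats = baseline.get(base_domain(name))
        if stats is None:
            flagged.append((name, "no baseline for base domain"))
            continue
        for what, value, (m, s) in zip(("length", "entropy"), (len(name), label_entropy(name)), stats):
            limit = m + z * max(s, min_std)
            if value > limit:
                flagged.append((name, "%s %.1f > %.1f" % (what, value, limit)))
                break
    return flagged
```

Run as `find_outliers(NEW_LOG, build_baseline(BASELINE_LOG))`; the three long random-looking names are returned with the feature that tripped them, while the two familiar hosts pass.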

Tuesday, June 28, 2016

Vulnerability Spotlight: LibreOffice RTF Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing the presence of CVE-2016-4324 / TALOS-2016-0126, a Use After Free vulnerability within the RTF parser of LibreOffice. The vulnerability lies in the parsing of documents containing both stylesheet and superscript tokens. A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be used to execute arbitrary code. This vulnerability requires user interaction to open the file.

Rich Text Format (RTF) was designed as a cross platform format for interchanging documents. Although the format standard has not evolved since 2008, the format remains widely supported by word processing suites. Attackers have previously exploited RTF parser vulnerabilities in MS Office, and used RTF files as a vector for embedding other malicious objects. Exploiting vulnerabilities such as these requires the user to interact with and open the file in order to trigger the attack. Raising awareness of the existence of vulnerabilities such as these with users can help in reminding people not to open unexpected or suspicious emails or files. Although we currently have no evidence to suggest that this vulnerability is being exploited in the wild, we recommend that administrators upgrade systems to the latest version of LibreOffice to remove the vulnerability.

Snort rules: 39148, 39149

Tuesday, June 21, 2016

Vulnerability Spotlight: Pidgin Vulnerabilities

These vulnerabilities were discovered by Yves Younan.

Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit protocol. These vulnerabilities fall into the following four categories.

  • Information Leakage
  • Denial Of Service
  • Directory Traversal 
  • Buffer Overflow

The following vulnerabilities were identified (listed numerically by CVE):

CVE-2016-2365 - Pidgin MXIT Markup Command Denial of Service Vulnerability
CVE-2016-2366 - Pidgin MXIT Table Command Denial of Service Vulnerability
CVE-2016-2367 - Pidgin MXIT Avatar Length Memory Disclosure Vulnerability
CVE-2016-2368 - Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerability
CVE-2016-2369 - Pidgin MXIT CP SOCK REC TERM Denial of Service Vulnerability
CVE-2016-2370 - Pidgin MXIT Custom Resource Denial of Service Vulnerability
CVE-2016-2371 - Pidgin MXIT Extended Profiles Code Execution Vulnerability
CVE-2016-2372 - Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability
CVE-2016-2373 - Pidgin MXIT Contact Mood Denial of Service Vulnerability
CVE-2016-2374 - Pidgin MXIT MultiMX Message Code Execution Vulnerability
CVE-2016-2375 - Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability
CVE-2016-2376 - Pidgin MXIT read stage 0x3 Code Execution Vulnerability
CVE-2016-2377 - Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability
CVE-2016-2378 - Pidgin MXIT get_utf8_string Code Execution Vulnerability
CVE-2016-2380 - Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability
CVE-2016-4323 - Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability