Monday, February 29, 2016

Tax Scams Gone International

Tax time in the US is quickly approaching. Everyone should be on the lookout for scams that are designed to trick you out of your money and personal information. The IRS is warning users about an increase in the number of email scams being used this year. However, these attacks are no longer limited to just the United States.  Earlier this year we notice tax phishing campaigns targeting Ireland. Therefore, we decided to take a look back over the last year and see how widespread tax scams have become. We quickly realized that tax scams have gone international and now impact numerous countries across the world.

To give you an idea of the scope of the problem that we uncovered, our post will look at tax phishing campaigns from the following perspectives:
  • Tax Related Domains
  • Countries Impacted
  • Attack Techniques
  • Timing of Attacks
  • Interesting Twists

Wednesday, February 24, 2016

Operation Blockbuster: Coverage for the Lazarus Group

The threat landscape is in constant flux. In many situations, the entire security community must work together to combat some of today’s larger threats. Novetta researched a group of malware families that all appear to be related to the same group of threat actors dubbed “The Lazarus Group” (Group 77). According to Novetta’s analysis, which was released in a report titled “Operation Blockbuster”,  these malware families have been behind multiple high profile attacks over the last nine years. By working with Novetta, Talos was able to ensure that our customers were protected against this threat.

Talos examined the various malware families involved in the research through the samples provided to us to verify that we have coverage for all of the malware families. 

Tuesday, February 9, 2016

Bedep Lurking in Angler's Shadows

This post is authored by Nick Biasini.

In October 2015, Talos released our detailed investigation of the Angler Exploit Kit which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler's payloads were some variation of ransomware and noted one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.

Adversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threats together to try and identify the connections and groups that operate. This is one of those instances were a couple of crumbs came together and formed some unexpected connections. By tying together a couple of registrant accounts, email addresses, and domain activity Talos was able to track down a group that has connections to threats on multiple fronts including: exploit kits, trojans, email worms, and click fraud. These activities all have monetary value, but are difficult to quantify unlike a ransomware payload with a specific cost to decrypt.

Microsoft Patch Tuesday - February 2016

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.

Bulletins Rated Critical

Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month's release.

MS16-009 and MS16-011 are this month's Internet Explorer and Edge security bulletin respectively. In total, sixteen vulnerabilities were addressed with four vulnerabilities impacting both browsers. The vulnerabilities impacting both browsers include three critical memory corruption issues (CVE-2016-0060, CVE-2016-0061 and CVE-2016-0062) along with CVE-2016-0077 that addresses a critical spoofing vulnerability. 
  • MS16-009 is the IE bulletin for IE versions 9 through 11. Three critical memory corruption issues specific to Internet Explorer are addressed (CVE-2016-0063, CVE-2016-0067 and CVE-2016-0072). 
  • MS16-011 is the Edge bulletin. A critical memory corruption issues specific to Edge is addressed (CVE-2016-0084). 

Monday, February 8, 2016

The Internet of Things Is Not Always So Comforting

This post is authored by Alex Chiu.

Over the past few years, the Internet of Things (IoT) has emerged as reality with the advent of smart refrigerators, smart HVAC systems, smart TVs, and more. Embedding internet-enabled devices into everything presents new opportunities in connecting these systems to each other, making them "smarter," and making our lives more convenient than ever before.

Despite the new possibilities, there are major concerns about the IoT which inspire a legitimate question: "What happens if it's not 'done right' and there are major vulnerabilities with the product?"

The unfortunate truth is that securing internet-enabled devices is not always a high priority among vendors and manufacturers. Some manufactures do not have the necessary infrastructure to inform the public about security updates or to deliver them to devices. Other manufacturers are unaccustomed to supporting products past a certain time, even if a product's lifespan may well exceed the support lifecycle. In other cases, the lack of a secure development lifecycle or a secure public portal to report security defects makes it near impossible for researchers to work with a vendor or manufacturer. These problems expose users and organizations to greater security risks and ultimately highlight a major problem with the Internet of Things.

What does this mean for the average user? For starters, a smart device on their home or office network could contain unpatched vulnerabilities. Adversaries attacking the weakest link could exploit a vulnerable IoT device, then move laterally within an organization's network to conduct further attacks. Additionally, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario.

Friday, February 5, 2016

Vulnerability Spotlight: Libgraphite Font Processing Vulnerabilities

Vulnerabilities Discovered by Yves Younan of Cisco Talos.

Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library, which is used for font processing in Linux, Firefox, LibreOffice, and other major applications. The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution. A second vulnerability is an exploitable heap overflow. Finally, the last two vulnerabilities result in denial of service situations. To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities. Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts). 

In this post, we will discuss the following vulnerabilities:
  • CVE-2016-1521 
  • CVE-2016-1522 
  • CVE-2016-1523
  • CVE-2016-1526