Thursday, March 31, 2016

Vulnerability Spotlight: Lhasa Integer Underflow Exploit

Vulnerability discovered by Marcin Noga of Cisco Talos.

Talos is disclosing the discovery of vulnerability TALOS-2016-0095 / CVE-2016-2347 in the Lhasa LZH/LHA decompression tool and library. This vulnerability is due to an integer underflow condition. The software verifies that header values are not too large, but does not check for a too small header length. Decompressing a LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap. An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code.

An evident attack vector is to trick users into opening malicious files and exploiting the vulnerability to execute malicious code on the user’s device. An alternative, and less obvious vector is to exploit file scanning systems that use the Lhasa library to read the contents of LZH and LHA files. Supporting the ability to scan less commonly used file formats is often required of systems that scan incoming email attachments, files downloaded over the internet etc. Frequently these scanning systems use standard open-source libraries to parse and extract the contents of these files. The opening and scanning of files in these formats does not require user interaction and is often overlooked as a means by which malicious adversaries can execute code remotely. Vulnerabilities similar to this may be a means by which security controls are circumvented to gain access to organisations’ systems.

Wednesday, March 23, 2016

SamSam: The Doctor Will See You, After He Pays The Ransom

Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits. This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry.

Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.

Technical Details

Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.

Tuesday, March 22, 2016

Vulnerability Spotlight: Apple OS X Graphics Kernel Driver Local Privilege Escalation Vulnerability

Vulnerability discovered by Piotr Bania of Cisco Talos.

Cisco Talos, in conjunction with Apple’s security advisory issued on Mar 22, is disclosing the discovery of a local vulnerability in the communication functionality of the Apple Intel HD3000 Graphics kernel driver. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.

There is a local privilege escalation vulnerability in the Apple Intel HD3000 Graphics kernel driver (TALOS-2016-0088/CVE-2016-1743) which Talos has identified on OS X 10.11. Exploitation of this vulnerability requires user interaction, such as executing a malicious executable received via email or downloaded and run on the user's Mac. With OS X becoming more common in the workplace this can be especially impactful as the common user accounts often do not have root-level permissions.

Advisory Summary

This vulnerability can be triggered by sending specially crafted IOConnectCallMethod request to the Apple Intel HD3000 Graphics driver, the faulting code is in the IOGen575Shared::new_texture function.

Successful exploitation can result in an escalated privilege for the attacker, who can then use root-level access for further malicious activity.

Monday, March 21, 2016

Malware Word Search: Identifying Angler's Dictionary

This post authored by Steve Poulson with contributions from Nick Biasini.

Exploit kits are constantly evolving and changing. We recently wrote about some subtle Angler changes but then Angler changed drastically on March 8. In this blog post, we will briefly cover these changes, examining different characteristics of the URL structure for Angler and the origins of the words being leveraged to create them.

New Angler
Beginning on March 8, Talos noticed some major changes to the URL structure for Angler. These changes were drastic and have altered every part of the URL for the landing pages. Let's first look at the old syntax

Wednesday, March 16, 2016

TeslaCrypt 3.0.1 - Tales From The Crypt(o)!

This post is authored by Andrea Allievi and Holger Unterbrink

Executive Summary

Ransomware is malicious software that is designed to hold users' files (such as photos, documents, and music) for ransom by encrypting their contents and demanding the user pay a fee to decrypt their files. Typically, users are exposed to ransomware via email phishing campaigns and exploit kits. TeslaCrypt is one well-known ransomware variant, infecting many victims worldwide. It is in the top 5 of ransomware we see most often in our analysis systems. The core functionality of TeslaCrypt 3 remains the same as it continues to encrypt users’ files and then presents a message demanding the user to pay a ransom. 

While the Information Security community has responded to the ransomware threat by disrupting distribution mechanisms and developing better detection methods, adversaries realize they must also continue to adapt and evolve their capabilities. Unfortunately, this has lead adversaries to iterating and improving upon previous releases of TelsaCrypt, leading to the release of TelsaCrypt 3. In response to this latest TeslaCrypt variant which is compromising users, Talos reversed engineered TeslaCrypt 3 to better understand its functionality, how it works, and what's changed since the last release.

The former variant had a weakness in its way to store the encryption key, which enabled researchers to provide a tool for decryption of the files encrypted by TeslaCrypt [1]. Unfortunately, so far we are not aware of any tool which can do the same for this variant of TeslaCrypt.

This analysis gives an overview about the encryption algorithm used by TeslaCrypt 3.0.1. which is the latest as of the writing of this article. To improve readability, we will refer to this as TeslaCrypt 3 for the remainder of the blog. We will explain the cryptographic details in a way that they can be understood using high school mathematics. Nevertheless, expect a tough cryptographic journey.

Tuesday, March 8, 2016

Microsoft Patch Tuesday - March 2016

Patch Tuesday for March 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 13 bulletins addressing 44 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Edge, Graphic Fonts, Internet Explorer, Windows Media Player, and Window PDF. The remaining eight bulletins are rated important and address vulnerabilities in .NET, Office, and several other Windows components.

Bulletins Rated Critical

Microsoft bulletins MS16-023, MS16-024, MS16-026 through MS16-028, and MS16-036 are rated as critical in this month's release.

MS16-023 and MS16-024 are this month's Internet Explorer and Edge security bulletin respectively. In total, 24 vulnerabilities between the two bulletins were addressed with five vulnerabilities in common (meaning that both Edge and IE are affected by the same five vulnerabilities). The IE security bulletin addresses 13 memory corruption vulnerabilities while the Edge bulletin addresses 10 memory corruption flaws and one information disclosure bug that manifests as a result of Edge improperly handling referrer policy, potentially leaking the user's request content or browsing history.

Tuesday, March 1, 2016

Angler Attempts to Slip the Hook

This post authored by Nick Biasini with contributions from Joel Esler, Erick Galinkin and Melissa Taylor
Talos has discussed at length the sophistication of the Angler exploit kit. One thing that always makes Angler stand apart is the speed with which they develop and implement new techniques. Angler is constantly working to maintain its lead in the exploit kit arms race, whether its domain shadowing, 302 cushioning, encrypted payloads, or quick exploit development.

Recently we noticed some changes in Angler.