Thursday, June 30, 2016

Gotta be SWIFT for this Spam Campaign!

This blog post was authored by Warren Mercer


Talos has observed a large uptick in Zepto ransomware and has identified one of its distribution methods: spam email. Locky/Zepto continue to be well-known ransomware variants, and as such we will focus on the spam email campaign. We found 137,731 emails in the last 4 days using a new attachment naming convention. It was just coincidence that the number is a palindrome. The naming choice for this spam campaign is "swift [XXX|XXXX].js", where 'X' is some combination of letters and numbers; we have seen both 3- and 4-character strings after the "swift" name. This began Monday 27th June with approximately 4,000 emails being caught within our Email Security Appliances (ESA) and Cloud Email Security platform (CES). Volume ramped up over the next few days, with spikes occurring around 7-10pm UTC and 7-10am over the next 4 days.

Wednesday, June 29, 2016

Detecting DNS Data Exfiltration

This blog was co-authored by Martin Lee and Jaeson Schultz with contributions from Warren Mercer.

The recent discovery of Wekby and Point of Sale malware using DNS requests as a command and control channel highlights the need to consider DNS as a potentially malicious channel. Although a skilled analyst may be able to quickly spot unusual activity because they are familiar with their organisation’s normal DNS activity, manually reviewing DNS logs is typically time consuming and tedious. In an environment where it might be unclear what malicious DNS traffic looks like, how can we identify malicious DNS requests?

We all have subconscious mental models that shape our perceptions of the environment and help us to identify the unusual. An outlandish or unusual happening in the local neighbourhood piques our curiosity and makes us want to find out what is going on. We compare our expectations of normality with our observations; if the two don’t match, we want to know why. A similar approach can be applied to DNS logs. If we can construct a baseline or model of ‘normality’, we can compare our observations to the model and spot whether reality, as we see it, is wildly different from what we would expect.
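The baseline-and-compare idea above, as an added Python example that is not part of the original post: it builds a simple model of "normal" subdomain length and character entropy from constructed sample queries, then flags observed queries whose features sit more than three standard deviations from that baseline. The query names, the two features and the threshold are assumptions chosen for illustration, not values from the post.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" query names used to build the baseline (assumed normal).
BASELINE = [
    "www.example.com", "mail.example.com", "cdn.example.com",
    "api.example.com", "static.example.com", "www.example.org",
    "login.example.org", "docs.example.org", "updates.example.net",
    "www.example.net", "time.example.net", "img.example.com",
]

# Constructed observations: ordinary lookups plus long, high-entropy labels
# of the kind a DNS tunnel produces when it encodes data into query names.
OBSERVED = [
    "www.example.com",
    "mail.example.org",
    "5a1f9c0e7b3d2a8c4e6f1b9d3c7a5e2f.tunnel.example.net",
    "9d4b7e2c1a6f8e3b5c0d2f7a4e9b1c6d.tunnel.example.net",
]

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def subdomain(qname):
    """Everything left of the registered domain (assumed to be the last two labels)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""

def features(qname):
    sub = subdomain(qname)
    return (len(sub), shannon_entropy(sub))

def build_model(qnames):
    """Per-feature (mean, population stddev); a zero stddev is replaced by 1.0."""
    cols = list(zip(*(features(q) for q in qnames)))
    return [(mean(c), pstdev(c) or 1.0) for c in cols]

def zscores(qname, model):
    return [abs(v - m) / sd for v, (m, sd) in zip(features(qname), model)]

def find_anomalies(qnames, model, threshold=3.0):
    """Queries where any feature deviates from the baseline by more than threshold sigmas."""
    return [q for q in qnames if max(zscores(q, model)) > threshold]
```

In practice the baseline would be built from a longer window of an organisation's own resolver logs, and the anomaly list is a triage queue rather than a verdict.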

Tuesday, June 28, 2016

Vulnerability Spotlight: LibreOffice RTF Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing the presence of CVE-2016-4324 / TALOS-2016-0126, a Use After Free vulnerability within the RTF parser of LibreOffice. The vulnerability lies in the parsing of documents containing both stylesheet and superscript tokens. A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be used to execute arbitrary code. This vulnerability requires user interaction to open the file.

Rich Text Format (RTF) was designed as a cross-platform format for interchanging documents. Although the format standard has not evolved since 2008, the format remains widely supported by word processing suites. Attackers have previously exploited RTF parser vulnerabilities in MS Office, and used RTF files as a vector for embedding other malicious objects. Exploiting vulnerabilities such as these requires the user to interact with and open the file in order to trigger the attack. Raising awareness of the existence of vulnerabilities such as these with users can help in reminding people not to open unexpected or suspicious emails or files. Although we currently have no evidence to suggest that this vulnerability is being exploited in the wild, we recommend that administrators upgrade systems to the latest version of LibreOffice to remove the vulnerability.

Snort rules: 39148, 39149

Tuesday, June 21, 2016

Vulnerability Spotlight: Pidgin Vulnerabilities

These vulnerabilities were discovered by Yves Younan.

Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit protocol. These vulnerabilities fall into the following four categories.

  • Information Leakage
  • Denial Of Service
  • Directory Traversal 
  • Buffer Overflow

The following vulnerabilities were identified (listed numerically by CVE):

CVE-2016-2365 - Pidgin MXIT Markup Command Denial of Service Vulnerability
CVE-2016-2366 - Pidgin MXIT Table Command Denial of Service Vulnerability
CVE-2016-2367 - Pidgin MXIT Avatar Length Memory Disclosure Vulnerability
CVE-2016-2368 - Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerability
CVE-2016-2369 - Pidgin MXIT CP SOCK REC TERM Denial of Service Vulnerability
CVE-2016-2370 - Pidgin MXIT Custom Resource Denial of Service Vulnerability
CVE-2016-2371 - Pidgin MXIT Extended Profiles Code Execution Vulnerability
CVE-2016-2372 - Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability
CVE-2016-2373 - Pidgin MXIT Contact Mood Denial of Service Vulnerability
CVE-2016-2374 - Pidgin MXIT MultiMX Message Code Execution Vulnerability
CVE-2016-2375 - Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability
CVE-2016-2376 - Pidgin MXIT read stage 0x3 Code Execution Vulnerability
CVE-2016-2377 - Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability
CVE-2016-2378 - Pidgin MXIT get_utf8_string Code Execution Vulnerability
CVE-2016-2380 - Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability
CVE-2016-4323 - Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability

The Poisoned Archives

Vulnerabilities discovered by Marcin “Icewall” Noga. Blog post authored by Marcin Noga and Jaeson Schultz.

Update 2016-08-01: Talos has produced a video demonstrating how flaws in libarchive can be exploited using Splunk 6.4.1 as an attack vector. Release 3.2.1 of Libarchive addresses these issues, and Splunk has released patches.

libarchive is an open-source library that provides access to a variety of different file archive formats, and it’s used just about everywhere. Cisco Talos has recently worked with the maintainers of libarchive to patch three rather severe bugs in the library. Because of the number of products that include libarchive in their handling of compressed files, Talos urges all users to patch/upgrade related, vulnerable software.

Tuesday, June 14, 2016

Microsoft Patch Tuesday - June 2016

This post was authored by Warren Mercer.

Patch Tuesday for June 2016 has arrived, when Microsoft releases its monthly set of security bulletins designed to address security vulnerabilities within its products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Windows Search Component, and WPAD.

Bulletins Rated Critical

Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this release.

MS16-063 and MS16-068 are this month's bulletins for Microsoft Internet Explorer and Edge browsers. The IE security bulletin addresses vulnerabilities in Internet Explorer versions 9, 10, and 11. The IE bulletin covers 10 vulnerabilities in total and resolves eight memory corruption bugs, seven of which are critical, an XSS filter vulnerability, and a WPAD vulnerability. The Edge bulletin addresses eight vulnerabilities, consisting of four memory corruption bugs, two information disclosure vulnerabilities, one security feature bypass, and a PDF remote code execution vulnerability.

Thursday, June 9, 2016

TeslaCrypt: The Battle is Over

Talos has updated its TeslaCrypt decryptor tool, which now works with any version of this variant of ransomware. You can download the decryptor here.

When Talos first examined TeslaCrypt version 1.0 in April of 2015, we articulated how this ransomware operated and were able to develop a decryptor. Soon thereafter, TeslaCrypt version 2.0 was released, improving the encryption process so our original decryptor no longer worked.

Wednesday, June 8, 2016

Vulnerability Spotlight: PDFium Vulnerability in Google Chrome Web Browser

This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.

PDFium is the default PDF reader that is included in the Google Chrome web browser. Talos has identified an exploitable heap buffer overflow vulnerability in the PDFium PDF reader. By simply viewing a PDF document that includes an embedded jpeg2000 image, the attacker can achieve arbitrary code execution on the victim’s system. The most effective attack vector is for the threat actor to place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising.

Vulnerability Spotlight: ESnet iPerf3 JSON parse_string UTF Code Execution Vulnerability

This vulnerability was discovered by Dave McDaniel, Senior Research Engineer.


iPerf is a network testing application that is typically deployed in a client/server configuration and is used to measure the available network bandwidth between the systems by creating TCP and/or UDP connections. For each connection, iPerf reports maximum bandwidth, loss, and other performance related metrics. It is commonly used to evaluate and quantify the impact of network optimizations and for obtaining baseline metrics related to network performance.

iPerf3, developed by ESnet and Lawrence Berkeley National Laboratory, is a complete redesign of the original iPerf application and uses a forked cJSON library. Cisco Talos recently discovered that the forked version of the cJSON library contains a vulnerability that can lead to Remote Code Execution (RCE) on systems running the iPerf3 server daemon. This vulnerability is related to the way in which the forked cJSON library parses UTF-8/16 strings. There are currently several public iPerf3 servers that are accessible from the internet that may be susceptible to remote exploitation using this vulnerability. While the authors of the underlying cJSON library have since released a patch that resolves this vulnerability, the version of cJSON shipped with iPerf3 3.1-1 is vulnerable. The updated version of the iPerf3 application can be obtained here.

Wednesday, June 1, 2016

Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex Code-Reuse Attacks

The post was authored by Mariano Graziano.

Executive Summary

Attacks have grown more and more complex over the years. The evolution of the threat landscape demonstrates this: as mitigations have improved, adversaries have had to modify their tactics to bypass them and compromise systems. Code-reuse attacks, such as return-oriented programming (ROP), are part of this evolution and currently present a challenge to defenders, as it is an area of research that has not been studied in depth. Today, Talos releases ROPMEMU, a framework to analyze complex code-reuse attacks. In this blog post, we will identify and discuss the challenges and importance of reverse engineering these code-reuse instances. We will also present the techniques and the components of the framework to dissect these attacks and simplify analysis.

Code-reuse attacks are not new or novel. They've been around since 1997 when the first ret2libc attack was demonstrated. Since then, adversaries have been moving towards code-reuse attacks as code injection scenarios have gotten much more difficult to successfully leverage due to the increasing number of software and hardware mitigations. Improved defenses have resulted in more complex attacks being developed to bypass them. In recent years, malware writers have also started to adopt return-oriented programming (ROP) paradigms to hide malicious functionality and hinder analysis. For readers who are not familiar with ROP and want to learn more, we invite you to please read Shacham's formulation.

Unfortunately, the analysis of code-reuse attacks, such as ROP, has been largely overlooked. While there are only a small number of publicly available examples that demonstrate how complex these attacks can be, the trend is clear: adversaries will continue to leverage these types of attacks in the future. For defenders, the general lack of tooling available to help dissect these threats was one of the primary motivations for developing ROPMEMU.