Tuesday, May 30, 2017

BWT EP5 - It Has Been 0-days Since This Term was Abused

Beers with Talos Episode 5 "It Has Been 0-days Since This Term was Abused" is now available

Listen here:

Listen via iTunes
Listen directly on the Talos Podcasts page.

Episode Notes:

The crew talks about the potential of Samba echoing WannaCry and blocking SMB ports (but you already did that, RIGHT?). We discuss some history lessons and give proper usage guidance on words like 0-days, backdoors, and other terms that the industry loves to hype and abuse for extra clicks.
What we learn in the Roundtable this week: Joel struggles to resolve the conflicts inherent in his design choices, Nigel’s daughter steals high-end electronics, Matt gaslights first responders in a major American city, Craig learns the JRE sandbox is a silver bullet, and Mitch issues a passive aggressive non-apology for just trying to make you happy.

Friday, May 26, 2017

Threat Round-up for May 19 - May 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Thursday, May 25, 2017

Samba Vulnerability: Dancing Its Way to a Network Near You


Today, a new vulnerability affecting the widely used Samba software was released. Samba is the SMB/CIFS protocol commonly used in *NIX operating systems. CVE-2017-7494 has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and result in the server executing the uploaded file.  This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package.  This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. To emphasize the severity and low complexity: a metasploit one-liner can be used to trigger this vulnerability.

A patch has already been released to address the issue.  Additionally, there is a mitigation available within the configuration of Samba itself. Adding the argument "nt pipe support = no" to the global section of the smb.conf file and restarting the service will also mitigate the threat.  This threat is only beginning to be recognized by potential attackers with POC code having already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally. 

Wednesday, May 24, 2017

File2pcap - The Talos Swiss Army Knife of Snort Rule Creation

This post was authored by Martin Zeiser with contributions by Joel Esler

At Talos we are constantly on the lookout for threats to our customers networks, and part of the protection process is creating Snort rules for the latest vulnerabilities in order to detect any attacks.

To improve your understanding of the rule development process, consider a theoretical remotely exploitable vulnerability in server software Server2010. A proof-of-concept exploit is developed, the server software set up on a virtual machine, traffic is captured on  the network between attacker and victim, rule development can start, right?

But what if months or years later, the rule needs to be re-inspected, because circumstances have changed? This requires another vulnerable version of Server2010 to be found, reinstalled and reconfigured to the vulnerable parameters, to run tests again and again, so that network traffic can be inspected. Then when the server is installed, the particular exploit used does not work anymore, because the language it was written in has since changed and the code needs to be fixed accordingly. All this requires plenty of time, which is why it doesn’t happen that way. Instead, a vulnerability is identified, an exploit is written, the exploit is ran, and the attack captured using Wireshark. From then on, the traffic in said pcap file can be used to develop a correct rule. The traffic recorded in a pcap file can easily be put back on the wire using a tcp replay utility, or read directly by Snort. This is why rule developers generally work with pcaps of attacks, instead of exploits.

Regarding file-based vulnerabilities, the original process used to involve starting a local webserver and using a browser to download the exploit file, while recording the transfer using Wireshark. File2pcap revolutionized this requirement by simulating the traffic and creating the proper pcap without any hassles.

Tuesday, May 23, 2017

Modified Zyklon and plugins from India


Streams of malicious emails Talos inspects every day usually consist of active spamming campaigns for various ransomware families, phishing campaigns and the common malware family suspects such as banking Trojans and bots.. It is however often more interesting to analyze campaigns smaller in volume as they might contain more interesting malware. A few weeks ago I became interested in just such a campaign with a smaller number of circulating email messages. The email, first of them submitted from Middle East, purports to be coming from a Turkish trading company, which might further indicate the geographic area where the attacks were active. Analyzing malware is often like solving a puzzle, you have to do it piece by piece to reach the final image. In this case I spent more time analyzing the campaign than I initially planned. The campaign has many stages of the infection chain and all needed to be unraveled before the final payload level was reached. Furthermore, each of the stages used different development platform and was obfuscated in a different way. But let us start from the beginning.

Monday, May 22, 2017

Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks

When the WannaCry attack was launched a little over a week ago, it was one of the first large scale attacks leveraging the data that was leaked by the Shadow Brokers. At the time the real concern was how quickly we would begin to see other threats leverage the same vulnerabilities. Over the past couple of weeks, Talos has observed other malware variants that are using the ETERNALBLUE and DOUBLEPULSAR exploits from the Shadow Brokers release as part of their campaigns. Among them were Adylkuzz, Uiwix, and EternalRocks.

Adylkuzz is a piece of malware that uses ETERNALBLUE and DOUBLEPULSAR to install cryptocurrency mining software on the infected system. This attack actually pre-dates the WannaCry attack and has continued to deliver the cryptocurrency miner.

Uiwix uses a similar technique to install ransomware on the infected system. When the files are encrypted, the file names include "UIWIX" as part of the file extension. The key difference with this malware is that, unlike WannaCry, the Ransomware doesn't "worm itself." It only installs itself on the system.

Thursday, May 18, 2017

Terror Evolved: Exploit Kit Matures

This post is authored by Holger Unterbrink and Emmanuel Tacheau

Executive Summary

Talos is monitoring the major Exploit Kits(EK) on an ongoing basis. While investigating the changes we recently observed in the RIG EK campaigns, we identified another well known candidate: Terror Exploit Kit.

Terror EK is one of the new players who showed up after the big Exploit Kit market consolidation last year. When Angler and friends disappeared new EKs started to try their luck. Many of them were far from Angler’s quality. One of these was Terror EK which appeared end of last year. It started with a very simple version,carpet bombing the victims with many exploits at the same time, no matter if the exploit matched the victim's browser environment or not. Unfortunately, they improved the kit step by step and we saw a fast evolution up to the latest version analysed in this report.

We identified a potentially compromised legitimate web site acting as a malware gate, redirecting visitors initially to a RIG exploit kit landing page, then switching to Terror exploit kit one day later.

This may indicate how these campaigns collaborate and share resources, or possibly one campaign pirating another. Terror seems to constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim's environment and then picks potentially successful exploits depending on the victim's operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.

It is interesting to note that the adversaries are using an URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.

Wednesday, May 17, 2017

Beers with Talos Podcast Now Available

The first episodes of Beers with Talos are now available on iTunes and directly on talosintelligence.com/podcasts.

When Talos decided to make a threat intelligence podcast, we wanted to make it different than your typical buttoned down, subdued security podcast. The BWT crew: Craig, Joel, Nigel, and Mitch, decided to do that by making a podcast that is a lot like the discussions that you would have after work with colleagues - if your colleagues were both ridiculously opinionated and hyper-focused on security research. Occasionally we’ll even have some special guests join us.

At its core, Beers with Talos is four people from Talos unpacking some of the biggest recent security stories from various perspectives and making (terrible) jokes the whole time. It doesn’t matter if you are a grizzled SOC vet, a researcher, an executive, or you just want to stay informed about the threat landscape, everyone can take something away with them at the end of an episode. Check out the episodes we have released and let us know what you think and what topics you might want to hear covered or guest you would like us to invite for future episodes.

You can listen and subscribe on iTunes (or directly to our RSS feed if that’s your style). We would love to hear your feedback and ideas for future episodes - tweet @TalosSecurity using #BWT or you can email us at BeersWithTalos@cisco.com.

Tuesday, May 16, 2017

Arbitrary Code Execution Vulnerabilities in MuPDF Identified and Patched

Talos is disclosing the presence of two vulnerabilities in the Artifex MuPDF renderer. MuPDF is a lightweight PDF parsing and rendering library featuring high fidelity graphics, high speed, and compact code size which makes it a fairly popular PDF library for embedding in different projects, especially mobile and web applications. Both of these vulnerabilities, if exploited, could lead to arbitrary code execution of an attacker's choice on the target device. Both of these vulnerabilities have been responsibly disclosed and Artifex has released software updates to address these vulnerabilities.

Vulnerability Details

Two memory corruption vulnerabilities exist within Artifex MuPDF render that could result in arbitrary code execution if exploited. These two vulnerabilities manifest as a result of improperly parsing and handling parts of a PDF file.

Friday, May 12, 2017

Player 3 Has Entered the Game: Say Hello to 'WannaCry'

This post was authored by Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams.

Executive Summary

A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet.

Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry appears to primarily utilize the ETERNALBLUE modules and the DOUBLEPULSAR backdoor. The malware uses ETERNALBLUE for the initial exploitation of the SMB vulnerability. If successful it will then implant the DOUBLEPULSAR backdoor and utilize it to install the malware. If the DOUBLEPULSAR backdoor is already installed the malware will still leverage this to install the ransomware payload. This is the cause of the worm-like activity that has been widely observed across the internet

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.

Threat Round-up for May 05 - May 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 05 and May 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

Jaff Ransomware: Player 2 Has Entered The Game

This post was written by Nick Biasini, Edmund Brumaghin and Warren Mercer with contributions from Colin Grady


Talos is constantly monitoring the email threat landscape and tracking both new threats as well as changes to existing threats. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. While Cisco customers were already automatically protected against this threat, we decided to take a deeper look at this threat and its possible implications across the threat landscape. We have outlined the infection process and additional relevant information regarding this threat in detail below.

Vulnerability Spotlight: Hangul Word Processor Remote Code Execution Vulnerability

Vulnerability discovered by a member of Talos.


Published by Hancom inc. the Hangul Office Suite, of which Hangul Word Processor is part, is the leading word processing and office productivity suite in South Korea. This vulnerability allows attackers to craft a malicious document that when opened, allows the attacker to cause arbitrary code to be executed on the victim’s system.

Tuesday, May 9, 2017

Microsoft Patch Tuesday - May 2017

Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, Sharepoint, and Windows.

In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.

Monday, May 8, 2017

Vulnerability Spotlight: WolfSSL library X.509 Certificate Text Parsing Code Execution Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos


Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.

This particular vulnerability is related to the use of x.509 certificates and the code that deals with string fields in DER certificates. Specifically the code responsible for parsing 'commonName', 'countryName', 'localityName', 'stateName', 'orgName', and 'orgUnit'. A specially crafted x.509 certificate can cause a single out-of-bounds overwrite that could result in certificate validation issues, denial of service, or remote code execution. To trigger this vulnerability, the adversary needs to supply a malicious x.509 certificate to either the server or client application that is making use of this library. The full details surrounding the vulnerability are available here.

Friday, May 5, 2017

Vulnerability Spotlight: Power Software PowerISO ISO Code Execution Vulnerabilities

These vulnerabilities were discovered by Piotr Bania of Cisco Talos.

Today, Talos is releasing details of a new vulnerability discovered within the Power Software PowerISO disk imaging software. TALOS-2017-0318 and TALOS-2017-0324 may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the PowerISO software.


The vulnerabilities are present in the Power Software PowerISO disk imaging utility, used by Windows users to create, edit, mount and convert various popular disk image file formats. The software is commonly used by home users to mount ISO disk images since this capability is not included by default in Windows versions prior to version 8.

ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.

Thursday, May 4, 2017

Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

These vulnerabilities were discovered by Marcin 'Icewall' Noga of Talos.

Today, Talos is disclosing several vulnerabilities that have been identified in the AntennaHouse DMC library which is used in various products for web-based document searching and rendering. These vulnerabilities manifest as a failure to correctly parse Microsoft Office documents and could be exploited to achieve arbitrary code execution. These vulnerabilities are being disclosed in coordination with AntennaHouse.

Vulnerability Details

Multiple heap corruption vulnerabilities exist within AntennaHouse DMC HTMLFilter that could be exploited to achieve arbitrary code execution on the targeted machine. These vulnerabilities manifest due to improper handling of Microsoft Office documents, such as Word and PowerPoint files. An adversary that passes a specifically crafted document to the converter could exploit one of these vulnerabilities. Note that the method that an adversary could compromise a vulnerable machine varies as this library is known to be incorporated into other third-party products.

Wednesday, May 3, 2017

Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

This post authored by Sean Baird and Nick Biasini

Attackers are always looking for creative ways to send large amount of spam to victims. A short-lived, but widespread Google Drive themed phishing campaign has affected a large number of users across a variety of verticals. This campaign would be bcc'd to a target while being sent to hhhhhhhhhhhhhhhh@mailinator[.]com, to make this email appear legitimate the sender would be someone who had the target in their address book.

Mailinator is a "free, public, email system where you can use any inbox you want," often used for throwaway accounts. In this instance, the Mailinator inbox in question could have been used by the spammer to monitor whether or not the email was successfully sent. The use of Mailinator, however, is not what made this campaign unique.

KONNI: A Malware Under The Radar For Years

This blog was authored by Paul Rascagneres

Executive Summary

Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.

Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution: