Friday, December 29, 2017

Beers with Talos EP 19: The "Best" of BWT

Beers with Talos (BWT) Podcast Episode 19 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing:

EP19 Show Notes: 

Quotes intended, we think you know why. Mitch takes control to present the best of the first (partial) year of the podcast. He covers some of our guests, some of our favorite non-security bits, and a look back at our in-the-moment view of some of the top stories of the year. 

Things you can look forward to: A few of our favorite bits from 2017, Mitch struggling through sailing solo with unnecessary ukulele music, and some of our questionable moments...but the clips are really good!


The Guests

02:06 - Bill Largent
04:30 - Sean Baird’s Fake News and Fake Joel/Fake Matt
08:35 - We finally get to Sean
15:30 - Dr. Adam J. O’Donnell, PhD. and Mitch is mortified

Fave Bits

20:55 - The Birth of Craig v. Robots
22:30 - 1994, The Year the Music Died

The Big Stories

31:10 - WannaCry - a look back at the first response
37:40 - Importance of Conveying Doubt
40:09 - Nyetya - Great breakdown and a look at supply chain attacks
49:24 - CCleaner - Supply chain security

The Links and Credits:

Ukulele song: Akashic Records - Hot Summer Ukelele - Provided by Jamendo
Confession song: Shady Dave - My love (piano loop)
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).

Find all episodes:

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog:

Subscribe to the Threat Source newsletter:

Follow Talos on Twitter:

Give us your feedback and suggestions for topics:

Tuesday, December 19, 2017

Vulnerability Spotlight: VMWare VNC Vulnerabilities

UPDATE 03/15/2018: Added details for Talos-2017-0376/CVE-2018-6957 which has been recently patched.

Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMWare's products that could result in code execution. VMWare implements VNC for remote management, remote access, and automation purposes in products including Workstation, Player, and ESXi, which share a common VMWare VNC code base. The vulnerabilities are exposed to any attacker who can initiate a VNC session to an affected product, since the session itself carries the traffic that triggers them. Talos has coordinated with VMWare to ensure the issues were disclosed responsibly and patched by the vendor. Additionally, Talos has developed Snort signatures that can detect attempts to exploit these vulnerabilities.

These vulnerabilities were identified using the recently released Decept Proxy and Mutiny Fuzzer. With these tools, fuzzing could begin almost immediately: generate VNC traffic, pass it through the Decept Proxy to record the session, and then fuzz the resulting .fuzzer file with Mutiny. None of this requires any knowledge of the VMWare-specific protocol extensions. For more details about the Decept Proxy and the Mutiny Fuzzer, see our recent blog.

Virus Bulletin Publication And Presentation

The Virus Bulletin conference is a well-regarded, intimate technical conference focused on malware research. It provides a good balance between listening to technical talks and exchanging experiences with colleagues from different companies, all working on the same task of making our computing environments more secure.

This past October, Talos participated in the Virus Bulletin conference in Madrid with a talk presented by Warren Mercer and me, Paul Rascagneres. This talk covered the latest techniques used in the reconnaissance phase of attacks by APT actors. During the presentation, we demonstrated how the reconnaissance phase is executed as part of the infection process in order to protect valuable zero-day exploits, malware frameworks, and other tools.

Friday, December 15, 2017

Beers with Talos EP 18: Kitties in My Blockchain, Obfuscating Pronunciations, and Other Security Stuff

Matt Olney, Earl of Ethereum - "Holy ****! We have a cat"

Beers with Talos (BWT) Podcast Episode 18 is now available.  Download this episode and subscribe to Beers with Talos:


EP18 Show Notes: 

It’s the last full episode of the year! Thanks to you and the diligent work of Matt’s loving mother, the first 17 EPs of Beers with Talos were downloaded over 200,000 times in 2017! To show our gratitude, we are giving you not one, but TWO roundtables this week and even a special bonus rant! Also, Mitch can’t say words good, and Craig reads us stories from the blog! 

Subscribe on iTunes, Google Play, or Stitcher so you don't miss an episode!

00:53 - Roundtable 1, mostly about Craig trying to burn yet another house down
17:40 - Christmas Present for Craig - special bonus rant
24:27 - PyREBox wins Volatility Plugin Contest
27:08 - Bonus Roundtable - Favorite Security stories of 2017
39:23 - Obfuscation in networks and samples OR Gear is more than cost and speed
50:55 - Back to Basics - Starting with Security
57:05 - OMG!! CRYPTOKITTIES!!! (Okay, we discuss/roast blockchain a bit, too)
1:08:40 - Closing shots and parting thoughts

If you read this far in the notes, send us an email with your t-shirt size and "Why does Craig mess with his mic so much?" in the subject line. One email will be picked randomly (this week only) and we will send you a BWT pint glass and t-shirt.  Maybe we'll pick a few... it's the holidays.
We have our winners for this week - Congrats Andre, Hunter, and Matt! Wear your tees and hoist your pints with pride, lads!

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)


Tuesday, December 12, 2017

Microsoft Patch Tuesday - December 2017

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 34 new vulnerabilities, 21 of them rated critical and 13 rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

In addition to the 34 vulnerabilities addressed, Microsoft has also released an update for Microsoft Office which improves security by disabling the Dynamic Data Exchange (DDE) protocol. This update is detailed in ADV170021 and impacts all supported versions of Office. Organizations that are unable to install this update should consult the advisory for workarounds that help mitigate DDE exploitation attempts.

Friday, December 8, 2017

Threat Round Up for Dec 01 - Dec 08

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between December 01 and December 08. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Vulnerability Spotlight: TALOS-2017-0393 / CVE-2017-2886 - ACDSee Ultimate 10 Remote Code Execution Vulnerability

Vulnerability discovered by Piotr Bania of Cisco Talos.


Talos has discovered a remote code execution vulnerability in the ACDSee Ultimate 10 application from ACD Systems International Inc. Exploiting this vulnerability can potentially allow an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted .PSD (Photoshop) file and the victim opens it with ACDSee Ultimate 10, the attacker's code could be executed with the privileges of the local user.

Thursday, December 7, 2017

The Mutiny Fuzzing Framework and Decept Proxy

This blog post is authored by James Spadaro of Cisco ASIG and Lilith Wyatt of Cisco Talos.

Imagine a scenario where you, as a vulnerability researcher, are tasked with auditing a network application to identify vulnerabilities. By itself, the task may not seem too daunting until you learn of a couple of conditions and constraints: you have very little information on how the network application operates or how its protocols work, and you have a limited amount of time to conduct your evaluation. What do you do?

In these scenarios, searching for and identifying vulnerabilities in network applications can be a monumental task. Fuzzing is one testing method researchers can use in these cases to find vulnerabilities efficiently. The question then becomes: how does one fuzz quickly and effectively?

Enter the Mutiny Fuzzing Framework and the Decept Proxy.
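The record-then-mutate workflow that this post and the VMWare VNC post above describe (capture a session through the Decept Proxy, then fuzz the recorded client messages with Mutiny, without understanding the protocol) in miniature, as an added example written for this page. It is not code from Mutiny or Decept and does not use their .fuzzer format. The captured session is a constructed RFB 3.8 (VNC) handshake, and the mutation strategies, the case dictionary layout, and the send/recv plan shape are this example's own assumptions.

```python
import random
from typing import Callable, Dict, List, Tuple

Message = Tuple[str, bytes]   # ("c" = client->server | "s" = server->client, payload)

# Constructed sample session (not a real Decept capture): the opening of an
# RFB 3.8 (VNC) exchange as a man-in-the-middle proxy would record it.
SAMPLE_SESSION: List[Message] = [
    ("s", b"RFB 003.008\n"),        # server announces its protocol version
    ("c", b"RFB 003.008\n"),        # client answers with the version it will use
    ("s", b"\x01\x01"),             # one security type offered: 1 = None
    ("c", b"\x01"),                 # client selects security type 1
    ("s", b"\x00\x00\x00\x00"),     # SecurityResult: 0 = OK
    ("c", b"\x01"),                 # ClientInit: shared-flag = 1
]

INTERESTING_BYTES = [0x00, 0x7F, 0x80, 0xFF]
Mutator = Callable[[bytes, random.Random], bytes]


def bit_flip(msg: bytes, rng: random.Random) -> bytes:
    """Flip one random bit; the cheapest way to hit off-by-one style checks."""
    if not msg:
        return msg
    buf = bytearray(msg)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)


def overwrite(msg: bytes, rng: random.Random) -> bytes:
    """Replace one byte with a boundary value (zero, sign bit, all ones)."""
    if not msg:
        return msg
    buf = bytearray(msg)
    buf[rng.randrange(len(buf))] = rng.choice(INTERESTING_BYTES)
    return bytes(buf)


def insert_run(msg: bytes, rng: random.Random) -> bytes:
    """Splice in a long run of 'A's to probe fixed-size buffers and length fields."""
    pos = rng.randrange(len(msg) + 1)
    return msg[:pos] + b"A" * rng.choice([16, 256, 1024, 4096]) + msg[pos:]


def truncate(msg: bytes, rng: random.Random) -> bytes:
    """Cut the message short (possibly to zero bytes) to exercise short-read paths."""
    return msg[: rng.randrange(len(msg) + 1)]


def repeat(msg: bytes, rng: random.Random) -> bytes:
    """Send the same message several times back to back to shake out state-machine bugs."""
    return msg * rng.choice([2, 8, 64])


STRATEGIES: Dict[str, Mutator] = {
    "bit_flip": bit_flip,
    "overwrite": overwrite,
    "insert_run": insert_run,
    "truncate": truncate,
    "repeat": repeat,
}


def generate_cases(session: List[Message], count: int, seed: int) -> List[dict]:
    """Produce `count` test cases, each mutating exactly one client message.
    Seeding the RNG makes any crashing case reproducible from (seed, case number)."""
    rng = random.Random(seed)
    client_idx = [i for i, (direction, _) in enumerate(session) if direction == "c"]
    cases = []
    for n in range(count):
        idx = rng.choice(client_idx)
        name = rng.choice(sorted(STRATEGIES))
        cases.append({
            "case": n,
            "index": idx,
            "strategy": name,
            "data": STRATEGIES[name](session[idx][1], rng),
        })
    return cases


def replay_plan(session: List[Message], case: dict) -> List[Tuple[str, object]]:
    """Turn one case into the send/recv script a replayer would run against the
    target: earlier client messages go out unchanged and each server message is
    consumed by its recorded length, so the session stays in sync up to the
    point where the mutated message is delivered."""
    plan: List[Tuple[str, object]] = []
    for i, (direction, data) in enumerate(session):
        if direction == "s":
            plan.append(("recv", len(data)))
        else:
            plan.append(("send", case["data"] if i == case["index"] else data))
    return plan


if __name__ == "__main__":
    for case in generate_cases(SAMPLE_SESSION, count=5, seed=1):
        print(case["case"], case["strategy"], "msg", case["index"], case["data"][:24])
```

The point of the plan is that a protocol-unaware replayer only needs the recorded direction and length of each message to keep the target's state machine in step; everything the target sent in the capture is simply consumed, and only the one chosen client message is altered.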

Wednesday, December 6, 2017

Recam Redux - DeConfusing ConfuserEx

This post is authored by Holger Unterbrink and Christopher Marczewski


This report shows how to deobfuscate a custom .NET ConfuserEx-protected malware. We identified this recent malware campaign in our Advanced Malware Protection (AMP) telemetry. Initial infection is via a malicious Word document; the malware ultimately executes in memory an embedded payload from the Recam family. Recam is an information stealer. Although the malware has been around for the past few years, there's a reason you won't see a significant amount of documentation concerning its internals. The authors have gone the extra mile to delay analysis of the sample, including multiple layers of data encryption, string obfuscation, piecewise nulling, and data buffer constructors. It also relies on its own C2 binary protocol, which is heavily encrypted along with any relevant data before transmission.