Monday, November 19, 2018

Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN


Vulnerabilities discovered by Jared Rittle of Cisco Talos.

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

Overview


There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20. However, these can only be exploited with an authenticated session. The remote code execution is done under the context of HTTPD However, since the HTTPD process is running under root, an attacker can run code with elevated privileges.

All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS 2018-0620, which was found only on HWv3 FRNv1.3.0.

Friday, November 16, 2018

Threat Roundup for Nov. 9 to Nov. 16



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 09 and Nov. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, November 14, 2018

Beers with Talos Ep. #41: Sex, money and malware



Beers with Talos (BWT) Podcast Ep. #41 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #41 show notes: 

Recorded Nov. 9, 2018 — We tried to make this episode last week, but thanks to some technical difficulties, we ended up calling that one a practice run. Here is take two, focused on recent sextortion scams and the pending machine learning apocalypse. We also review why vulnerability discovery and red teams are the most import line items in your security budget by looking a recent story where a breach cost dozens of lives.

Tuesday, November 13, 2018

Microsoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities, 11 of which are rated "critical," 40 that are rated "important” and one “moderate” and “low” vulnerability, each.

The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.

This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

For more on our coverage for these vulnerabilities, check out the SNORTⓇ blog post here.

Friday, November 9, 2018

Threat Roundup for November 2 to November 9


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 02 and Nov. 09. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 8, 2018

Metamorfo Banking Trojan Keeps Its Sights on Brazil

This blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura.

Executive Summary


Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers. Cisco Talos recently identified two ongoing malware distribution campaigns being used to infect victims with banking trojans, specifically financial institutions' customers in Brazil. Additionally, during the analysis of these campaigns, Talos identified a dedicated spam botnet that is currently delivering malicious spam emails as part of the infection process.

Distribution campaigns


While analyzing these campaigns, Talos identified two separate infection processes that we believe attackers have used between late October and early November. These campaigns used different file types for the initial download and infection process, and ultimately delivered two separate banking trojans that target Brazilian financial institutions. Both campaigns used the same naming convention for various files used during the infection process and featured the abuse of link-shortening services to obscure the actual distribution servers used. The use of link shorteners also allows some additional flexibility. Many organizations allow their employees to access link shorteners from corporate environments, which could enable the attacker to shift where they are hosting malicious files, while also enabling them to leverage these legitimate services in email-based campaigns.

Monday, November 5, 2018

Persian Stalker pillages Iranian users of Instagram and Telegram

This blog post is authored by Danny Adamatis, Warren Mercer, Paul Rascagneres, Vitor Ventura and with the contributions of Eric Kuhla.

Introduction

State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.

Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it's mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for "promoting violence." The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.

Friday, November 2, 2018

Threat Roundup for Oct. 26 to Nov. 2



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 26 and Nov. 02. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 1, 2018

CyberVets U.S.A.: The mission after transition

Christopher Marshall, a veteran of the U.S. Navy, currently serves as Director of Cybersecurity Research for Cisco Talos Intelligence Group.

As a veteran of the U.S. Navy, I’ve had the opportunity to use some of the greatest technology this country has to offer — from night vision goggles, to thermal cameras, to radio and satellite command and control equipment — even the care and feeding of nuclear reactors. When it was time for me to transition from the military to the civilian world, my post-military career led me to work for the Cisco Talos Intelligence Group, where I’ve found that many who served are also excellent teammates in the fast-paced, ever-shifting domain of cybersecurity. These men and women exhibit leadership, teamwork, inclusion, integrity, efficiency, and (importantly) the ability to acquire technical prowess. These are highly desirable traits in any industry, especially one that is predicated on trust and a willingness to always learn and evolve.

Talos Vulnerability Deep Dive - TALOS-2018-0636 / CVE-2018-3971 Sophos HitmanPro.Alert vulnerability

Marcin Noga of Cisco Talos discovered this vulnerability.

Introduction


Sophos patched two vulnerabilities in Sophos HitmanPro.Alert in version 3.7.9.759. We publicly disclosed these issues last week here, Cisco Talos will show you the process of developing an exploit for one of these bugs. We will take a deep dive into TALOS-2018-0636/CVE-2018-3971 to show you the exploitation process.

Sophos HitmanPro.Alert is a threat-protection solution based on heuristic algorithms that detect and block malicious activity. Some of these algorithms need kernel-level access to gather the appropriate information they need. The software's core functionality has been implemented in the `hmpalert.sys` kernel driver by Sophos. This blog will show how an attacker could leverage TALOS-2018-0636 to build a stable exploit to gain SYSTEM rights on the local machine.

Wednesday, October 31, 2018

Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera

Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.

Overview



Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.

The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.

It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup.

There are many consequences to a security vulnerability within the firmware of this security camera. An attacker could exploit these vulnerabilities to:

  • Disable the camera to prevent it from recording.
  • Delete stored videos on the camera.
  • View video feeds from the camera.
  • Potentially launch attacks against the camera owner's phone app.
  • Act as a foothold into the home network to attack other devices inside.


This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.

Anatomy of a sextortion scam

This blog was written by Jaeson Schultz.

Since this July, attackers are increasingly spreading sextortion-type attacks across the internet. Cisco Talos has been investigating these campaigns over the past few months. In many cases the spammers harvested email addresses and passwords from a publicly available data breach, and then used this data to facilitate their sextortion attacks. While the attackers do not actually have any compromising videos showing the victim, the emails claim to have explicit videos that they will distribute if the victim doesn't pay the extortion payment by a certain time. By including the recipient's password along with their demands for payment, the attackers hope to legitimize their claims about having compromising material concerning the victim. While these attacks have been in the wild for months, Talos wanted to take a closer look at some of these campaigns to see why users were being tricked into sending the attackers large amounts of bitcoin despite the attackers' empty threats. By examining some of the sextortion spam campaigns in detail, our researchers were able to gain insight into how these criminals operate.

Tuesday, October 30, 2018

Talos Vulnerability Discovery Year in Review - 2018


Introduction


Cisco Talos' Vulnerability Discovery Team investigates software and operating system vulnerabilities in order to discover them before malicious threat actors. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. Once these patches become available, the Talos detection content becomes public, as well. You can find all of the release information via the Talos vulnerability information page here.

Over the past several years, our research team has improved the pace at which we disclose vulnerabilities. Talos increased the number of vulnerabilities it disclosed 22 percent year-over-year, and we hope to continue to grow that number. As of Oct. 23, Cisco has updated it's vendor vulnerability and discovery policy. You can read the complete details here.

Monday, October 29, 2018

GPlayed's younger brother is a banker — and it's after Russian banks

This blog post is authored by Vitor Ventura.

Introduction


Cisco Talos published its findings on a new Android trojan known as "GPlayed" on Oct. 11. At the time, we wrote that the trojan seemed to be in the testing stages of development, based on the malware's code patterns, strings and telemetry visibility. Since then, we discovered that there's already a predecessor to GPlayed, which we are calling "GPlayed Banking." Unlike the first version of GPlayed, this is not an all-encompassing banking trojan. It is specifically a banking trojan that's looking to target Sberbank AutoPay users, a service offered by the Russian state-owned bank.

GPlayed Banking is spread in a similar way to the original GPlayed. It's disguised as a fake Google app store, but actually installs the malware once it's launched. This further illustrates the point that Android users need to be educated on how to spot a malicious app, and that they should be careful as to what privileges they assign to certain programs.
The malicious application is on the left-hand side.

Friday, October 26, 2018

Threat Roundup for October 19 to October 26


Today, Talos is is publishing a glimpse into the most prevalent threats we've observed between Oct. 19 and Oct. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Talos-2018-0694 - MKVToolNix mkvinfo read_one_element Code Execution Vulnerability





Piotr Bania, Cory Duplantis and Martin Zeiser of Cisco Talos discovered this vulnerability.

Overview


Today, Cisco Talos is disclosing a vulnerability that we identified in the MKVToolNix mkvinfo utility that parses the Matroska file format video files (.mkv files).

MKVToolNix is a set of tools to create, alter and inspect Matroska files on Linux, Windows and other operating systems.

Matroska is a file format for storing common multimedia content, like movies or TV shows, with implementations consisting of mostly of open-source software. Matroska file extensions are MKV for video, MK3D for stereoscopic video, MKA for audio-only files and MKS for subtitle-only files.

Thursday, October 25, 2018

Vulnerability Spotlight: TALOS-2018-0635/0636 - Sophos HitmanPro.Alert memory disclosure and code execution vulnerabilities

Marcin Noga of Cisco Talos discovered this vulnerability.


Overview

Cisco Talos is disclosing two vulnerabilities in Sophos HitmanPro.Alert, a malware detection and protection tool. Both vulnerabilities lie in the input/output control (IOCTL) message handler. One could allow an attacker to read kernel memory contents, while the other allows code execution and privilege escalation. Both vulnerabilities were patched by Sophos in version 3.7.9.759.

Wednesday, October 24, 2018

Beers with Talos EP40: BWT XL feat. SuperMicro, Giant Patches, and More Mobile Malware



Beers with Talos (BWT) Podcast Ep. #40 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #40 show notes: 

Recorded Oct. 19, 2018 — In celebration of episode No. 40 and hitting over 1 million downloads(!!!), we go XL. This episode is a bit long, but we go a bit deeper than usual to discuss a few things that are highly unusual — namely, the extra-large patches dropped by Oracle, and the extra-large questions surrounding the Bloomberg/Super Micro story. We also talk about a few mobile threats we have seen and what we have brewing in the mobile threat space.

Friday, October 19, 2018

Threat Roundup for October 12 to October 19


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 12 and 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF



Beers with Talos (BWT) Podcast Ep. #39 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #39 show notes: 

Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.

Thursday, October 18, 2018

Tracking Tick Through Recent Campaigns Targeting East Asia

This blog post is authored by Ashlee Benge and Jungsoo An, with contributions from Dazhuo Li.

Summary



Since 2016, an advanced threat group that Cisco Talos is tracking has carried out cyberattacks against South Korea and Japan. This group is known by several different names: Tick, Redbaldknight and Bronze Butler.

Although each campaign employed custom tools, Talos has observed recurring patterns in the actor's use of infrastructure, from overlaps in hijacked command and control (C2) domains to differing campaign C2s resolving to the same IP. These infrastructure patterns indicate similarities between the Datper, xxmm backdoor, and Emdivi malware families. In this post, we will dive into these parallels and examine the methods used by this actor.

Vulnerability Spotlight: Live Networks LIVE555 streaming media RTSPServer code execution vulnerability



These vulnerabilities were discovered by Lilith Wyatt of Cisco Talos.

Cisco Talos is disclosing a code execution vulnerability that has been identified in Live Networks LIVE555 streaming media RTSPServer.

LIVE555 Streaming Media is a set of open-source C++ libraries developed by Live Networks Inc. for multimedia streaming. The libraries support open standards such as RTP/RTCP and RTSP for streaming, and can also manage video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis. It is used internally by well-known software such as VLC and MPlayer.

An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library, which is not part of media players, but interacts with them. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

Tuesday, October 16, 2018

Vulnerability Spotlight: Linksys ESeries Multiple OS Command Injection Vulnerabilities



These vulnerabilities were discovered by Jared Rittle of Cisco Talos.

Cisco Talos is disclosing several vulnerabilities in the operating system on the Linksys E Series of routers.

Multiple exploitable OS command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine.

Monday, October 15, 2018

Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox

This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel Tacheau.


Executive Summary


Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called "Agent Tesla," and other malware such as the Loki information stealer. Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat Grid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don't detect it. In this post, we will outline the steps the adversaries took to remain undetected, and why it's important to use more sophisticated software to track these kinds of attacks. If undetected, Agent Tesla has the ability to steal user's login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.

Friday, October 12, 2018

Threat Roundup for October 5 to October 12


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 5 and 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 11, 2018

GPlayed Trojan - .Net playing with Google Market

This blog post is authored by Vitor Ventura.

Introduction

In a world where everything is always connected, and mobile devices are involved in individuals' day-to-day lives more and more often, malicious actors are seeing increased opportunities to attack these devices. Cisco Talos has identified the latest attempt to penetrate mobile devices — a new Android trojan that we have dubbed "GPlayed." This is a trojan with many built-in capabilities. At the same time, it's extremely flexible, making it a very effective tool for malicious actors. The sample we analyzed uses an icon very similar to Google Apps, with the label "Google Play Marketplace" to disguise itself.

The malicious application is on the left-hand side.

Wednesday, October 10, 2018

Microsoft WindowsCodecs.dll SniffAndConvertToWideString Information Leak Vulnerability

These vulnerabilities were discovered by Marcin Noga of Cisco Talos.

Today, Cisco Talos is disclosing a vulnerability in the WindowsCodecs.dll component of the Windows operating system.

WindowsCodecs.dll is a component library that exists in the implementation of Windows Imaging Component (WIC), which provides a framework for working with images and their data. WIC makes it possible for independent software vendors (ISVs) and independent hardware vendors (IHVs) to develop their own image codecs and get the same platform support as standard image formats (ex. TIFF, JPEG, PNG, GIF, BMP and HDPhoto).

Tuesday, October 9, 2018

Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

Today, Cisco Talos is disclosing a vulnerability in VMware Workstation that could result in denial of service. VMware Workstation is a widely used virtualization platform designed to run alongside a normal operating system, allowing users to use both virtualized and physical systems concurrently.

TALOS-2018-0589

Discovered by Piotr Bania of Cisco Talos

Microsoft Patch Tuesday — October 18: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, 12 of which are rated "critical," 34 that are rated "important,” two that are considered to have “moderate” severity and one that’s rated as “low.”

The advisories cover bugs in the Chakra scripting engine, the Microsoft Edge internet browser and the Microsoft Office suite of products, among other software.

This update also includes a critical advisory that covers updates to the Microsoft Office suite of products.

Please visit the SNORTⓇ blog here if you would like to know more about the coverage we have for these vulnerabilities.

Vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator

Vulnerabilities discovered by Piotr Bania of Cisco Talos

Talos is disclosing a pointer corruption vulnerability in the Intel Unified Shader compiler for the Intel Graphics Accelerator.


Overview

In order for the graphics to be produced, the graphics accelerators need to process the OpenGL scripts into actual graphics. That process is named "shader compilation." On the Intel Graphics accelerator, this is done inside the igdusc64 dynamic linked library (DLL), and this is where the vulnerability exists.

Friday, October 5, 2018

Threat Roundup Sept 28 - Oct 5

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 28 and Oct. 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, October 3, 2018

Vulnerability Spotlight: Google PDFium JBIG2 Image ComposeToOpt2WithRect Information Disclosure Vulnerability


Discovered by Aleksandar Nikolic of Cisco Talos

Overview


Cisco Talos is releasing details of a new vulnerability in Google PDFium's JBIG2 library. An exploitable out-of-bounds read on the heap vulnerability exists in the JBIG2-parsing code in Google Chrome, version 67.0.3396.99. A specially crafted PDF document can trigger an out-of-bounds read, which can possibly lead to an information leak. That leak could be used as part of an exploit. An attacker needs to trick the user into visiting a malicious site to trigger the vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos has worked with Google to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

Tuesday, October 2, 2018

BruCON Primer: 10 Years and Cisco Talos Talks

Cisco Talos will have a significant presence at the 10th edition of BruCON, which kicks off this week. Below, you will find the presentations that Talos researchers will give, along with a brief overview of the topics they will discuss. We are fortunate to have multiple speakers presenting this year: Benny Ketelslegers, Jared Rittle and Lilith Wyatt.

Vulnerability Spotlight: Adobe Acrobat Reader DC Collab reviewServer Remote Code Execution Vulnerability

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Today, Cisco Talos is releasing details of a new vulnerability within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a large user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. The one method call required to trigger this vulnerability is privileged and can only be called from trusted functions or a trusted location. Additionally, the use-after-free condition is only triggered upon closing the application.

Monday, October 1, 2018

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader


Vulnerabilities discovered by Aleksandar Nikolic of Cisco Talos

Overview


Cisco Talos is disclosing eightteen vulnerabilities in Foxit PDF Reader, a popular free program for viewing, creating and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin.

Vulnerability Spotlight: Multiple vulnerabilities in Atlantis Word Processor

Vulnerabilities discovered by Cory Duplantis of Cisco Talos.


Overview


Cisco Talos is disclosing several vulnerabilities discovered in Atlantis Word Processor. Atlantis Word Processor is a portable word processor that is also capable of converting any TXT, RTF, ODT, DOC, WRI, or DOCX document into an eBook in the ePub format.

Friday, September 28, 2018

Beers with Talos Ep. #38 — More fun with VPNFilter; Getting pwnd via spreadsheet



Beers with Talos (BWT) Podcast Ep. #38 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #38 show notes: 

Recorded Sept. 21, 2018 — The whole crew is back together! On the agenda today is VPNFilter part III, now with more known third-stage payloads. As much as we have talked about multi-part posts, you know we wouldn’t post if it wasn’t important (on the blog, that is. That rule obviously doesn’t apply here). We are also releasing a related open-source tool: Winbox Protocol Dissector. Finally, we delve into an antivirus-avoiding remote access tool (RAT).

Threat Roundup Sept 21 - 28


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, September 26, 2018

VPNFilter III: More Tools for the Swiss Army Knife of Malware

Summary


VPNFilter — a multi-stage, modular framework that has infected hundreds of thousands of network devices across the globe — is now known to possess even greater capabilities. Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic. And while we believe our work, and the work of our international coalition of partners, has mostly neutralized the threat from VPNFilter, it can still be difficult to detect in the wild if any devices remain unpatched.

Talos has been researching VPNFilter for months. Our initial findings are outlined here, and a description of additional modules used by the framework is here. As part of our continued investigation, we developed a technique to examine a key protocol used by MikroTik networking devices to hunt for possible exploitation methods used by the actor.

As we followed the thread of VPNFilter infections, it became clear that MikroTik network devices were heavily targeted by the threat actor, especially in Ukraine. Since these devices seemed to be critical to the actor's operational goals, this led us to try to understand how they were being exploited. Part of our investigation included the study of the protocol used by MikroTik's Winbox administration utility. In this blog, we'll share how and why we studied this protocol, as well as the decoder tool we developed as a way of helping the security community look into this protocol for potential malicious actor activity.

The sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking. Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries.

Tuesday, September 25, 2018

Vulnerability Spotlight: Epee Levin Packet Deserialization Code Execution Vulnerability

This vulnerability was discovered by Lilith (>_>) of Cisco Talos.

Overview


The Epee library, which is leveraged by a large number of cryptocurrencies, contains an exploitable code execution vulnerability in the Levin deserialization functionality. An attacker can send a specially crafted network packet to cause a logic flaw, resulting in remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos has worked with the developers of Monero 'Lithium Luna' to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

IDA-minsc Wins Second Place in Hex-Rays Plugins Contest

Introduction


Ali Rizvi-Santiago of Cisco Talos recently tied for second place in the IDA plugin contest with a plugin named "IDA-minsc." IDA is a multi-processor disassembler and debugger created by the company Hex-Rays and this year there were a total of four winners with nine submissions total. Every year, the company invites researchers to submit plugins that improve their products, and Talos determined that IDA-minsc would improve users' experience enough that it deserved consideration for this year's awards.

This plugin aims to make it easier for people to reverse and annotate binaries. We believe that this plugin expedites the annotation process and allows the user to work more efficiently. This is done by introducing a few concepts that change the way most users develop Python, which allows the user to treat the parts that they are reversing as more of a dataset that can be used to query and annotate as they see fit. This, combined with the plugin's various components that automatically determine a function's parameters based on the user's current selection, allows the user to very quickly write code that can be used to mark and annotate the different parts of the database.

Monday, September 24, 2018

Adwind Dodges AV via DDE

This blog post is authored by Paul Rascagneres, Vitor Ventura and with the contribution of Tomislav Pericin and Robert Perica from ReversingLabs.

Introduction


Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.

The majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud security platform. After our research, we have discovered important details about this attack, as well as the malicious, forged Microsoft Office documents that the attackers are using.

Saturday, September 22, 2018

Threat Roundup for September 14 to September 21


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, September 19, 2018

Cyber Threat Alliance Releases Cryptomining Whitepaper

This post is authored by Ashlee Benge.

Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see it as a quick way to steal other users' processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, resulting in reduced risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you — and your organization — should know about these kinds of campaigns.

This paper covers the fact that there is a low technical barrier to entry for attackers, and that there are accessible patches to protect users from many of these attacks. Because cryptomining campaigns are easy to launch, a broader set of actors have engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The use of well-known vulnerabilities by attackers essentially turns this problem into a canary-in-the-coalmine situation for defenders. If you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the weaknesses in your systems to gain access — potentially for more damaging purposes.

Prior Coverage


Snort signatures exist to provide coverage for a variety of miner downloads, malware variants related to cryptocurrency miners and to block protocols commonly used by miners.

The following SIDs detect incoming clients and miner downloads:

44692-44693, 45265-45268, 45809-45810, 45949-45952, 46365-46366 and 46370-46372.

The following SIDs detect malware variants known to be associated with miners:

20035, 20057, 26395, 28399, 28410-28411, 29493 - 29494, 29666, 30551- 30552, 31271- 31273, 31531 - 31533, 32013, 33149, 43467 - 43468, 44895 - 44899, 45468 - 45473, 45548, 45826 - 45827, 46238 - 46240.

The following SIDs detect Stratum protocols used by cryptocurrency workers:

26437, 40840 - 40842, 45417, 45549 - 45550, 45825, 45955.

Additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Monday, September 17, 2018

Beers with Talos EP 37: Snort 3 Beta Uses Multithreading. It’s Super Effective!



Beers with Talos (BWT) Podcast Ep. #37 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #37 show notes: 

Recorded Sept. 7, 2018 — We have Joel back this week (and he is very happy to have himself back), but we lost Matt and we’re still wishing Nigel a speedy recovery from becoming bionic. This episode, we cover the latest findings in our research into a malicious mobile device management (MDM) campaign that's targeting iPhones and go over the exciting changes in the newly released Snort 3 beta (your move, Valve). Bill reprises his role from last week as sentient seat-filler that makes good jokes.

Friday, September 14, 2018

Threat Roundup for September 7 to September 14


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 7 and 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 13, 2018

SigAnalyzer: Signature analysis with CASC

Executive summary



ClamAV Signature Creator (CASC) is an IDA Pro plugin that assists in the creation of ClamAV pattern signatures. We have enhanced this plugin to also analyze these signatures. The plugin highlights matching parts in a binary when its given a particular signature. This function is helpful when evaluating automatically generated signatures, e.g., from the BASS framework. As a larger number of signatures is automatically generated, it becomes ever more important to gain a quick understanding about the effects of these signatures. This functionality will allow us to check the accuracy of our signatures faster, and allow us to deliver a better product to our users.

You can read the the complete post and see the associated video on the Clam AV blog



Tuesday, September 11, 2018

Microsoft Patch Tuesday - September 2018

Microsoft released its monthly set of security updates today for a variety of its products that address a variety of bugs. The latest Patch Tuesday covers 61 vulnerabilities, 17 of which are rated "critical," 43 that are rated "important" and one that is considered to have "moderate" severity.

The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.


Friday, September 7, 2018

Threat Roundup for August 31 to September 7


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 31 and Sept. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 - Multi-provider VPN Client Privilege Escalation Vulnerabilities

Discovered by Paul Rascagneres.


Overview


Cisco Talos has discovered two similar vulnerabilities in the ProtonVPN and NordVPN VPN clients. The vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user. The vulnerabilities were assigned to the CVE IDs TALOS-2018-0622 / CVE-2018-3952 (NordVPN) and TALOS-2018-0679 / CVE-2018-4010 (ProtonVPN).

The vulnerabilities are similar to a bug previously discovered by VerSprite in April 2018: CVE-2018-10169. That same month, both clients released similar patches to fix this flaw. However, we identified a way to bypass that patch. Despite the fix, it is still possible to execute code as an administrator on the system. The details section later on in this post will explain the first patch, why it was not successful, and how the editors finally fixed the problem.

Thursday, September 6, 2018

Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities

Vulnerabilities discovered by Yuri Kramarz from the Cisco Security Advisor Team


Overview

Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities enable an attacker to bypass authentication and get unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities — no special tools are required.

Wednesday, September 5, 2018

Malicious MDM: Let's Hide This App

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Nick Biasini

Summary


Since our initial discovery of a malicious mobile device management (MDM) platform that was loading fake applications onto smartphones, we have gained greater insight into the attacker's methods. We now know how the attacker took advantage of a common MDM feature and used an iOS profile to hide and disable the legitimate versions of the apps to force the use of the malicious stand-ins.

Cisco Talos previously published two articles (here and here) on the subject. In the aforementioned campaigns, the attackers enrolled iOS devices into the MDM and used the devices to control the victim's devices, deploying malicious apps disguised as the messaging services WhatsApp, Telegram and Imo, as well as the web browser Safari.

After additional research, we now know that the attacker deployed the malicious apps after the actor deployed a profile on the enrolled devices and abused the age rating restriction functionality that exists on iOS devices. The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively. After the age rating limit was set to 9-plus, the installed legitimate applications disappeared from the device:

Friday, August 31, 2018

Threat Roundup for August 24-31


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Aug. 24 and 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.