Monday, April 23, 2018

Cryptomining Campaign Returns Coal and Not Diamond

Executive summary


Soon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that was tied to Bitvote.

Apart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack.

The payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms.

The campaign was active in February and March, and so far, it has brought limited returns for attackers.

Friday, April 20, 2018

Beers with Talos EP27: Smart Install, Vuln Process Realities, and Professional Wrestling



Beers with Talos (BWT) Podcast Episode 27 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP27 Show Notes: 

Recorded 4/13/18 - We just upgraded all our gear, so naturally we had a straight tech meltdown this week and we saved it the best we could. Matt will sound way better next week. Promise. We cover Smart Installer. Again. But that leads down a discussion of security versus convenience that leads to us discussing the process of vuln disclosure - how vendor discussions, release dates, and policies work in the real world.

Seriously, we grounded Matt’s computer for misbehaving with the audio.

Thursday, April 19, 2018

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

Overview

Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.  Update to the current version of Foxit PDF Reader.

Details

Vulnerabilities Discovered by Aleksandar Nikolic

TALOS-2017-0506

Updates for BASS

This blog post was authored by Jonas Zaddach and Mariano Graziano.

Cisco Talos has rolled out a series of improvements to the BASS open-source framework aimed at speeding up its ability to provide coverage for new malware families. Talos released BASS, (pronounced "bæs") an open-source framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters, last June. It is meant to reduce the amount of resources required to run ClamAV by producing more pattern-based signatures, as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable, thanks to Docker, an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.




Tuesday, April 17, 2018

Vulnerability Spotlight: Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability

This vulnerability was discovered by Claudio Bozzato of Cisco Talos.

Executive Summary


The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for a variety of uses, including as a home security monitoring device. Talos recently identified 32 vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details of in two blog posts here and here. In continuing our security assessment of these devices, Talos has discovered an additional vulnerability. In accordance with our coordinated disclosure policy, Talos has worked with Foscam to ensure that this issue has been resolved and that a firmware update is made available for affected customers. This vulnerability could be leveraged by an attacker to gain the ability to completely take control of affected devices.

Friday, April 13, 2018

Threat Roundup for April 6 - 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 6 and 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and we will discuss how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

Malware monitor - leveraging PyREBox for malware analysis

This post was authored by Xabier Ugarte Pedrero

In July 2017 we released PyREBox, a Python Scriptable Reverse Engineering Sandbox as an open source tool. This project is part of our continuous effort to create new tools to improve our workflows. PyREBox is a versatile instrumentation framework based on QEMU.

It allows us to run a whole operating system in a virtual environment (emulator), and to inspect and modify its memory and registers at run-time. A small set of QEMU modifications allows users to instrument certain events such as instruction execution or memory read/writes.

On top of this, PyREBox leverages Virtual Machine Introspection techniques to bridge the semantic gap, that is, understanding OS abstractions such as processes, threads, or libraries. You can find the more detailed description of the framework as well as its capabilities in the original blogpost.

In the past few months we have received positive feedback from the community, fixed bugs and added features suggested by the users. We also added support for GNU/Linux guests, and implemented an agent (program run inside the emulated guest) that allows file transfer between a host and a guest, as well as execution of samples in the guest on demand.

As part of this ongoing effort, today we are releasing a set of PyREBox scripts that are designed to aid malware analysis: Malware monitor. These scripts automate different tasks, such as code coverage analysis, API tracing, memory monitoring, and process memory dumping.

Thursday, April 12, 2018

Vulnerability Spotlight: TALOS-2018-0529-531 - Multiple Vulnerabilities in NASA CFITSIO library

Vulnerabilities discovered by Tyler Bohan from Talos


Overview

Talos is disclosing three remote code execution vulnerabilities in the NASA CFITSIO library. CFITSIO is a library of C and Fortran subroutines for reading and writing data files in the Flexible Image Transport System (FITS) data format. FITS is a standard format endorsed by both NASA and the International Astronomical Union for astronomical data.

Specially crafted images parsed via the library can cause a stack-based buffer overflow, overwriting arbitrary data. An attacker can deliver a malicious FIT image to trigger this vulnerability, and potentially gain the ability to execute code.

Wednesday, April 11, 2018

Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities

Discovered by Lilith Wyatt of Cisco Talos

Overview



Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve's award winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. The latest SDL version (2.0.8) can be found here.

Vulnerability Spotlight: Multiple Computerinsel PhotoLine PSD Code Execution Vulnerabilities



Discovered by Tyler Bohan of Cisco Talos

Overview


Today, Cisco Talos is disclosing a vulnerability within Computerinsel PhotoLine's PSD-parsing functionality. Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PSD documents. PSD is a document format used by Adobe Photoshop, and is supported by many third-party applications throughout the industry.

The vulnerability arises in parsing the PSD document. The application takes data directly from the document without verification and uses it to calculate an address. The document has a specially crafted blending channel value leading to this miscalculation. Below is the area of the crash.

Tuesday, April 10, 2018

Microsoft Patch Tuesday - April 2018

Microsoft Patch Tuesday - April 2018


Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 65 new vulnerabilities and one advisory, with 25 of them rated critical, 39 of them rated important and one of them rated moderate. These vulnerabilities impact Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Windows kernel, Windows Hyper-V, Microsoft Scripting Engine and more.

In addition, an update for Adobe Flash Player was released.

IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution


Update: 4/11 we have corrected the detection to Ursnif/Dreambot

This post was authored by Ross Gibb with research contributions from Daphne Galme, and Michael Gorelik of Morphisec, a Cisco Security Technical Alliance partner.

Cisco has noticed an increase in infections by the banking trojan IcedID through our Advanced Malware Protection (AMP) system. Security researchers first reported a new banking Trojan known as "IcedID" [1] in November 2017. At the time of discovery, IcedID was being distributed by Emotet, another well-known banking trojan malware. In late February and throughout March 2018, we noticed an increase in infections from IcedID being detected throughout the AMP ecosystem. Like in November 2017, some of the infections could be traced to Emotet, but this time, many detections could instead be traced to emails with attached malicious Microsoft Word documents containing macros. When the malicious documents are opened and the macros are enabled, Ursnif/Dreambot, another trojan, would be downloaded and executed, which subsequently downloads IcedID. In addition to Ursnif/Dreambot, many of the samples downloaded a second payload, a Bytecoin miner (Bytecoin is a crypto currency similar to bitcoin).

Friday, April 6, 2018

Beers with Talos EP26: Talos is Holding a Conference, and the Evolving Battle at the Edge


Beers with Talos (BWT) Podcast Episode 26 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP26 Show Notes: 


Recorded 3/29/18 - Joel is sitting out this week, and Bill Largent from the Outreach team fills in. We are pretty sure he was just running late trying to live on Joel Mean Time which, coincidentally, is now a GitHub project thanks to Moses (link below). We cover a wide range of topics in this episode, so stay with us! We chat about the Talos Threat Research Summit coming in June, we wonder where the carrots to match the sticks in security are, and weigh the value of finding your own damn vulns. The last part of the show starts with discussing GoScanSSH, which ends up being a discussion on the larger battle for the edge.

Thursday, April 5, 2018

Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client

Update: 4/9 Cisco PSIRT has released additional guidance available here.

Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. Some of these attacks are believed to be associated with nation-state actors, such as those described in U.S. CERT's recent alert. As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.

On Feb. 14, 2017, Cisco's Product Security Incident Response Team (PSIRT) released an advisory detailing active scanning associated with Cisco Smart Install Clients. The Cisco Smart Install Client is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches. As a response to this activity, Cisco Talos published a blog and released an open-source tool that scans for devices that use the Cisco Smart Install protocol. In addition to the release of the scanning tool, additional coverage has been released for Snort (SID: 41722-41725) to detect any attempts to leverage this type of technology.

Wednesday, April 4, 2018

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


Talos has discovered multiple vulnerabilities in Natus NeuroWorks software. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks.

We identified a number of vulnerabilities falling into two classes:

  • Four code execution vulnerabilities
  • One denial of service vulnerability.


The first category allows code execution on the medical device through a specially crafted network packet. The second category can cause the vulnerable service to crash. The vulnerabilities can be triggered remotely without authentication.

Tuesday, April 3, 2018

Vulnerability Spotlight: Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability

This vulnerability is discovered by Patrick DeSantis and Dave McDaniel of Cisco Talos

Today, Talos is disclosing TALOS-2017-0507 (CVE-2017-14459), a vulnerability that has been identified in Moxa AWK-3131A industrial wireless access point.

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. The manufacturer specifically highlights automated materials handling and automated guided vehicles as target markets.

An exploitable OS Command Injection vulnerability exists in the Telnet, SSH and the local login port functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware versions 1.4 and newer. An attacker can inject commands via the username parameter, resulting in remote, unauthenticated, root-level operating system command execution.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

Monday, April 2, 2018

Fake AV Investigation Unearths KevDroid, New Android Malware


This blog post is authored by Warren Mercer, Paul Rascagneres, Vitor Ventura and with contributions from Jungsoo An.

Summary


Several days ago, EST Security published a post concerning a fake antivirus malware targeting the Android mobile platform. In the Korean media, it was mentioned that there could be a link between this Android malware and Group 123. Talos decided to investigate this malware. And due to our reporting and history of following of Group 123, we discovered some interesting elements.

Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim's phone calls. One variant uses a known Android exploit (CVE-2015-3636) in order to get root access on the compromised Android device. The data of both variants was sent using an HTTP POST to a unique command and control (C2) server. The ability to record calls was implemented based on an open-source project available on GitHub. We named this malware "KevDroid."

Another RAT (this time targeting Windows) was identified hosted on the command and control server in use by KevDroid. This malware specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). The attackers use the PubNub API in order to publish orders to the compromised systems. This behaviour explains why we named it "PubNubRAT."

At this time, we cannot identify a link between these samples and the Group 123 sample. We only identified a bundle of tactics, techniques and procedural elements that were too weak to identify a real link.

Wednesday, March 28, 2018

Vulnerability Spotlight: Multiple Vulnerabilities in Allen Bradley MicroLogix 1400 Series Devices

These vulnerabilities were discovered by Jared Rittle and Patrick DeSantis of Cisco Talos.

Summary


Rockwell Automation Allen-Bradley MicroLogix 1400 Programmable Logic Controllers (PLCs) are marketed for use in a variety of different Industrial Control System (ICS) applications and processes. As such, these devices are often relied upon for the performance of critical process control functions in many different critical infrastructure sectors. Previously, Cisco Talos released details regarding a vulnerability that was present in these devices. Cisco Talos continued analysis of these devices and discovered additional vulnerabilities that could be leveraged to modify device configuration and ladder logic, write modified program data into the device's memory module, erase program data from the device's memory module, or conduct Denial of Service (DoS) attacks against affected devices. Depending on the affected PLCs within an industrial control process, this could result in significant damages.

Vulnerability Spotlight: Multiple Nvidia D3D10 Driver Pixel Shader Vulnerabilities

Discovered by Piotr Bania of Cisco Talos

Overview


Today, Cisco Talos is disclosing multiple vulnerabilities that exist within the Nvidia D3D10 driver. This driver is used throughout multiple GPU product lines available from Nvidia. This is a commonly used driver, and exploitation can even affect VMware, thus giving rise to a potential guest-to-host escape. It is strongly recommended that patches are applied immediately.

Monday, March 26, 2018

Forgot About Default Accounts? No Worries, GoScanSSH Didn’t

This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.


Executive Summary


During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.

Thursday, March 22, 2018

Talos Threat Research Summit at Cisco Live US 2018

Cisco Talos presents a conference by Defenders, for Defenders.

Talos had one goal in mind when creating a brand new conference: Make something that we'd want to attend ourselves.  As such, the Talos Threat Research Summit is aimed at being a one-day conference by defenders, for defenders. This summit is designed to assist you in keeping your users and network safer. Our roster of experienced speakers will share their deep expertise in network defense, tracking the bad guys and identifying trends in the threat landscape. The goal of the summit is that you will leave with up-to-date, actionable intel you can take back to your network and use immediately.  There are also opportunities for networking with your defense-focused peers and security leaders.

More information, including the agenda and speaker line-up will be released in the coming weeks, so stay tuned!

What: Talos Threat Research Summit
When: June 10, 2018
Where: Hyatt Regency, Orlando, Florida – at Cisco Live!


Tuesday, March 20, 2018

Beers with Talos EP 25: WE'LL DO IT LIVE!!!


Beers with Talos (BWT) Podcast Episode 25 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP25 Show Notes: 

Recorded 3/13/18 - LIVE from San Jose, California. First of all – we still have a podcast and jobs, so ostensibly, we did OK hosting the meeting we talked about last time. There may have even been an award involved, just sayin'.  Since we were all together and we didn’t get fired, we decided to do our podcast live after the meeting for an audience. We are joined by Talos Senior Director Matt Watchinski on this episode, discussing such existential questions as “why security?” and more concrete things like nation state vs. cybercriminal actors and their differing motivations. We also discuss router security and network devices as a preferred attack vector for advanced actors. Special bonus: Matt beats perhaps the last laugh out of the dead horse that is Paul Revere himself. #BeastieBoys #CantBooShowNotes

Tuesday, March 13, 2018

Microsoft Patch Tuesday - March 2018

Microsoft Patch Tuesday - March 2018

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 74 new vulnerabilities, with 14 of them rated critical and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, Scripting Engine, Windows Shell and more.

Critical Vulnerabilities

Thursday, March 8, 2018

Beers with Talos EP24: Reflections on DDoS and Bad Authentication Schemes



Beers with Talos (BWT) Podcast Episode 24 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP24 Show Notes: 


Recorded 3/2/18 - Craig is out this week, but the rest of the crew goes through COINHORDER and Memcached, and takes a deeper look at authentication and passwords. We cover an overview of reflection attacks and how some password schemes that are meant to protect, actually cause harm. We also bid you farewell, since our next episode is supposed to be live after the crew hosts a meeting that stands a not-insignificant chance of getting us all fired. Wish us luck — and send us questions that Craig can pose to really important Cisco executives.

Tuesday, March 6, 2018

Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution

This blog post was authored by Edmund Brumaghin and Holger Unterbrink, with contributions from Adam Weller.


Executive Summary


Gozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Since then, Talos has been monitoring Gozi ISFB activity, and has discovered a series of campaigns over the past six month that have been making use of the elusive "Dark Cloud" botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.

Thursday, March 1, 2018

Vulnerability Spotlight: Simple DirectMedia Layer’s SDL2_Image



Overview



Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low-level access to audio, keyboard, mouse, joystick and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games, including Valve's award-winning catalog, and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. Simple DirectMedia Layer has released a new version of sdl image, 2.0.3 to address this issue, which can be downloaded here. Talos recommends installing this update as quickly as possible on affected systems.

Vulnerability Spotlight: Dovecot out-of-bounds Read Vulnerability


Overview


Today, Cisco Talos is disclosing a single out-of-bounds read vulnerability in the Dovecot IMAP server. Dovecot is a popular internet message access protocol, or IMAP, server with performance and security-oriented design. It is a popular choice for robust email servers. In accordance with our coordinated disclosure policy, Talos has worked with Dovecot to ensure that this issue has been resolved. Dovecot has released version 2.2.34 to address this issue. Talos recommends installing this update as quickly as possible on affected systems.

Wednesday, February 28, 2018

CannibalRAT targets Brazil




This post was authored by Warren Mercer and Vitor Ventura

Introduction


Talos has identified two different versions of a RAT, otherwise known as a remote access trojan, that has been written entirely in Python and is wrapped into a standalone executable. The RAT is impacting users of a Brazilian public sector management school.

The samples of two different versions of this RAT, both versions (3.0 and 4.0 according to the information within the samples analyzed) were written using Python and packed into an executable using a common tool called py2exe. The malware main script bytecode is stored in a portable executable (PE) section called PYTHONSCRIPT, while the Python DLL is stored in a section called PYTHON27.DLL. All the remaining modules' bytecode is compressed and stored in the executable overlay.

Both versions have all the usual RAT capabilities, however, during our investigation it became clear that version 4.0 (the latest) is a stripped-down version, where some features were removed, as explained later, to be part of a targeted campaign.

The target of such campaign are the users of INESAP - Instituto Nacional Escola Superior da Administração Pública, which is a Brazilian public sector management school that also does consulting work.

Monday, February 26, 2018

Who Wasn’t Responsible for Olympic Destroyer?

This blog post is authored by Paul Rascagneres and Martin Lee.


Summary


Absent contributions from traditional intelligence capacities, the available evidence linking the Olympic Destroyer malware to a specific threat actor group is contradictory, and does not allow for unambiguous attribution. The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers to false attribution flags. This false attribution could embolden an adversary to deny an accusation, publicly citing evidence based upon false claims by unwitting third parties. Attribution, while headline grabbing, is difficult and not an exact science. This must force one to question purely software-based attribution going forward.

Friday, February 23, 2018

Threat Round Up for Feb 16 - 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 16 and February 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Adobe Acrobat Reader DC Document ID Remote Code Execution Vulnerability


Discovered by Aleksandar Nikolic of Cisco Talos

Overview


Today, Talos is releasing details of a new vulnerability within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to return address overwrite which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Thursday, February 22, 2018

Beers with Talos EP23 - Eternal Fauxmance: Attribution Easter Eggs



Beers with Talos (BWT) Podcast Episode 23 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP23 Show Notes: 


Recorded 2/16/18 - This week, Mitch learns about starting a show without Matt with no other plans to control Craig in place. The team discusses Olympic Destroyer and then takes on attribution in light of recent developments with Nyetya. We look at what attribution actually takes and the ease and commonality of planting false flags.

Tuesday, February 20, 2018

Talos Quarterly Threat Briefing - Winter 2018


Date: Tuesday, February 27, 2018

Time: 1:00pm ET/10:00am PT

Topic: Miners, Malspam, and Meltdowns 

Recording available here: http://cs.co/TalosQTB-Q218R


Space is limited for this event, so be sure to save your spot.  Following the webinar, the video will also be made available here.

In this edition of the Talos Quarterly Threat Briefing, Nick Biasini from Cisco Talos will discuss vital intel around the most prevalent and damaging threats of the last quarter.  Join the briefing to take a look at targeted attacks, get an intel on Necurs, and learn about the shift to malicious mining.

Friday, February 16, 2018

Threat Round Up for Feb 9 - Feb 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 9 and February 16. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, February 14, 2018

COINHOARDER: Tracking a Ukrainian Bitcoin Phishing Ring DNS Style

This post is authored by Jeremiah O'Connor and Dave Maynor with contributions from Artsiom Holub and Austin McBride. 

Executive Summary


Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims. This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims. This campaign demonstrates just how lucrative these sorts of malicious attacks can be for cybercriminals. Additionally, the revenue generated by these sorts of attacks, can then be reinvested into other cybercriminal operations.

Tuesday, February 13, 2018

Microsoft Patch Tuesday - February 2018

Microsoft Patch Tuesday - February 2018

Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 54 new vulnerabilities with 14 of them rated critical, 38 of them rated important, and 2 of them rated Moderate. These vulnerabilities impact Outlook, Edge, Scripting Engine, App Container, Windows, and more.

Monday, February 12, 2018

Olympic Destroyer Takes Aim At Winter Olympics



This blog post is authored by Warren Mercer and Paul Rascagneres. Ben Baker and Matthew Molyett contributed to this post.

Update 2/13 08:30 We have updated the information regarding the use of stolen credentials

Update 2/12 12:00: We have updated the destructor section with action taken against mapped file shares


Summary


The Winter Olympics this year is being held in Pyeongchang, South Korea. The Guardian, a UK Newspaper reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. Sunday 11th February the Olympic games officials confirmed a cyber attack occurred but did not comment or speculate further.

Talos have identified the samples, with moderate confidence, used in this attack. The infection vector is currently unknown as we continue to investigate. The samples identified, however, are not from adversaries looking for information from the games but instead they are aimed to disrupt the games. The samples analysed appear to perform only destructive functionality. There does not appear to be any exfiltration of data. Analysis shows that actors are again favouring legitimate pieces of software as PsExec functionality is identified within the sample. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This is something we have witnessed previously with BadRabbit and Nyetya.

Friday, February 9, 2018

Threat Round Up for Feb 2 - Feb 9

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 2 and February 9. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, February 7, 2018

Targeted Attacks In The Middle East

This blog post is authored by Paul Rascagneres with assistance of Martin Lee.

Executive Summary


Talos has identified a targeted attacks affecting the Middle East. This campaign contains the following elements, which are described in detail in this article.

  • The use of allegedly confidential decoy documents purported to be written by the Jordanian publishing and research house, Dar El-Jaleel. This institute is known for their research of the Palestinian-Israeli conflict and the Sunni-Shia conflict within Iran.
  • The attacker extensively used scripting languages (VBScript, PowerShell, VBA) as part of their attack. These scripts are used to dynamically load and execute VBScript functions retrieved from a Command & Control server.
  • The attacker demonstrates excellent operational security (OPSEC). The attacker was particularly careful to camouflage their infrastructure. During our investigation, the attacker deployed several reconnaissance scripts in order to check the validity of victim machine, blocking systems that don't meet their criteria. The attacker uses the reputable CloudFlare system to hide the nature and location of their infrastructure. Additionally, the attacker filters connections based on their User-Agent strings, and only enables their infrastructure for short periods of time before blocking all connections.

This is not the first targeted campaign against the region that uses Dar El-Jaleel decoy documents which we have investigated. However, we have no indication that the previous campaigns are related.

Tuesday, February 6, 2018

Beers with Talos EP 22: Forget the ASA, Rob Joyce Favorited Craig’s Tweet



Beers with Talos (BWT) Podcast Episode 22 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP22 Show Notes: 

Recorded 2/2/18 - Guests two EPs in a row! We are joined by Omar Santos from Cisco PSIRT to discuss CVE-2018-0101, the Cisco ASA Remote Code Execution and Denial of Service Vulnerability. See the PSIRT post below for latest updates. We also discuss Crypto miners overtaking ransomware, a Flash 0-day carrying a known ROKRAT payload (huh??), and we couldn’t escape discussing Autosploit because Rob Joyce faved one of Craig’s tweets.

Friday, February 2, 2018

Flash 0-Day In The Wild: Group 123 At The Controls

This blog post is authored by Warren Mercer and Paul Rascagneres.

Executive Summary


The 1st of February, Adobe published an advisory concerning a Flash vulnerability (CVE-2018-4878). This vulnerability is a use after free that allows Remote Code Execute through a malformed Flash object. Additionally KISA (Korean CERT) published an advisory about a Flash 0-day used in the wild. Talos identified that an attacker exploited this vulnerability with a Flash object embedded in a Microsoft Excel document. By opening the document, the exploit was executed in order to download an additional payload from a compromised website.

We identified that the downloaded payload is the well-known Remote Administration Tool named ROKRAT. We already extensively spoke about this RAT on several articles in this blog: here, here, here and here. It is particularity used with cloud platforms in order to exfiltrate documents and manage infected systems.

Wednesday, January 31, 2018

Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The Dark Side of the Digital Gold Rush


This post was authored by Nick Biasini, Edmund Brumaghin, Warren Mercer and Josh Reynolds with contributions from Azim Khodijbaev and David Liebenberg.


Executive Summary


The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks.

This focus on mining isn't entirely surprising, considering that various cryptocurrencies along with "blockchain" have been all over the news as the value of these currencies has exponentially increased. Adversaries have taken note of these gains and have been creating new attacks that help them monetize this growth. Over the past several months Talos has observed a marked increase in the volume of cryptocurrency mining software being maliciously delivered to victims.

In this new business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day to day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high which may make them attractive to cyber criminals moving forward.

To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year. Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically. It is important to note that due to volatility present across cryptocurrency markets, these values may change drastically from day to day. All calculations in this blog were made based on XMR/USD at the time of this writing.

Monday, January 29, 2018

2017 in Snort Signatures.

This post was written by Martin Lee and Vanja Svajcer.

2017 was an eventful year for cyber security with high profile vulnerabilities that allowed self-replicating worm attacks such as WannaCry and BadRabbit to impact organizations throughout the world. In 2017, Talos researchers discovered many new attacks including backdoors in legitimate software such as CCleaner, designed to target high tech companies as well as M.E.Doc, responsible for initial spread of Nyetya. Despite all those, headline making attacks are only a small part of the day to day protection provided by security systems.

In this post we review some of the findings created by investigating the most frequently triggered Snort signatures as reported by Cisco Meraki systems and included in the Snort default policy set.

Friday, January 26, 2018

Beers with Talos EP 21: How to Hire the Best, Attribution Without Apaches is Useless



Beers with Talos (BWT) Podcast Episode 21 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP21 Show Notes: 

It is a packed episode this time! We are joined by Edmund from the Talos Outreach Group to chat about Threat Modeling after we make our way through attribution and Group 123, hipster artisanal patching (hand flipped bits!), and spend a good bit of time talking about how Talos identifies the cream of the crop when we are hiring.

Vulnerability Spotlight: Walt Disney Per-Face Texture Mapping faceInfoSize Code Execution Vulnerability

This vulnerability was discovered by Tyler Bohan of Cisco Talos.

Executive Summary


Walt Disney PTEX is an open source software application maintained by Walt Disney Animation Studios. It is designed for use in post-production rendering. It allows for the storage of thousands of texture mappings within a single file. This particular software library is in many other software applications such as Pixar's RenderMan, giving it a large install base. A list of other applications that have incorporated PTEX is available here. Talos has recently discovered a stack-based buffer overflow in PTEX that could potentially allow a remote attacker to execute arbitrary code on affected systems.

Monday, January 22, 2018

SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks


This post was written by Vitor Ventura

Introduction


Talos has been working in conjunction with Cisco IR Services on what we believe to be a new variant of the SamSam ransomware. This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Given SamSam's victimology, its impacts are not just felt within the business world, they are also impacting people, especially if we consider the Healthcare sector. Non-urgent surgeries can always be rescheduled but if we take as an example patients where the medical history and former medical treatment are crucial the impact may be more severe. Furthermore, many critical life savings medical devices are now highly computerized. Ransomware can impact the operation of these devices making it very difficult for medical personnel to diagnose and treat patients leading to potentially life threatening situations. Equipment that might be needed in time-sensitive operations may be made unavailable due to the computer used to operate the equipment being unavailable.

The initial infection vector for these ongoing attacks is currently unknown and Talos is investigating this in order to identify it. The history of SamSam indicates that attackers may follow their previous modus operandi of exploiting a host and then laterally moving within their target environment to plant and later run the SamSam ransomware. Previously, we observed the adversaries attacking vulnerable JBoss hosts during a previous wave of SamSam attacks in 2016. Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold.

Thursday, January 18, 2018

The Many Tentacles of the Necurs Botnet


This post was written by Jaeson Schultz.

Introduction

Over the past five years the Necurs botnet has established itself as the largest purveyor of spam worldwide. Necurs is responsible for emailing massive amounts of banking malware, ransomware, dating spam, pump-n-dump stock scams, work from home schemes, and even cryptocurrency wallet credential phishing. Necurs sends so much spam that at times Necurs' spam campaigns can make up more than 90% of the spam seen by Cisco Talos in one day.

To conduct a deeper analysis of Necurs, Talos extracted 32 distinct spam campaigns sent by Necurs between August 2017 and November 2017. The result was a collection of over 2.1 million spam messages, sent from almost 1.2 million distinct sending IP addresses in over 200 countries and territories.

Beers with Talos EP20: Crypto, Vuln Disco, and the Spectre Meltdown



Beers with Talos (BWT) Podcast Episode 20 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP20 Show Notes: 

This is easily our best podcast of 2018 (so far). The crew discusses the recent spike in crypto-mania sweeping the globe and also goes in-depth on how vulnerability discovery plays a critical role in overall security. Plus, the crew all (shockingly) have different takes on Spectre/Meltdown and Craig decides to up the ante with the killer robots.

Timeline:

The Roundtable

01:20 - Matt - Discussing Cats - a BOGO on denigrating cultural icons
04:59 - Nigel - The Reds will be victorious and glorious, of course
07:11 - Craig - Probably not the firefighter/arsonist of the security world. Probably.
09:23 - Joel - Arctic bombs and picking a bone with Mother Nature
12:04 - MItch - Tales of the short lives of expensive presents

The Topics

15:10 - CRYPTO MANIA!!! HMB while I take out a second mortgage, also Ethereum CLIENT vulns
24:10 - Vuln disco - why it matters, discussion around recent Blender vulns
39:30 - Meltdown and Spectre - Breaking down the actual threat, risk/exposure, and mitigation
54:28 - Parting shots

The Links and Credits:

Ethereum Client Bugs blog post: http://blog.talosintelligence.com/2018/01/vulnerability-spotlight-multiple.html
Bitcoin Pizza Twitter: https://twitter.com/bitcoin_pizza?lang=en
Blender Vuln Spotlight blog post: http://blog.talosintelligence.com/2018/01/unpatched-blender-vulns.html
Meltdown/Spectre blog post: http://blog.talosintelligence.com/2018/01/meltdown-and-spectre.html
Phantom Tolley relevant XKCD: http://www.explainxkcd.com/wiki/index.php/1938:_Meltdown_and_Spectre
Critical Role (Geek and Sundry Twitch): https://geekandsundry.com/shows/critical-role/
Alexa Silver: https://www.youtube.com/watch?v=YvT_gqs5ETk
==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Wednesday, January 17, 2018

Vulnerability Spotlight: Tinysvcmdns Multi-label DNS DoS Vulnerability

Overview

Talos is disclosing a single NULL pointer dereference vulnerability in the tinysvcmdns library. Tinysvcmdns is a tiny MDNS responder implementation for publishing services. This is essentially a mini and embedded version of Avahi or Bonjour. 

Details

Discovered by Claudio Bozzato, Yves Younan, Lilith Wyatt, and Aleksandar Nikolic of Cisco Talos.

Tuesday, January 16, 2018

Korea In The Crosshairs

This blog post is authored by Warren Mercer and Paul Rascagneres and with contributions from Jungsoo An.

A one year review of campaigns performed by an actor with multiple campaigns mainly linked to South Korean targets.

Executive Summary


This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns:

  • "Golden Time" campaign.
  • "Evil New Year" campaign.
  • "Are you Happy?" campaign.
  • "FreeMilk" campaign.
  • "North Korean Human Rights" campaign.
  • "Evil New Year 2018" campaign.

On January 2nd of 2018, the "Evil New Year 2018" was started. This campaign copies the approach of the 2017 "Evil New Year" campaign.

The links between the different campaigns include shared code and compiler artifacts such as PDB (Program DataBase) patterns which were present throughout these campaigns.

Based on our analysis, the "Golden Time", both "Evil New Year" and the "North Korean Human Rights" campaigns specifically targeted South Korean users. The attackers used spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite. Group 123 has been known to use exploits (such as CVE-2013-0808) or scripting languages harnessing OLE objects. The purpose of the malicious documents was to install and to execute ROKRAT, a remote administration tool (RAT). On occasion the attackers directly included the ROKRAT payload in the malicious document and during other campaigns the attackers leveraged multi-stage infection processes: the document only contained a downloader designed to download ROKRAT from a compromised web server.

Additionally, the "FreeMilk" campaign targeted several non-Korean financial institutions. In this campaign, the attackers made use of a malicious Microsoft Office document, a deviation from their normal use of Hancom documents. This document exploited a newer vulnerability, CVE-2017-0199. Group 123 used this vulnerability less than one month after its public disclosure. During this campaign, the attackers used 2 different malicious binaries: PoohMilk and Freenki. PoohMilk exists only to launch Freenki. Freenki is used to gather information about the infected system and to download a subsequent stage payload. This malware was used in several campaigns in 2016 and has some code overlap with ROKRAT.

Finally, we identified a 6th campaign that is also linked to Group 123. We named this 6th campaign "Are You Happy?". In this campaign, the attackers deployed a disk wiper. The purpose of this attack was not only to gain access to the remote infected systems but to also wipe the first sectors of the device. We identified that the wiper is a ROKRAT module.

Friday, January 12, 2018

Threat Round Up for January 5 - 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between January 05 and January 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 11, 2018

Vulnerability Spotlight: Multiple Unpatched Vulnerabilities in Blender Identified


Update 1/25/18: Blender has released version 2.79a to address these issues

Technology has evolved in incredible ways that has helped people to create and visualize media like never before. Today, people can use tools such as Blender to visualize, model, and animate 3D content, especially since it's free and open-source software. However, this also make it an attractive target for adversaries to audit and find vulnerabilities. Given the user base of Blender, exploiting these vulnerabilities to compromise a user could have a significant impact as attackers could use the foothold gained by attacking Blender to further compromise an organization's network.

Today, Talos is disclosing multiple vulnerabilities that have been identified in Blender. These vulnerabilities could allow an attacker to execute arbitrary code on an affected host running Blender. A user who opens a specially crafted file in Blender that is designed to trigger one of these vulnerabilities could be exploited and compromised.

Talos has responsibly disclosed these vulnerabilities to Blender in an attempt to ensure they are addressed. However, Blender has declined to address them stating that "fixing these issues one by one is also a waste of time." As a result, there currently is no software update that addresses these vulnerabilities. Additionally, Blender developers believe that "opening a file with Blender should be considered like opening a file with the Python interpreter, you have [to trust] the source it is coming from."

Talos has offered advice to help with these issues. We realize that one developer in an open source project does not speak on behalf of the entire project. The discussion on Blender's site continues.

Wednesday, January 10, 2018

Vulnerability Spotlight: Ruby Rails Gem XSS Vulnerabilities

Vulnerabilities discovered by Zachary Sanchez of Cisco ASIG

Overview


Talos has discovered two XSS vulnerabilities in Ruby Rails Gems. Rails is a Ruby framework designed to create web services or web pages. Ruby Gems is a package manager for distributing software packages as 'gems'. The two XSS vulnerabilities were discovered in two different gem packages: delayed_job_web and rails_admin.

Ruby is widely used as a language for web development. Gem packages allow software engineers to reuse code across multiple development projects. As such, the discovery of a vulnerability in a gem may mean that many different systems are affected by that vulnerability.

Tuesday, January 9, 2018

Microsoft Patch Tuesday - January 2018

Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities with 16 of them rated critical, 39 of them rated important and 1 of them rated Moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.

In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base article which covers this issue.

Vulnerability Spotlight: Multiple Vulnerabilities in the CPP and Parity Ethereum Client

Vulnerabilities discovered by Marcin Noga of Cisco Talos.


Overview


Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.

TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.

TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.

Further on, TALOS-2017-0464 - TALOS-2017-0471 / CVE-2017-12112 - CVE-2017-12119 describe multiple Authorization Bypass Vulnerabilities which an attacker could misuse to access functionality reserved only for users with administrative privileges without any credentials.

Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerabilities in the CPP-Ethereum JSON-RPC implementation. A specially crafted json request can cause an unhandled exception resulting in a denial of service.

Monday, January 8, 2018

Meltdown and Spectre

Cisco Talos is aware of three new vulnerabilities impacting Intel, AMD, Qualcomm and ARM processors used by almost all computers. We are investigating these issues and although we have not observed exploitation of these vulnerabilities in the wild, that does not mean that it has not occurred. We have observed publicly available proof of concept exploit code being developed to exploit these vulnerabilities.

These issues have been assigned the following CVE entries:

Meltdown: An attacker can access kernel memory from user space
Spectre: An attacker can read memory contents from other users' running programs

Friday, January 5, 2018

Threat Round Up for December 29 - January 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between December 29 and January 05. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 4, 2018

Not So Crystal Clear - Zeus Variant Spoils Ukrainian Holiday

This post was authored by Edmund Brumaghin with contributions from Ben Baker, Dave Maynor and Matthew Molyett.

Introduction


Talos has observed a cyber attack which was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). This vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. However, the attackers did not compromise the firm's update servers and did not have the level of access noted in the Nyetya compromise. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. Websites being compromised to serve malicious content is common and it appears that CFM's website was leveraged in the same way. This can be achieved through exploitation of existing vulnerabilities in server-side software or brute-forcing weak credentials, allowing attackers to gain remote administrative access. The fact that it is an accounting software company in Ukraine and the timing of the attack increased visibility.

This attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine. The details of the specific malware infection process itself have been previously documented here. Talos was able to register and sinkhole one of the Command and Control (C2) domains and through this, obtain additional details regarding the scope of this attack and associated victims. This blog provides additional information related to the geographic regions that were targeted by this attack as well as the size and scope of of systems that were successfully compromised.

Wednesday, January 3, 2018

Tutorial: Mutiny Fuzzing Framework and Decept Proxy

Here's a basic demo video for our new opensource tools, Decept and Mutiny. Happy New Year <(^_^)> 
~ Lilith
Recently, Talos released new tools to assist in the monumental task of finding vulnerabilities in network applications. Mutiny and Decept work together to help researchers fuzz quickly and effectively with some unique features.  For more info on Mutiny Fuzzing Framework and Decept Proxy, see the initial blog post here:
http://cs.co/6058DJPR2


This tutorial assumes the following are previously installed:

Mutiny Fuzzing Framework: https://github.com/Cisco-Talos/mutiny-fuzzer
Decept Proxy: https://github.com/Cisco-Talos/Decept
Python 2.7