Sunday, July 15, 2018

Beers with Talos EP33 - Change the Conversation or the People Having It?



Beers with Talos (BWT) Podcast Episode 33 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. 33 show notes: 

Recorded July 6, 2018 - This episode is a bit less technical than most, as we discuss how the conversation around security is unfolding and who is a part of it. Coincidentally (we promise), that dovetails in with Matt’s contention that everybody just needs to stop acting with unending self-interest. Once again, Craig goes on vacation and all hell breaks loose, giving birth to a new concept in ransomware — send us Bitcoin or we send Craig to a remote island for a month. Also, we are going to be doing a live episode. from BlackHat! The registration link below.

Friday, July 13, 2018

Threat Roundup for July 6-13


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between July 6 and 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is not exhaustive and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 12, 2018

Advanced Mobile Malware Campaign in India uses Malicious MDM

This blog post is authored by Warren Mercer and Paul Rascagneres and Andrew Williams.

Summary


Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.

An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.

Wednesday, July 11, 2018

Vulnerability Spotlight: Computerinsel Photoline Multiple Vulnerabilities

Vulnerabilities discovered by Tyler Bohan from Talos

Overview


Today, Cisco Talos is disclosing several vulnerabilities in Computerinsel Photoline. Photoline is an image-processing tool used to modify and edit images, as well as other graphic-related material. This product has a sizable user base and is popular in the graphic design field. The vulnerabilities are present in the parsing functionality of the software.

Tuesday, July 10, 2018

Vulnerability Spotlight: Multiple Antenna House Vulnerabilities

Discovered by Marcin Noga of Cisco Talos

Overview

Cisco Talos has identified six vulnerabilities in the Antenna House Office Server Document Converter (OSDC). These vulnerabilities can be used to remotely execute code on a vulnerable system. Antenna House Office Server Document Converter is a product designed to convert Microsoft Office documents into PDF and SVG documents.

The vulnerabilities can be exploited to locally execute code, or even remotely if the product is used in batch mode by the owners. In this context, the maliciously crafted document could be automatically handled by the product, and a successful exploitation could result in full control of the vulnerable system.

The six vulnerabilities can be exploited by a specially crafted Microsoft Office document.

Microsoft Patch Tuesday - July 2018

Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.

In addition to the 53 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180017, which addresses the vulnerabilities described in the Adobe security bulletin APSB18-24.

Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilties


Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Today, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

TALOS-2018-0569 - Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability (CVE-2018-12812)


Friday, July 6, 2018

Threat Roundup for June 29 to July 6th


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between June 29 and July 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, July 3, 2018

Smoking Guns - Smoke Loader learned new tricks

This post is authored by Ben Baker and Holger Unterbrink

 

Overview


Cisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to load other malware — for the past several months following an alert from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but further analysis showed some developments in the Smoke Loader sample resulting from this chain of malware that intrigued us. This includes one of the first uses of the PROPagate injection technique in real-world malware. Besides a report released at the end of last week describing a different RIG Exploit Kit-based campaign, we haven’t seen real-world malware using this.

Friday, June 29, 2018

Threat Roundup for June 22-29



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 22 and June 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

Today, Talos is disclosing a vulnerability in VMWare Workstation that could result in Denial of Service.  VMWare Workstation is a widely used virtualization platform designed to run alongside a normal operating system, allowing users to use both virtualized and physical systems concurrently.

TALOS-2018-0540

Discovered by a member of Cisco Talos

Wednesday, June 27, 2018

Beers with Talos EP 32 - Live from Orlando Part 2: Take All the Things Off the Internet



Beers with Talos (BWT) Podcast Episode 32 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. 32 show notes: 

Recorded June 13, 2018 — Still live in Orlando, just this time from the lovely lobby bar at the convention center hotel. We are joined by Lurene Grenier to dig a bit deeper on her keynote from the Talos Threat Research Summit. Lurene is here to give you the offensive view of attacking your network. If you want a hot take on defense from someone who is pure offense, well… buckle up and break out your cord-cutting scissors. You are already saying “We can’t do that!” Lurene is telling you that if you decide to take this seriously enough, you can and should.

Tuesday, June 26, 2018

Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor

This blog post was authored by Edmund Brumaghin, Earl Carter and Andrew Williams.

Executive summary


Cisco Talos has analyzed Thanatos, a ransomware variant that is being distributed via multiple malware campaigns that have been conducted over the past few months. As a result of our research, we have released a new, free decryption tool to help victims recover from this malware. Multiple versions of Thanatos have been leveraged by attackers, indicating that this is an evolving threat that continues to be actively developed by threat actors with multiple versions having been distributed in the wild. Unlike other ransomware commonly being distributed, Thanatos does not demand ransom payments to be made using a single cryptocurrency like bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

Additionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are unable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is accidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor. In response to this threat, Talos is releasing ThanatosDecryptor, a free decryption tool that exploits weaknesses in the design of the file encryption methodology used by Thanatos. This utility can be used by victims to regain access to their data if infected by this ransomware.

Friday, June 22, 2018

Threat Roundup for June 16-22



As usual, we are bringing you the weekly Threat Roundup to highlight the most prevalent threats we've seen between June 15 and 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos EP31 - Live from Cisco Live! - VPNFilter and Our First Summit Recap



Beers with Talos (BWT) Podcast Episode 31 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP31 Show Notes: 

Recorded June 12, 2018 — This is a special episode for two reasons! To start, we recorded this live in one take from CiscoTV Studio B at Cisco Live! in Orlando, Florida — which leads to the second reason, there is video of this episode in the show notes below. Join us as we cover the VPNFilter update Talos released June 6, and we recap the inaugural Cisco Talos Threat Research Summit.

Ed. Note - This is what no content editing looks like...

Wednesday, June 20, 2018

My Little FormBook

This blog post is authored by Warren Mercer and Paul Rascagneres.

Summary


Cisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that utilizes four different malicious documents in a single phishing email. FormBook is an inexpensive stealer available as "malware as a service." This means an attacker can purchase a compiled piece of malware based on their desired parameters. This is commonplace with crimeware and stealer type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots.

Tuesday, June 19, 2018

Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub


Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution, to denial of service. The majority of the vulnerabilities have their root cause in the unsafe usage of the strcpy() function, leading either to stack overflow or global overflow.

Friday, June 15, 2018

Threat Roundup for June 1-15



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 01 and June 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 14, 2018

Vulnerability Spotlight: TALOS-2018-0523-24 - Multiple Vulnerabilities in Pixars Renderman application

Vulnerabilities discovered by Tyler Bohan from Talos


Overview


Talos is disclosing two denial-of-service vulnerabilities in Pixar’s Renderman application. Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation during the parsing process of network packets.

Pixar remedied  these vulnerabilities in RenderMan version 21.7

Wednesday, June 13, 2018

Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability

Vulnerabilities discovered by Marcin Noga from Talos

Overview


Talos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file — at least not without registering a file-handler first. This vulnerability was assigned CVE-2018-8210 and a security patch was released as part of the June 2018 Microsoft Patch Tuesday release. The Microsoft advisory can be found here.

Tuesday, June 12, 2018

Microsoft Patch Tuesday - June 2018

Executive Summary


Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated "critical," and 39 rated "important." These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.

In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin.

Wednesday, June 6, 2018

VPNFilter Update - VPNFilter exploits endpoints, targets new devices





Introduction



Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

Finally, we've conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

Tuesday, June 5, 2018

Talos Threat Research Summit Guide and Cisco Live Preview


The first Cisco Talos Threat Research Summit is coming up at Cisco Live! in Orlando, so we are providing a quick guide to all the activities going on at the summit and beyond. The response to the summit was stronger than we could have anticipated for the first year - it sold out fast!  Next time, we definitely need a bigger boat. Whether or not you have a ticket to the summit, read on for a guide of how to stay on top of what's happening in Orlando, and how you can connect with the events Talos is holding around Cisco Live! 2018.

Vulnerability Spotlight: TALOS-2018-0535 - Ocularis Recorder VMS_VA Denial of Service Vulnerability

Vulnerabilities discovered by Carlos Pacho from Talos


Overview

Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of settings, from convenience stores, to city-wide deployments. An attacker can trigger this vulnerability by crafting a malicious network packet that causes a process to terminate, resulting in a denial of service.

Thursday, May 31, 2018

NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

Executive Summary


Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan that we're calling "NavRAT" is downloaded, which can perform various actions on the victim machine, including command execution, and has keylogging capabilities.

The decoy document is named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on the victim systems. The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT.

This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email. The uploaded file(s) are sent by email, and the downloaded files are retrieved from an email attachment. We have already observed malware using free email platforms for abuse, but this is the first time we have identified a malware that uses Naver — which is known for its popularity in South Korea.

One of the most interesting questions we still have is regarding attribution — and who is behind this malware. Previously, we published several articles concerning Group123 (here, here, here, here and here). We currently assess with medium confidence that this campaign and NavRAT are linked to Group123.

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilites

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

We strongly recommend readers to refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices. Natus has released Neuroworks 8.5 GMA3 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.

Tuesday, May 29, 2018

Beers with Talos EP 30 - VPNFilter, the Unfiltered Story



Beers with Talos (BWT) Podcast Episode 30 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP30 Show Notes: 


Recorded May 25, 2018 - As you can expect, this episode focuses on VPNFilter. We discuss how we got involved, why Talos made the decision to disclose when we did, and we cover many details of the malware itself. There is a lot of background to this ongoing discussion. Take a peek behind the curtain of the defense against this attack as we cover many different aspects of the malware, the attack and the mitigation.

Saturday, May 26, 2018

Threat Roundup for May 18-25



Welcome to Cisco Talos' weekly Threat Roundup, where we go over some of the most prevalent malware and vulnerabilities we've seen over the past week. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, May 23, 2018

New VPNFilter malware targets at least 500K networking devices worldwide




Intro

For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor's widespread use of a sophisticated modular malware system we call "VPNFilter." We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.  In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn't definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don't yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.

This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.

Thursday, May 17, 2018

Beers with Talos EP29 - This is a PSA: Stop Clicking. There is No Prince.



Beers with Talos (BWT) Podcast Episode 29 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP29 Show Notes: 

Recorded May 11, 2018 - First and foremost, we recorded this episode one day before our "birthday." We want to thank everyone, especially the listeners, who have let us do this for the past year, racking up over half a million downloads! In this episode, we welcome special guest Nick Biasini from Talos Outreach. We set out to talk about several topics, but spend most of our time with Nick around the idea of building a stronger culture of cybersecurity and what it will take to get the baseline users on board. We are missing Matt this week, and hope he had an amazing time following the DMB tour up to Burlington, or whatever he was doing.

Wednesday, May 16, 2018

TeleGrab - Grizzly Attacks on Secure Messaging


This post was written by Vitor Ventura with contributions from Azim Khodjibaev

Introduction


Over the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.

While the first version only stole browser credentials and cookies, along with all text files it can find on the system, the second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.
Talos intelligence research allowed the identification of the author behind this malware with high confidence. The author posted several YouTube videos with instructions on how to use the Telegram collected files to hijack Telegram sessions and how to package it for distribution.
The operators of this malware use several pcloud.com hardcoded accounts to store the exfiltrated information. This information is not encrypted, which means that anyone with access to these credentials will have access to the exfiltrated information.

The malware is mainly targeting Russian-speaking victims, and is intentionally avoiding IP addresses related with anonymizer services.

Tuesday, May 15, 2018

Vulnerability Spotlight: Multiple Adobe Acrobat Reader DC Vulnerabilities

Discovered by Aleksandar Nikolic of Cisco Talos

Update 05/15/18: The CVE for TALOS-2018-0517 has been corrected below.

Overview


Today, Talos is releasing details of a new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to return address overwrite which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Friday, May 11, 2018

Threat Roundup for May 04 - 11



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 4 and May 11. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, May 9, 2018

Gandcrab Ransomware Walks its Way onto Compromised Sites

This blog post authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski.

Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. While we've seen cryptocurrency miners overtake ransomware as the most popular malware on the threat landscape, Gandcrab is proof that ransomware can still strike at any time.

While investigating a recent spam campaign Talos found a series of compromised websites that were being used to deliver Gandcrab. This malware is the latest in a long line of examples of why stopping malware distribution is a problem, and shows why securing websites is both an arduous and necessary task. As a clear example of how challenging resolving these issues can be, one of the sites — despite being shut down briefly — was seen serving Gandcrab not once, but twice, over a few days.

Tuesday, May 8, 2018

Wipers - Destruction as a means to an end

This whitepaper post is authored by Vitor Ventura and with contributions from Martin Lee

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose of destroying or disrupting systems and/or data.
Unlike malware that holds data for ransom (ransomware), when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.
Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: Generate social destabilization while sending a public message, while also destroying all traces of their activities.
A wiper's destructive capability can vary, ranging from the overwriting of specific files, to the destruction of the entire filesystem. The amount of data impacted will be a direct consequence of the technique used. Which, of course, will have direct impact on the business — the harder the data/system recovery process becomes, the bigger the business impact.
The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kind of attacks.

Download the full whitepaper here.

Microsoft Patch Tuesday - May 2018

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 67 new vulnerabilities, with 21 of them rated critical, 42 of them rated important, and four rated as low severity. These vulnerabilities impact Outlook, Office, Exchange, Edge, Internet Explorer and more.

In addition to the 67 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180008, which addresses the vulnerability CVE-2018-4944 described in the Adobe security bulletin APSB18-16.


Monday, May 7, 2018

Beers with Talos EP 28 - APT, BGP, RCEs, and an Old RAT



Beers with Talos (BWT) Podcast Episode 28 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP28 Show Notes: 

Recorded April 27 - We have a special guest intro this week, since Mitch came down with a case of "can't speak above a whisper" during production of the episode. We chat about what defines an “APT” — is it the actor, the technical complexity used, or something different altogether? We also discuss the recent BGP attacks — how they work and how you can prepare for them — and the progress of GravityRAT.  Matt has specific feelings about USB-C and his new computer.

Vulnerability Spotlight: MySQL Multi-Master Manager Remote Command Injection Vulnerability

Discovered by Matthew Van Gundy of Asig

Overview


Today, Talos is releasing details of a new vulnerability within MySQL Multi-Master Manager. This is used to perform monitoring, failover and management of MySQL master-master replication configurations. By using MySQL MMM (Multi-Master Replication Manager for MySQL) it ensures that only one node is writeable at a time. Using MySQL MMM an end user can also choose to move their Virtual IP addresses to different servers depending on their replication status.


Friday, May 4, 2018

Threat Round Up for April 27 to May 04


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 27 and May 4. As with previous roundups, this post isn't meant to be an in-depth analysis. We'll summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org or ClamAV.net.

Friday, April 27, 2018

Threat Roundup for April 20-27



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 20 and 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, April 26, 2018

GravityRAT - The Two-Year Evolution Of An APT Targeting India

This blog post is authored by Warren Mercer and Paul Rascagneres.

Update: 4/30 Since the publication of the blog post, one of the anti-VM capability was commented a lot on Twitter: the detection of Virtual Machines by checking the temperature of the system. We decided to add more details and clarifications concerning this feature. GravityRAT uses a WMI request in order to get the current temperature of the hardware. Here is the output of the query on a physical machine (a Surface Book):

The query returns the temperature of 7 thermal zones.
Here is the output on a Virtual Machine executed by Hyper-V on the same hardware:

The feature is not supported. The malware author used this behavior in order to identify VM (such as Sandboxes).

From our tests and the feedback from several researchers, this monitoring is not supported on Hyper-V, VMWare Fusion, VirtualBox, KVM and XEN. It's important to notice that several recent physical systems do not support it (a researcher reported some Lenovo and Dell hosts did not support this). It means that GravityRAT will consider this physical machine as VMs. Importantly to note this check is not foolproof as we have identified physical hosts which do not report back the temperature, however, it should also be considered a check that is identifying a lot of virtual environments. This is particularly important due to the amount of sandboxing & malware detonation being carried out within virtual environments by researchers.



Summary


Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT (Remote Access Tool). In this article, we will discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.

GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We've seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.

Throughout our investigation, we observed several malicious documents used to attack victims, which we will discuss. These malicious documents were used by the developer to run several tests on the popular analysis platform VirusTotal. Using VirusTotal allowed the developer to make changes in an attempt to decrease antivirus detection.

Although GravityRAT has not been previously published or discussed, there was some information from the National Computer Emergency Response Team (CERT) of India describing GravityRAT as being used in targeted attacks against India. Finally, we will discuss specific attribution elements discovered during our research into GravityRAT as we identify specific information, which we believe to be leaked by the developer, such as location, and potentially their first name.

Vulnerability Spotlight: Hyland Perceptive Document Filters Multiple Vulnerabilites

Vulnerabilities discovered by Marcin 'Icewall' Noga from Talos

Overview


Talos has discovered multiple vulnerabilities in Hyland Perceptive Document Filters software. This software is a toolkit that allows developers to read and extract metadata from a file. It supports a large set of common file formats. In addition to this the software is also capable of converting file formats.

We identified 4 vulnerabilities that allows an attacker to execute arbitrary code on the vulnerable systems. These vulnerabilities concerns the file conversion features.

The vulnerabilities can be exploited to locally execute code as well as remotely if the framework is used in batch mode by the owners. In this context, the malicious crafted document could be automatically handled by the toolkit and a successful exploitation could result full control of the vulnerable system. The vulnerable features can be used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats such as Microsoft's document formats into other format (for example easier to be parsed).

Monday, April 23, 2018

Cryptomining Campaign Returns Coal and Not Diamond

Executive summary


Soon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that were tied to Bitvote.

Apart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack.

The payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms.

The campaign was active in February and March, and so far, it has brought limited returns for attackers.

Friday, April 20, 2018

Beers with Talos EP27: Smart Install, Vuln Process Realities, and Professional Wrestling



Beers with Talos (BWT) Podcast Episode 27 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP27 Show Notes: 

Recorded 4/13/18 - We just upgraded all our gear, so naturally we had a straight tech meltdown this week and we saved it the best we could. Matt will sound way better next week. Promise. We cover Smart Installer. Again. But that leads down a discussion of security versus convenience that leads to us discussing the process of vuln disclosure - how vendor discussions, release dates, and policies work in the real world.

Seriously, we grounded Matt’s computer for misbehaving with the audio.

Thursday, April 19, 2018

Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

Overview

Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.  Update to the current version of Foxit PDF Reader.

Details

Vulnerabilities Discovered by Aleksandar Nikolic

TALOS-2017-0506

Updates for BASS

This blog post was authored by Jonas Zaddach and Mariano Graziano.

Cisco Talos has rolled out a series of improvements to the BASS open-source framework aimed at speeding up its ability to provide coverage for new malware families. Talos released BASS, (pronounced "bæs") an open-source framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters, last June. It is meant to reduce the amount of resources required to run ClamAV by producing more pattern-based signatures, as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable, thanks to Docker, an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.




Tuesday, April 17, 2018

Vulnerability Spotlight: Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability

This vulnerability was discovered by Claudio Bozzato of Cisco Talos.

Executive Summary


The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for a variety of uses, including as a home security monitoring device. Talos recently identified 32 vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details of in two blog posts here and here. In continuing our security assessment of these devices, Talos has discovered an additional vulnerability. In accordance with our coordinated disclosure policy, Talos has worked with Foscam to ensure that this issue has been resolved and that a firmware update is made available for affected customers. This vulnerability could be leveraged by an attacker to gain the ability to completely take control of affected devices.

Friday, April 13, 2018

Threat Roundup for April 6 - 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 6 and 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and we will discuss how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

Malware monitor - leveraging PyREBox for malware analysis

This post was authored by Xabier Ugarte Pedrero

In July 2017 we released PyREBox, a Python Scriptable Reverse Engineering Sandbox as an open source tool. This project is part of our continuous effort to create new tools to improve our workflows. PyREBox is a versatile instrumentation framework based on QEMU.

It allows us to run a whole operating system in a virtual environment (emulator), and to inspect and modify its memory and registers at run-time. A small set of QEMU modifications allows users to instrument certain events such as instruction execution or memory read/writes.

On top of this, PyREBox leverages Virtual Machine Introspection techniques to bridge the semantic gap, that is, understanding OS abstractions such as processes, threads, or libraries. You can find the more detailed description of the framework as well as its capabilities in the original blogpost.

In the past few months we have received positive feedback from the community, fixed bugs and added features suggested by the users. We also added support for GNU/Linux guests, and implemented an agent (program run inside the emulated guest) that allows file transfer between a host and a guest, as well as execution of samples in the guest on demand.

As part of this ongoing effort, today we are releasing a set of PyREBox scripts that are designed to aid malware analysis: Malware monitor. These scripts automate different tasks, such as code coverage analysis, API tracing, memory monitoring, and process memory dumping.

Thursday, April 12, 2018

Vulnerability Spotlight: TALOS-2018-0529-531 - Multiple Vulnerabilities in NASA CFITSIO library

Vulnerabilities discovered by Tyler Bohan from Talos


Overview

Talos is disclosing three remote code execution vulnerabilities in the NASA CFITSIO library. CFITSIO is a library of C and Fortran subroutines for reading and writing data files in the Flexible Image Transport System (FITS) data format. FITS is a standard format endorsed by both NASA and the International Astronomical Union for astronomical data.

Specially crafted images parsed via the library can cause a stack-based buffer overflow, overwriting arbitrary data. An attacker can deliver a malicious FIT image to trigger this vulnerability, and potentially gain the ability to execute code.

Wednesday, April 11, 2018

Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities

Discovered by Lilith Wyatt of Cisco Talos

Overview



Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve's award winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. The latest SDL version (2.0.8) can be found here.

Vulnerability Spotlight: Multiple Computerinsel PhotoLine PSD Code Execution Vulnerabilities



Discovered by Tyler Bohan of Cisco Talos

Overview


Today, Cisco Talos is disclosing a vulnerability within Computerinsel PhotoLine's PSD-parsing functionality. Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PSD documents. PSD is a document format used by Adobe Photoshop, and is supported by many third-party applications throughout the industry.

The vulnerability arises in parsing the PSD document. The application takes data directly from the document without verification and uses it to calculate an address. The document has a specially crafted blending channel value leading to this miscalculation. Below is the area of the crash.

Tuesday, April 10, 2018

Microsoft Patch Tuesday - April 2018

Microsoft Patch Tuesday - April 2018


Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 65 new vulnerabilities and one advisory, with 25 of them rated critical, 39 of them rated important and one of them rated moderate. These vulnerabilities impact Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Windows kernel, Windows Hyper-V, Microsoft Scripting Engine and more.

In addition, an update for Adobe Flash Player was released.

IcedID Banking Trojan Teams up with Ursnif/Dreambot for Distribution


Update: 4/11 we have corrected the detection to Ursnif/Dreambot

This post was authored by Ross Gibb with research contributions from Daphne Galme, and Michael Gorelik of Morphisec, a Cisco Security Technical Alliance partner.

Cisco has noticed an increase in infections by the banking trojan IcedID through our Advanced Malware Protection (AMP) system. Security researchers first reported a new banking Trojan known as "IcedID" [1] in November 2017. At the time of discovery, IcedID was being distributed by Emotet, another well-known banking trojan malware. In late February and throughout March 2018, we noticed an increase in infections from IcedID being detected throughout the AMP ecosystem. Like in November 2017, some of the infections could be traced to Emotet, but this time, many detections could instead be traced to emails with attached malicious Microsoft Word documents containing macros. When the malicious documents are opened and the macros are enabled, Ursnif/Dreambot, another trojan, would be downloaded and executed, which subsequently downloads IcedID. In addition to Ursnif/Dreambot, many of the samples downloaded a second payload, a Bytecoin miner (Bytecoin is a crypto currency similar to bitcoin).

Friday, April 6, 2018

Beers with Talos EP26: Talos is Holding a Conference, and the Evolving Battle at the Edge


Beers with Talos (BWT) Podcast Episode 26 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP26 Show Notes: 


Recorded 3/29/18 - Joel is sitting out this week, and Bill Largent from the Outreach team fills in. We are pretty sure he was just running late trying to live on Joel Mean Time which, coincidentally, is now a GitHub project thanks to Moses (link below). We cover a wide range of topics in this episode, so stay with us! We chat about the Talos Threat Research Summit coming in June, we wonder where the carrots to match the sticks in security are, and weigh the value of finding your own damn vulns. The last part of the show starts with discussing GoScanSSH, which ends up being a discussion on the larger battle for the edge.