Wednesday, March 28, 2018

Vulnerability Spotlight: Multiple Vulnerabilities in Allen Bradley MicroLogix 1400 Series Devices

These vulnerabilities were discovered by Jared Rittle and Patrick DeSantis of Cisco Talos.


Rockwell Automation Allen-Bradley MicroLogix 1400 Programmable Logic Controllers (PLCs) are marketed for use in a variety of different Industrial Control System (ICS) applications and processes. As such, these devices are often relied upon for the performance of critical process control functions in many different critical infrastructure sectors. Previously, Cisco Talos released details regarding a vulnerability that was present in these devices. Cisco Talos continued analysis of these devices and discovered additional vulnerabilities that could be leveraged to modify device configuration and ladder logic, write modified program data into the device's memory module, erase program data from the device's memory module, or conduct Denial of Service (DoS) attacks against affected devices. Depending on the affected PLCs within an industrial control process, this could result in significant damages.

Vulnerability Spotlight: Multiple Nvidia D3D10 Driver Pixel Shader Vulnerabilities

Discovered by Piotr Bania of Cisco Talos


Today, Cisco Talos is disclosing multiple vulnerabilities that exist within the Nvidia D3D10 driver. This driver is used throughout multiple GPU product lines available from Nvidia. This is a commonly used driver, and exploitation can even affect VMware, thus giving rise to a potential guest-to-host escape. It is strongly recommended that patches are applied immediately.

Monday, March 26, 2018

Forgot About Default Accounts? No Worries, GoScanSSH Didn’t

This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.

Executive Summary

During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.

Thursday, March 22, 2018

Talos Threat Research Summit at Cisco Live US 2018

Cisco Talos presents a conference by Defenders, for Defenders.

Talos had one goal in mind when creating a brand new conference: Make something that we'd want to attend ourselves. As such, the Talos Threat Research Summit is aimed at being a one-day conference by defenders, for defenders. This summit is designed to assist you in keeping your users and network safer. Our roster of experienced speakers will share their deep expertise in network defense, tracking the bad guys and identifying trends in the threat landscape. The goal of the summit is that you will leave with up-to-date, actionable intel you can take back to your network and use immediately. There are also opportunities for networking with your defense-focused peers and security leaders.

More information, including the agenda and speaker line-up will be released in the coming weeks, so stay tuned!

What: Talos Threat Research Summit
When: June 10, 2018
Where: Hyatt Regency, Orlando, Florida – at Cisco Live!

Tuesday, March 20, 2018

Beers with Talos EP 25: WE'LL DO IT LIVE!!!

Beers with Talos (BWT) Podcast Episode 25 is now available. Download this episode and subscribe to Beers with Talos.

EP25 Show Notes: 

Recorded 3/13/18 - LIVE from San Jose, California. First of all – we still have a podcast and jobs, so ostensibly, we did OK hosting the meeting we talked about last time. There may have even been an award involved, just sayin'.  Since we were all together and we didn’t get fired, we decided to do our podcast live after the meeting for an audience. We are joined by Talos Senior Director Matt Watchinski on this episode, discussing such existential questions as “why security?” and more concrete things like nation state vs. cybercriminal actors and their differing motivations. We also discuss router security and network devices as a preferred attack vector for advanced actors. Special bonus: Matt beats perhaps the last laugh out of the dead horse that is Paul Revere himself. #BeastieBoys #CantBooShowNotes

Tuesday, March 13, 2018

Microsoft Patch Tuesday - March 2018

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 74 new vulnerabilities, with 14 of them rated critical and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, Scripting Engine, Windows Shell and more.

Critical Vulnerabilities

Thursday, March 8, 2018

Beers with Talos EP24: Reflections on DDoS and Bad Authentication Schemes

Beers with Talos (BWT) Podcast Episode 24 is now available. Download this episode and subscribe to Beers with Talos.

EP24 Show Notes: 

Recorded 3/2/18 - Craig is out this week, but the rest of the crew goes through COINHORDER and Memcached, and takes a deeper look at authentication and passwords. We cover an overview of reflection attacks and how some password schemes that are meant to protect, actually cause harm. We also bid you farewell, since our next episode is supposed to be live after the crew hosts a meeting that stands a not-insignificant chance of getting us all fired. Wish us luck — and send us questions that Craig can pose to really important Cisco executives.

Tuesday, March 6, 2018

Gozi ISFB Remains Active in 2018, Leverages "Dark Cloud" Botnet For Distribution

This blog post was authored by Edmund Brumaghin and Holger Unterbrink, with contributions from Adam Weller.

Executive Summary

Gozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Since then, Talos has been monitoring Gozi ISFB activity, and has discovered a series of campaigns over the past six months that have been making use of the elusive "Dark Cloud" botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.

Thursday, March 1, 2018

Vulnerability Spotlight: Simple DirectMedia Layer’s SDL2_Image


Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low-level access to audio, keyboard, mouse, joystick and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games, including Valve's award-winning catalog, and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. Simple DirectMedia Layer has released a new version of SDL2_Image, 2.0.3, to address these issues, which can be downloaded here. Talos recommends installing this update as quickly as possible on affected systems.

Vulnerability Spotlight: Dovecot out-of-bounds Read Vulnerability


Today, Cisco Talos is disclosing a single out-of-bounds read vulnerability in the Dovecot IMAP server. Dovecot is a popular internet message access protocol, or IMAP, server with performance and security-oriented design. It is a popular choice for robust email servers. In accordance with our coordinated disclosure policy, Talos has worked with Dovecot to ensure that this issue has been resolved. Dovecot has released version 2.2.34 to address this issue. Talos recommends installing this update as quickly as possible on affected systems.