Friday, June 29, 2018

Threat Roundup for June 22-29



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 22 and June 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

Today, Talos is disclosing a vulnerability in VMWare Workstation that could result in Denial of Service.  VMWare Workstation is a widely used virtualization platform designed to run alongside a normal operating system, allowing users to use both virtualized and physical systems concurrently.

TALOS-2018-0540

Discovered by a member of Cisco Talos

Wednesday, June 27, 2018

Beers with Talos EP 32 - Live from Orlando Part 2: Take All the Things Off the Internet



Beers with Talos (BWT) Podcast Episode 32 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. 32 show notes: 

Recorded June 13, 2018 — Still live in Orlando, just this time from the lovely lobby bar at the convention center hotel. We are joined by Lurene Grenier to dig a bit deeper on her keynote from the Talos Threat Research Summit. Lurene is here to give you the offensive view of attacking your network. If you want a hot take on defense from someone who is pure offense, well… buckle up and break out your cord-cutting scissors. You are already saying “We can’t do that!” Lurene is telling you that if you decide to take this seriously enough, you can and should.

Tuesday, June 26, 2018

Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor

This blog post was authored by Edmund Brumaghin, Earl Carter and Andrew Williams.

Executive summary


Cisco Talos has analyzed Thanatos, a ransomware variant that is being distributed via multiple malware campaigns that have been conducted over the past few months. As a result of our research, we have released a new, free decryption tool to help victims recover from this malware. Multiple versions of Thanatos have been leveraged by attackers, indicating that this is an evolving threat that continues to be actively developed by threat actors with multiple versions having been distributed in the wild. Unlike other ransomware commonly being distributed, Thanatos does not demand ransom payments to be made using a single cryptocurrency like bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

Additionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are unable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is accidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor. In response to this threat, Talos is releasing ThanatosDecryptor, a free decryption tool that exploits weaknesses in the design of the file encryption methodology used by Thanatos. This utility can be used by victims to regain access to their data if infected by this ransomware.

Friday, June 22, 2018

Threat Roundup for June 16-22



As usual, we are bringing you the weekly Threat Roundup to highlight the most prevalent threats we've seen between June 15 and 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos EP31 - Live from Cisco Live! - VPNFilter and Our First Summit Recap



Beers with Talos (BWT) Podcast Episode 31 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

EP31 Show Notes: 

Recorded June 12, 2018 — This is a special episode for two reasons! To start, we recorded this live in one take from CiscoTV Studio B at Cisco Live! in Orlando, Florida — which leads to the second reason, there is video of this episode in the show notes below. Join us as we cover the VPNFilter update Talos released June 6, and we recap the inaugural Cisco Talos Threat Research Summit.

Ed. Note - This is what no content editing looks like...

Wednesday, June 20, 2018

My Little FormBook

This blog post is authored by Warren Mercer and Paul Rascagneres.

Summary


Cisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that utilizes four different malicious documents in a single phishing email. FormBook is an inexpensive stealer available as "malware as a service." This means an attacker can purchase a compiled piece of malware based on their desired parameters. This is commonplace with crimeware and stealer type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots.

Tuesday, June 19, 2018

Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub


Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution, to denial of service. The majority of the vulnerabilities have their root cause in the unsafe usage of the strcpy() function, leading either to stack overflow or global overflow.

Friday, June 15, 2018

Threat Roundup for June 1-15



Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 01 and June 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 14, 2018

Vulnerability Spotlight: TALOS-2018-0523-24 - Multiple Vulnerabilities in Pixars Renderman application

Vulnerabilities discovered by Tyler Bohan from Talos


Overview


Talos is disclosing two denial-of-service vulnerabilities in Pixar’s Renderman application. Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation during the parsing process of network packets.

Pixar remedied  these vulnerabilities in RenderMan version 21.7

Wednesday, June 13, 2018

Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability

Vulnerabilities discovered by Marcin Noga from Talos

Overview


Talos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could be able to execute malicious code with the same access rights as the logged-in user, or just crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file — at least not without registering a file-handler first. This vulnerability was assigned CVE-2018-8210 and a security patch was released as part of the June 2018 Microsoft Patch Tuesday release. The Microsoft advisory can be found here.

Tuesday, June 12, 2018

Microsoft Patch Tuesday - June 2018

Executive Summary


Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated "critical," and 39 rated "important." These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.

In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin.

Wednesday, June 6, 2018

VPNFilter Update - VPNFilter exploits endpoints, targets new devices





Introduction



Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we've discovered an additional stage 3 module that provides any stage 2 module that lacks the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

Finally, we've conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

Tuesday, June 5, 2018

Talos Threat Research Summit Guide and Cisco Live Preview


The first Cisco Talos Threat Research Summit is coming up at Cisco Live! in Orlando, so we are providing a quick guide to all the activities going on at the summit and beyond. The response to the summit was stronger than we could have anticipated for the first year - it sold out fast!  Next time, we definitely need a bigger boat. Whether or not you have a ticket to the summit, read on for a guide of how to stay on top of what's happening in Orlando, and how you can connect with the events Talos is holding around Cisco Live! 2018.

Vulnerability Spotlight: TALOS-2018-0535 - Ocularis Recorder VMS_VA Denial of Service Vulnerability

Vulnerabilities discovered by Carlos Pacho from Talos


Overview

Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of settings, from convenience stores, to city-wide deployments. An attacker can trigger this vulnerability by crafting a malicious network packet that causes a process to terminate, resulting in a denial of service.