Tuesday, July 31, 2018

Multiple Cobalt Personality Disorder

Introduction

Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations.

Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis.

Friday, July 27, 2018

Threat Roundup for July 20-27


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between July 20 and 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post isn't exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 26, 2018

Beers with Talos EP 34: Click Here to Assign New Mobile Device Owner



Beers with Talos (BWT) Podcast Ep. #34 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. #34 show notes: 

Recorded July 20, 2018 — This week, we touch on several topics, but we spend the lion’s share of the episode discussing the mobile device management (MDM) campaign we've been following. We are joined by Aaron Woland and spend a great deal of time discussing how these attacks work and how they happen to users of devices across multiple platforms. We talk about the differences in how MDM is handled across different OS flavors, and the similarities in how the attacks happen (hint: users ignoring the warnings).

Vulnerability Spotlight: Multiple Vulnerabilities in Samsung SmartThings Hub

These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.

Executive Summary

Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub. In accordance with our coordinated disclosure policy, Cisco Talos has worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers. These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.

The SmartThings Hub is a central controller that monitors and manages various internet-of-things (IoT) devices such as smart plugs, LED light bulbs, thermostats, cameras, and more that would typically be deployed in a smart home. The SmartThings Hub functions as a centralized controller for these devices and allows users to remotely connect to and manage these devices using a smartphone. The firmware running on the SmartThings Hub is Linux-based and allows for communications with IoT devices using a variety of different technologies such as Ethernet, Zigbee, Z-Wave and Bluetooth.

Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability to obtain access to this information, monitor and control devices within the home, or otherwise perform unauthorized activities. Some example scenarios are listed below:

  • Smart locks controlled by the SmartThings Hub could be unlocked, allowing for physical access to the home.
  • Cameras deployed within the home could be used to remotely monitor occupants.
  • The motion detectors used by the home alarm system could be disabled.
  • Smart plugs could be switched off or on, affecting whatever appliances are connected to them.
  • Thermostats could be controlled by unauthorized attackers.
  • Attackers could cause physical damage to appliances or other devices that may be connected to smart plugs deployed within the smart home.

Given the wide range of possible deployments of these devices, this is not a complete list of different scenarios. Cisco Talos recommends ensuring that affected SmartThings Hubs are updated to the latest version of firmware to ensure that these vulnerabilities are addressed.

Wednesday, July 25, 2018

Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2

This blog post is authored by Warren Mercer, Paul Rascagneres and Andrew Williams.

Summary

Since our initial post on malicious mobile device management (MDM) platforms, we have gathered more information about this actor that we believe shows it is part of a broader campaign targeting multiple platforms. These new targets include Windows devices and additional backdoored iOS applications. We also believe we have associated this actor with a very similar campaign affecting Android devices.

With this additional information, we have been able to build a profile of how the MDM was working, as explained in the previous post, while also allowing us to identify new infrastructure. We feel that it is critical that users are aware of this attack method, as well-funded actors will continue to utilize MDMs to carry out their campaigns. To be infected by this kind of malware, a user needs to enroll their device, which means they should be on the lookout at all times to avoid accidental enrollment.

In the new MDM we discovered, the actor changed some of their infrastructure in an attempt to improve the MDM's security posture. We also found additional compromised devices, which were again located in India, with one even using the same phone number linking the MDM platforms, and one located in Qatar. We believe this newer version was used from January to March 2018. Similar to the previous MDM, we were able to identify the IPA files the attacker was using to compromise iOS devices. Additionally, we discovered that malicious apps such as WhatsApp had new malicious methods tacked onto them.

During this ongoing analysis, we also looked into other potential indicators that would point us toward the actor. We discovered this Bellingcat article that potentially links this actor to one they dubbed "Bahamut," an advanced actor who was previously targeting Android devices. Bahamut shared a domain name with one of the malicious iOS applications mentioned in our previous post. There was also a separate post from Amnesty International discussing a similar actor that used similar spear-phishing techniques to Bahamut. However, Cisco Talos did not find any spear phishing associated with this campaign. We will discuss some links and potential overlapping with these campaigns below.

Monday, July 23, 2018

TalosIntelligence.com is rolling out a new dispute system

At Cisco Talos, we need customers to be able to provide feedback at all times, whether it be about false positives, false negatives, or missed categories. Because we deal with an abundance of data across our platforms — such as IPS alerts, AMP alerts and more — feedback helps us test the efficacy of those alerts and systems promptly.

Today, there are several ways of doing this: calling Cisco Support (aka TAC), submitting a dispute through Talosintelligence.com, or securityhub.cisco.com, plus a myriad of other ways — each winding up in a different “system” for Talos to deal with on our side. The days of that confusion are numbered.

We’ve been silently working on a streamlined experience, not only for the customers but for our workflow as well. We asked ourselves the question, “What is the easiest way we can enable a customer to get disputes to us, deal with it the fastest way possible, and get that information back to the customer in the most efficient manner?”

Friday, July 20, 2018

Threat Roundup for July 13-20


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between July 13 and 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, we will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Vulnerability Spotlight: Multiple Vulnerabilities in Sony IPELA E Series Camera

Vulnerabilities discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos.

Overview

Today, Cisco Talos is disclosing several vulnerabilities discovered with the Sony IPELA E Series Network Camera. Sony IPELA Cameras are network-facing cameras used for monitoring and surveillance.

Thursday, July 19, 2018

Blocking Cryptocurrency Mining Using Cisco Security Products


Cisco Talos is releasing a whitepaper addressing cryptocurrency mining and all the ways to block it using Cisco Security products. The value of cryptocurrencies has fluctuated wildly, but it is still high enough to garner a lot of attention, both legitimate and malicious. Most of the malicious activity we see is done for financial gain, and cryptocurrencies have provided attackers with a lucrative new avenue to pursue: cryptocurrency mining.

Over the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. This threat is spreading across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. That doesn't include the quasi-legitimate in-browser mining that is becoming increasingly common.

Vulnerability Spotlight: Foxit PDF Reader JavaScript Remote Code Execution Vulns

Overview

Discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing a pair of vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

TALOS-2018-0588


Vulnerability Spotlight: Multiple Vulnerabilities in ACD Systems Canvas Draw 4

These vulnerabilities were discovered by Tyler Bohan of Cisco Talos.

Today, Talos is disclosing several vulnerabilities that have been identified in the Canvas Draw graphics editing tool for Mac.

Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.


Sunday, July 15, 2018

Beers with Talos EP33 - Change the Conversation or the People Having It?



Beers with Talos (BWT) Podcast Episode 33 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

Ep. 33 show notes: 

Recorded July 6, 2018 - This episode is a bit less technical than most, as we discuss how the conversation around security is unfolding and who is a part of it. Coincidentally (we promise), that dovetails with Matt’s contention that everybody just needs to stop acting with unending self-interest. Once again, Craig goes on vacation and all hell breaks loose, giving birth to a new concept in ransomware — send us Bitcoin or we send Craig to a remote island for a month. Also, we are going to be doing a live episode from BlackHat! The registration link is below.

Friday, July 13, 2018

Threat Roundup for July 6-13


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between July 6 and 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is not exhaustive and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 12, 2018

Advanced Mobile Malware Campaign in India uses Malicious MDM

This blog post is authored by Warren Mercer, Paul Rascagneres and Andrew Williams.

Summary

Cisco Talos has identified a highly targeted campaign against 13 iPhones that appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks, the victim is tricked into clicking "accept" or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.

An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.

Wednesday, July 11, 2018

Vulnerability Spotlight: Computerinsel Photoline Multiple Vulnerabilities

Vulnerabilities discovered by Tyler Bohan of Cisco Talos.

Overview

Today, Cisco Talos is disclosing several vulnerabilities in Computerinsel Photoline. Photoline is an image-processing tool used to modify and edit images, as well as other graphic-related material. This product has a sizable user base and is popular in the graphic design field. The vulnerabilities are present in the parsing functionality of the software.

Tuesday, July 10, 2018

Vulnerability Spotlight: Multiple Antenna House Vulnerabilities

Discovered by Marcin Noga of Cisco Talos.

Overview

Cisco Talos has identified six vulnerabilities in the Antenna House Office Server Document Converter (OSDC). These vulnerabilities can be used to remotely execute code on a vulnerable system. Antenna House Office Server Document Converter is a product designed to convert Microsoft Office documents into PDF and SVG documents.

The vulnerabilities can be exploited to execute code locally, or even remotely if the owners run the product in batch mode. In that setting, a maliciously crafted document could be processed automatically by the product, and successful exploitation could result in full control of the vulnerable system.

The six vulnerabilities can be exploited by a specially crafted Microsoft Office document.

Microsoft Patch Tuesday - July 2018

Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month's release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact the Windows operating system, Edge, Internet Explorer and more.

In addition to the 53 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180017, which addresses the vulnerabilities described in the Adobe security bulletin APSB18-24.

Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilities

Discovered by Aleksandar Nikolic of Cisco Talos.

Overview

Today, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually the default PDF reader on systems, and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

TALOS-2018-0569 - Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability (CVE-2018-12812)


Friday, July 6, 2018

Threat Roundup for June 29 to July 6th


Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between June 29 and July 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, July 3, 2018

Smoking Guns - Smoke Loader learned new tricks

This post is authored by Ben Baker and Holger Unterbrink.

Overview

Cisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to load other malware — for the past several months following an alert from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but further analysis of the Smoke Loader sample from this malware chain revealed some developments that intrigued us. This includes one of the first uses of the PROPagate injection technique in real-world malware. Apart from a report released at the end of last week describing a different RIG Exploit Kit-based campaign, we haven’t seen real-world malware using this technique.