Friday, December 21, 2018

Threat Roundup for Dec. 14 to Dec. 21


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 14 and Dec. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Submissions for talks at the 2019 Talos Threat Research Summit are now open




When Cisco Talos launched the first ever Talos Threat Research Summit last year, we never could have anticipated how popular it would be. Tickets sold out quickly, and our inaugural Talos-backed conference was packed in the days leading up to Cisco Live. This year, we are bringing back the Threat Research Summit, and making it even bigger.

Thursday, December 20, 2018

Year in Malware 2018: The most prominent threats Talos tracked this year



It was easy to see a wild year coming in cybersecurity. It started with a bang, with Olympic Destroyer targeting the Winter Olympics in February in an attempt to disrupt the opening ceremonies. Things only got crazier from there, with cryptocurrency miners popping up everywhere, and VPNFilter taking the world by storm over the summer. There was never a shortage of cybersecurity news this year, and Talos was there to dissect all of it. As the year wraps up, here’s a look back on the most prominent malware we discovered and the major trends we saw — some of which we expect to continue into 2019. Take a look below for our malware Year in Review, as well as a timeline of the major attacks Talos discovered this year.

Wednesday, December 19, 2018

Microsoft Patches Out-of-Band Internet Explorer Scripting Engine Vulnerability After Exploitation Detected in the Wild

Overview

Microsoft released an out-of-band (OOB) patch on Wednesday related to a vulnerability in the scripting engine of Internet Explorer. This particular vulnerability is believed to be actively exploited in the wild and should be patched immediately.

This remote code execution bug lies in the way that Internet Explorer's scripting engine handles objects in memory. Triggering this vulnerability can corrupt memory in such a way to allow arbitrary code execution using the current user's rights. This vulnerability can be triggered in a variety of ways, including via a specially crafted web page that a user visits. The full details of the vulnerability can be found here.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORT® rules that detect attempts to exploit them as well as coverage via AMP. Please note that additional SNORT® rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 48699 - 48702.

AMP coverage




Tuesday, December 18, 2018

As Cryptocurrency Crash Continues, Will Mining Threat Follow?

Post authored by Nick Biasini.

Executive Summary

As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it's safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.

Malicious cryptocurrency mining was the new payload of choice for adversaries, with its recurring revenue dislodging the lump-sum payouts of threats like ransomware from atop the threat landscape.

But the sudden collapse of the market, after a gradual decline, raises the question about how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn't seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries have shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we've seen recently from some well-known actors who have a history with cryptocurrency mining.

After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it's likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it's not going away — at least not yet.

Connecting the dots between recently active cryptominers

Post authored by David Liebenberg and Andrew Williams.

Executive Summary

Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors, and that this activity has netted them hundreds of thousands of U.S. dollars combined.

This blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.

We will cover the recent activities of these actors:
  • Rocke: A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.
  • 8220 Mining Group: Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.
  • Tor2Mine: A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).

These groups have used similar TTPs, including:
  • Malicious shell scripts masquerading as JPEG files with the name "logo*.jpg" that install cron jobs and download and execute miners.
  • The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.
  • Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.
  • Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
  • Tools such as XHide Process Faker, which can hide or change the name of Linux processes, and PyInstaller, which can convert Python scripts into executables.

We were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in.

Friday, December 14, 2018

Beers with Talos EP 43: Espionage, Encryption, and CISO Square One



Beers with Talos (BWT) Podcast Ep. #43 is now available.

Ep. #43 show notes: 

Recorded Dec. 7, 2018.

Several of us are under the weather, but the show must go on. We did our best, as always. After running through some recent research, we spend a good bit of this EP looking through the lens of a recent breach at the first things a new security leader should get a handle on - what questions need to be answered? What information and practices are day-1 vital? We wrap up taking a look at a slew of vulns Talos uncovered in secure messaging apps.

Bitcoin Bomb Scare Associated with Sextortion Scammers

This blog was written by Jaeson Schultz.

Organizations across the country are on edge today after a flurry of phony bomb threats hit several public entities Thursday, such as universities, schools and news outlets, among others. The attackers distributed malicious emails claiming to have placed some type of explosive materials in the recipient's building. The emails stated the attackers would detonate these explosives unless the victim made a Bitcoin payment of several thousand dollars.

Cisco Talos discovered that this campaign is actually an evolution of sextortion and extortion attacks that we reported on in October. The claims in the emails we've seen from this actor are completely false, yet they have caused untold amounts of damage as organizations have evacuated buildings and called upon law enforcement to investigate.


An example of the malicious, phony emails that attackers sent out to organizations across the U.S. yesterday.


Threat Roundup for Dec. 7 to Dec. 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 07 and Dec. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Cisco Coverage for Shamoon 2 & 3

Update Dec. 14, 2018 10:30 CST: Added new Shamoon 3 IOCs

Shamoon is a type of destructive malware that we've been tracking since 2012 and that has previously been associated with attacks against various organizations in the oil and gas industry. A new variant of this threat, identified as Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected.

On Dec. 10, Talos observed a new Shamoon 3 variant (c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many of the characteristics of the Shamoon 2 variant. Talos once again responded to ensure our customers are protected with all the existing coverage mechanisms. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

Propagation

Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization-specific, belonging to individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.

Tuesday, December 11, 2018

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability


Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Executive summary

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.

The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.

For coverage of these vulnerabilities, check out our Snort blog post on this week's rule update.

Monday, December 10, 2018

in(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal

This blog post is authored by Vitor Ventura.

Executive summary


Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed "secure instant messaging applications." These apps claim to encrypt users' messages and keep their content secure from any third parties.

However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they are meant to keep, putting users' confidential information at risk.

This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties. These apps, which have countless users, cannot assume that their users are security-educated and understand the risk of enabling certain settings on their device. As such, they have an obligation to explain the risks to users, and when possible, adopt safer defaults in their settings. In this post, we will show how an attacker could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to. This post will dive into the ways in which these apps handle users' data. It will not include deep technical analysis of these companies' security.

Friday, December 7, 2018

Threat Roundup for Nov. 30 to Dec. 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 30 and Dec. 07. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Tuesday, December 4, 2018

An introduction to offensive capabilities of Active Directory on UNIX

Tim Wadhwa-Brown of Portcullis Labs authored this post.

In preparation for our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises' Active Directory forests.


Monday, December 3, 2018

Vulnerability Spotlight: Netgate pfSense system_advanced_misc.php Multiple Command Injection Vulnerabilities


Brandon Stultz of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing a command injection vulnerability in Netgate pfSense system_advanced_misc.php powerd_normal_mode. pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Netgate to ensure that these issues are resolved and that an update is available for affected customers.