Friday, March 22, 2019

Threat Roundup for March 15 to March 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 15 and March 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 22)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Wednesday, March 20, 2019

Ransomware or Wiper? LockerGoga Straddles the Line

Executive Summary

Ransomware attacks have been in the news with increased frequency over the past few years. This type of malware can be extremely disruptive and even cause operational impacts in critical systems that may be infected. LockerGoga is yet another example of this sort of malware. It is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals. Cisco Talos has also seen wiper malware impersonate ransomware, such as the NotPetya attack.

Earlier versions of LockerGoga leverage an encryption process to remove the victim's ability to access files and other data that may be stored on infected systems. A ransom note is then presented to the victim that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted. Some of the later versions of LockerGoga, while still employing the same encryption, have also been observed forcibly logging the victim off of the infected systems and removing their ability to log back in to the system following the encryption process. The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands. These later versions of LockerGoga could then be described as destructive.

While the initial infection vector associated with LockerGoga is currently unknown, attackers can use a wide variety of techniques to gain network access, including exploiting unpatched vulnerabilities and phishing user credentials. Expanding initial access into widespread control of the network is facilitated by similar techniques with stolen user credentials being an especially lucrative vector to facilitate lateral movement. For example, the actors behind the SamSam attacks leveraged vulnerable servers exposed to the internet as their means of obtaining initial access to environments they were targeting.

Beers with Talos Ep. #49: POS Malware, RSA Highlights, and SOL OpSec Fails



Beers with Talos (BWT) Podcast Ep. #49 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 15, 2019. We recorded this after coming back from RSA, with some on-location highlights included. This episode opens a bit more thought-provoking than we typically do, and we move toward discussing point-of-sale malware like Glitch. After the RSA highlights, we discuss OpSec fails, and Nigel becomes a Burning Man convert after learning there are people there on drugs with rockets that he watches for fun.

Tuesday, March 19, 2019

Vulnerability Spotlight: Multiple Vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud


Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

 

Executive summary


CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CUJO AI to ensure that these issues are resolved and that a firmware update is available for affected customers. In most typical scenarios the firmware update process is handled by CUJO AI, allowing this update to be deployed to affected customers automatically. Given that these devices are typically deployed to provide protection for networked environments, it is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.

Monday, March 18, 2019

IPv6 unmasking via UPnP


Martin Zeiser and Aleksandar Nikolich authored this post.


Executive summary


With tools such as ZMap and Masscan and general higher bandwidth availability, exhaustive internet-wide scans of full IPv4 address space have become the norm after it was once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.

Friday, March 15, 2019

Threat Roundup for March 8 to March 15


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 08 and March 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 15)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Wednesday, March 13, 2019

GlitchPOS: New PoS malware for sale



Warren Mercer and Paul Rascagneres authored this post with contributions from Ben Baker.

Executive summary


Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately use that information for financial gain. This type of malware is generally deployed on retailers' websites and retail point-of-sale locations with the goal of tracking customers' payment information. If they successfully obtain credit card details, they can use either the proceeds from the sale of that information or use the credit card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about in terms of segregation and can represent a soft target for attackers. Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum. Our researchers also discovered the associated payloads with the malware, its infrastructure and control panel. We assess with high confidence that this is not the first malware developed by this actor. A few years ago, they were also pushing the DiamondFox L!NK botnet. Known as "GlitchPOS," this malware is also being distributed on alternative websites at a higher price than the original.

The actor behind this malware created a video, which we embedded below, showing how easy it is to use it. This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet.

Tuesday, March 12, 2019

Microsoft Patch Tuesday — March 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.

This month’s security update covers security issues in a variety of Microsoft’s products, including the VBScript scripting engine, Dynamic Host Configuration Protocol and the Chakra scripting engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Vulnerability Spotlight: Privilege escalation bug in CleanMyMac X's helper service


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive summary

CleanMyMac X contains a privilege escalation vulnerability in its helper service due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. CleanMyMac X is an all-in-one cleaning tool for Macs from MacPaw. The application scans through the system and user directories looking for unused and leftover files and applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.

Friday, March 8, 2019

The sights and sounds of Cisco Talos at RSA 2019


An estimated 45,000 people attended this year’s RSA Conference in San Francisco to hear talks from some of the greatest minds in security.

As always, Cisco and Talos had a massive presence at the conference, topping off the week with a keynote address featuring Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, a senior vice president and general manager of Cisco’s Internet-of-things business group.

Blue and orange Snorts could be seen all over the conference floor, and our researchers spent the past few days speaking at the Cisco Security booth, discussing some of the latest and most pressing threats.

Threat Roundup for Mar. 1 to Mar. 8

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 1 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 8)



Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Thursday, March 7, 2019

Vulnerability Spotlight: Multiple local vulnerabilities in Pixar Renderman


Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary

The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root.

Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Pixar to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, March 5, 2019

Cisco, Talos tout importance of IoT security at RSA keynote

Matt Watchinski, the vice president of Cisco Talos, delivers a keynote address at the RSA Conference in San Francisco on Tuesday.

By Jonathan Munshaw of Cisco Talos and Liza Meak of The Network, Cisco’s technology news site.

By 2020, Gartner predicts 20 billion connected devices will be online — and more devices mean more security threats. Connected devices have exploded into the public and corporate landscape, rattling the bars of the cyber security cage.

In a keynote address at the RSA Conference in San Francisco, Matt Watchinski, the vice president of Cisco Talos, said the growing prevalence of these devices has made them an urgent priority to protect them from attackers. Liz Centoni, the senior vice president of Cisco’s IoT (internet-of-things) Business Group, presented along with Watchinski.

Beers with Talos Ep. #48: Loaders or trojans, plus an RSA preview



















Beers with Talos (BWT) Podcast Ep. #48 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.

March 1, 2019 - This is a super short episode. We are trying to get it out in time for RSA and Matt is MIA today. We are covering the basics of loaders (and the difference between loaders and trojans). We also talk about some RSA activities we have coming up this week at the conference out in San Francisco.

Friday, March 1, 2019

Threat Roundup for Feb. 22 to March 1


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 22 and March 01. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 1)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Thursday, February 28, 2019

Vulnerability Spotlight: Remote code execution vulnerability in Antenna House Rainbow PDF Office Server Document Converter


Emmanuel Tacheau of Cisco Talos discovered this vulnerability.


Executive summary

Antenna House Rainbow PDF Office Server Document Converter contains a heap overflow vulnerability that could allow an attacker to remotely execute code on the victim machine. Rainbow PDF is a software solution that converts Microsoft Office documents into a PDF. This specific flaw lies in the way the software converts PowerPoint files into PDFs.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Antenna House to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, February 26, 2019

Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters




Christopher Evans of Cisco Talos conducted the research for this post.

Executive Summary


Cisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads.

Beers with Talos Ep. #47: Privacy, Underwear, and Arias




Beers with Talos (BWT) Podcast Ep. #47 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #47 show notes: 

Recorded Feb. 15, 2019

We are joined by special guest Michelle Dennedy, a vice president and the chief privacy officer at Cisco. This is a long episode that is worth every minute — covering everything from the modern privacy landscape, privacy as a fundamental human right, and all the ways you didn’t know underwear can protect you. We were a bit concerned about having a VP on, but after Michelle knocked us around a bit we figured out what was up. However, if this is the last EP you see listed, I think we all know what happened.

Friday, February 22, 2019

Threat Roundup for Feb. 15 to Feb. 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 15 and Feb. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (Feb. 22)



Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • U.S. officials charged a former member of the Air Force with defecting in order to help an Iranian cyber espionage unit. The Department of Justice say the woman collected information on former colleagues, and then the Iranian hackers attempted to target those individuals and install spyware on their computers.
  • The U.S. Department of Justice is dismantling two task forces aimed at protecting American elections. The groups were originally created after the 2016 presidential election to prevent foreign interference but after the 2018 midterms, the Trump administration shrunk their sizes significantly. 
  • Facebook and the U.S. government are closing in on a settlement over several privacy violations. Sources familiar with the discussions say it will likely result in a multimillion-dollar fine, likely to be the largest the Federal Trade Commission has ever imposed on a technology company. 

From Talos


  • There’s been a recent uptick in the Brushaloader infections. While the malware has been around since mid-2018, this new variant makes it more difficult than ever to detect on infected machines. New features include the ability to evade detection in sandboxes and the avoidance of anti-virus protection. 
  • New features in WinDbg makes it easier for researchers to debug malware. A new JavaScript bridge brings WinDbg in line with other modern programs. Cisco Talos walks users through these new features and shows off how to use them. 

Malware roundup


  • Google says it’s stepping up its banning of malicious apps. The company says it’s seen a 66 percent increase in the number of apps its banned from the Google Play store over the past year. Google says it scans more than 50 billion apps a day on users’ phones for malicious activity. 
  • A new campaign using the Separ malware is attempting to steal login credentials at large businesses. The malware uses short scripts and legitimate executable files to avoid detection. 
  • A new ATM malware called "WinPot" turns the machines into "slot machines." This allows hackers to essentially gamify ATM hacking, randomizing how much money the machine dispenses. 

The rest of the news


  • The U.S. is reviving a secret program to carry out supply-chain attacks against Iran. The cyber attacks are targeted at the country’s missile program. Over the past two months, two of Iran’s efforts to launch satellites have failed within minutes, though it’s difficult to assign those failures to the U.S. 
  • Australia says a “sophisticated state actor” carried out a cyber attack on its parliament. The ruling Liberal-National coalition parties say their systems were compromised in the attack. Since then, the country says it’s put “a number of measures” in place to protect its election system. 
  • Cisco released security updates for 15 vulnerabilities. Two critical bugs could allow attackers to gain root access to a system, and a third opens the door for a malicious actor to bypass authentication altogether. 
  • Facebook keeps a list of users that it believes could be a threat to the company or its employees. The database is made up of users who have made threatening posts against the company in the past. 


Wednesday, February 20, 2019

Combing Through Brushaloader Amid Massive Detection Uptick


Nick Biasini and Edmund Brumaghin authored this blog post with contributions from Matthew Molyett.

Executive Summary


Over the past several months, Cisco Talos has been monitoring various malware distribution campaigns leveraging the malware loader Brushaloader to deliver malware payloads to systems. Brushaloader is currently characterized by the use of various scripting elements, such as PowerShell, to minimize the number of artifacts left on infected systems. Brushaloader also leverages a combination of VBScript and PowerShell to create a Remote Access Trojan (RAT) that allows persistent command execution on infected systems.

Brushaloader is an evolving threat that is being actively developed and refined over time as attackers identify areas of improvement and add additional functionality. We have identified multiple iterations of this threat since mid-2018. Most of the malware distribution activity that we observe associated with Brushaloader leverages malicious email campaigns targeting specific geographic regions to distribute various malware payloads, primarily Danabot. Danabot has already been described in detail here and here, so this post will focus on the analysis of Brushaloader itself. Talos has recently identified a marked increase in the quantity of malware distribution activity associated with Brushaloader, as well as the implementation of various techniques and evasive functionality that has resulted in significantly lower detection rates, as well as sandbox evasion.

The advanced command-line auditing and reporting available within ThreatGrid make analyzing threats such as Brushaloader much more efficient. Threats such as Brushaloader demonstrate the importance of ensuring that PowerShell logging is enabled and configured on endpoints in most corporate environments.

Monday, February 18, 2019

JavaScript bridge makes malware analysis with WinDbg easier

Introduction

As malware researchers, we spend several days a week debugging malware in order to learn more about it. We have several powerful and popular user mode tools to choose from, such as OllyDbg, x64dbg, IDA Pro and Immunity Debugger.

All these debuggers utilize some scripting language to automate tasks, such as Python or proprietary languages like OllyScript. When it comes to analyzing in kernel mode, there is really one option: Windows debugging engine and its interfaces CDB, NTSD, KD and WinDbg.

Friday, February 15, 2019

Threat Roundup for Feb. 8 to Feb. 15


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 08 and Feb. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (Feb. 15, 2019)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement. 
  • Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
  • Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device. 

From Talos


  • Microsoft released its monthly security update this week, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player. 
  • Adobe released security updates for several of its products, including Flash and Acrobat Reader. Cisco Talos specifically discovered a critical remote code execution vulnerability in Adobe Acrobat Reader DC. An attacker could cause a heap overflow by tricking the user into opening a specially crafted PDF, which would allow the attacker to gain code execution privileges. 
  • A new tool from Talos can allow you to study the effect of cyber attacks on oil pump jacks. We released a 3-D printed, small-scale model of a pump jack that can be “hacked” from a smartphone, causing it to eventually overheat. We’ll also be taking this exhibit on the road over the course of the year. 

Malware roundup


  • A new variant of the Astaroth trojan is targeting Brazil via multiple spam campaigns. Once infected, the malware can steal users’ personal information and uses several deobfuscation techniques to make it more difficult to detect. The spam emails are also hitting users in parts of Europe.
  • Credit unions across the U.S. received phishing emails last week targeting anti-money laundering efforts. The phony emails claim to have information on unauthorized wire transfers and ask them to open a PDF that displays the alleged transaction and contains a link to a malicious web page. The attackers used information that’s believed to only be available to the National Credit Union Administration.
  • Google removed a cryptocurrency-stealing malware from its store. The malicious app disguised itself as the legitimate MetaMask service. Once downloaded, it would steal login credentials to steal users’ Ethereum funds. 

The rest of the news


  • Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
  • India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
  • Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.  


Thursday, February 14, 2019

Beers with Talos Ep. #46 - Privacy Pwnd: ExileRAT and Collecting Bad Karma




Beers with Talos (BWT) Podcast Ep. #46 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #46 show notes: 

Recorded Feb. 1, 2019

Today we discuss threats that bridge the gap between violating privacy and classic cybersecurity threats - malware and systems that are tracking voices of dissent and using their own devices as recon tools against them. The two cases cited in this EP are ExileRAT, a trojan delivered via malicious Office docs targeting supporters of the Tibetan government-in-exile; and Karma, a zero-touch toolkit used by at least one nation-state to remotely surveil essentially all the valuable data in their targets iPhones. We are going to continue this topic on the next episode as we continue to dig deeper into the idea of privacy as a fundamental human right with a very special guest (hint: it’s Michelle Dennedy) so make sure to catch the next EP as well.

Tuesday, February 12, 2019

Microsoft Patch Tuesday — February 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.” This release also includes a critical security advisory regarding a security update to Adobe Flash Player

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine and the Internet Explorer and Exchange web browsers. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability


Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Executive summary

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Monday, February 11, 2019

What you can learn from Cisco Talos’ new oil pumpjack workshop

Paul Rascagneres wrote this blog post with contributions from Patrick DeSantis from Cisco Talos ARES (Advanced Research/Embedded Systems).

Executive summary


Every day, more industrial control systems (ICS) become vulnerable to cyber attacks. As these massive, critical machines become more interconnected to networks, it increases the ways in which attackers could disrupt their operations and makes it tougher for those who protect organizations' networks to cover all possible attack vectors. To demonstrate how these ICSs interact with a network, we are releasing a model of a 3-D printed oil pumpjack connected to a simulated programmable logic controller (PLC) supporting two industrial protocols. Throughout the year, Talos will have this model at several workshops where attendees can try it out for themselves. For convenience, we are also providing the blueprints and code to even test this out for yourself at home.


We are releasing the 3-D printed model of the pumpjack, the Arduino source code (including the Modbus over TCP and the EtherNet/IP protocols), as well as the code for the human-machine interface (HMI) to control the pump over a network.

Friday, February 8, 2019

Threat Roundup for Feb. 1 to Feb. 8


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 01 and Feb. 08. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (Feb. 8)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Wednesday, February 6, 2019

2018 in Snort Rules

This blog post was authored by Benny Ketelslegers of Cisco Talos

The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to cryptocurrency miners. Talos researchers identified APT campaigns including VPNFilter, predominantly affecting small business and home office networking equipment, as well as Olympic Destroyer, apparently designed to disrupt the Winter Olympics.

But these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. In this post, we'll review some of the findings created by investigating the most frequently triggered SNORTⓇ rules as reported by Cisco Meraki systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware.

Monday, February 4, 2019

ExileRAT shares C2 with LuckyCat, targets Tibet

Warren Mercer, Paul Rascagneres and Jaeson Schultz authored this post.

Executive summary

Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile. The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document. In our case, we received an email message from the CTA mailing list containing an attachment, "Tibet-was-never-a-part-of-China.ppsx," meant to attack subscribers of this Tibetan news mailing list. Given the nature of this malware and the targets involved, it is likely designed for espionage purposes rather than financial gain. This is just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons.

Friday, February 1, 2019

Cyber Security Week in Review (Feb. 1)

Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Threat Roundup for Jan. 25 to Feb. 1


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 25 and Feb. 01. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, January 30, 2019

Fake Cisco Job Posting Targets Korean Candidates


Edmund Brumaghin and Paul Rascagneres authored this post, with contributions from Jungsoo An.

Executive summary


Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process.

During our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker. This sort of attack has become more common as threat actors continue to target users to gain an initial foothold in environments. Organizations are encouraged to employ a defense-in-depth approach to security and disallow the execution of macros where possible.

Vulnerability Spotlight: Multiple vulnerabilities in ACD Systems Canvas Draw 5


Tyler Bohan of Cisco Talos discovered these vulnerabilities. Vanja Svajcer authored this blog post.

Cisco Talos is disclosing several vulnerabilities in ACD Systems' Canvas Draw 5, a graphics-editing tool for Mac. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format that's used in Canvas Draw. PCX was a popular image format with early computers, and although it's been replaced by more sophisticated formats, it is still in use and fully supported by Canvas Draw.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ACD Systems to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, January 29, 2019

Vulnerability Spotlight: Multiple vulnerabilities in coTURN


Nicolas Edet of Cisco discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing three vulnerabilities in coTURN. coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable from the internet — to provide firewall traversal solutions.

In accordance with our coordinated disclosure policy, Cisco Talos worked with coTURN to ensure that these issues are resolved and that an update is available for affected customers.

Monday, January 28, 2019

Vulnerability Spotlight: Python.org certificate parsing denial-of-service


Colin Read and Nicolas Edet of Cisco Talos discovered these vulnerabilities.

Executive summary

Python.org contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. Python can crash if getpeercert() is called on a TLS connection, which uses a certificate with invalid DistributionPoint in its extension.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Python to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Multiple WIBU SYSTEMS WubiKey vulnerabilities


Marcin "Icewall" Noga of Cisco Talos discovered these vulnerabilities.

Executive Summary


Cisco Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual properties. It allows the users to manage software license via USB key. A third vulnerability is located in userland and can be triggered remotely, as it's located in the network manager.

In accordance with our coordinated disclosure policy, Talos worked with WIBU SYSTEMS to ensure that these issues are resolved and that an update is available for affected customers.