Tuesday, September 17, 2019

Emotet is back after a summer break

This blog post was written by Colin Grady, William Largent, and Jaeson Schultz.


Emotet is still evolving, five years after its debut as a banking trojan. It is one of the world's most dangerous botnets and malware droppers-for-hire. The malware payloads dropped by Emotet serve to more fully monetize their attacks, and often include additional banking trojans, information stealers, email harvesters, self-propagation mechanisms and even ransomware.

At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer begins drawing to a close, Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. While this reemergence may have many users scared, Talos' traditional Emotet coverage and protection remains the same. We have a slew of new IOCs to help protect users from this latest push, but past Snort coverage will still block this malware, as will traditional best security practices such as avoiding opening suspicious email attachments and using strong passwords.

Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”

By Christopher Evans and David Liebenberg.


Executive summary

A new threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.

Panda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromise and proofs of concept. Our threat traps show that Panda uses exploits previously used by Shadow Brokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.

Talos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread "MassMiner" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications and IT services industries were affected in these campaigns.

Vulnerability Spotlight: Multiple vulnerabilities in Aspose PDF API


Marcin Noga of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and tricking them into opening it while using the corresponding API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Aspose to ensure that these issues are resolved and that an update is available for affected customers.

New Cisco Talos web reputation verdicts

Cisco Talos has updated and expanded the Talos Threat Levels used to describe our web reputation verdicts. 

As you will see in the chart below, we are increasing the number of reputation verdicts from three to five, while retaining the Unknown category across the board.

Cisco Security products may display these new scores over time, beginning with the upcoming Cisco NGFW release of 6.5. This allows for more granular scoring of web reputation verdicts, and gives customers greater control over the defense of their networks.

Monday, September 16, 2019

Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability


Piotr Bania of Cisco Talos discovered this vulnerability.

Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shader inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira


Ben Taylor of Cisco ASIG discovered these vulnerabilities.

Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlassian to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 13, 2019

Threat Roundup for September 6 to September 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 6 and Sept. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 12, 2019

Threat Source newsletter (Sept. 12, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

You’ve heard it a million times: Always patch. But in case you needed another example that it’s important, Cisco Incident Response took a deep dive into a recent wave of Watchbog infections they observed. In this post, IR breaks down why this infection occurred, and what you can learn from it. 

Speaking of patching, it’s as good of a time as any to update all of your Microsoft products. The company released its latest security update as part of their monthly Patch Tuesday. Check out our breakdown of the most important vulnerabilities here and our Snort coverage here.

Ever considered an “illustrious career in cybercrime?” Well, don’t do it. So says Craig on the latest Beers with Talos podcast, where the guys talk about “hacking back” and Matt’s level of Twitter fame.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, September 11, 2019

Watchbog and the Importance of Patching


What Happened?


Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.

This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.

There were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security.

The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any "real" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the "positive" intentions of this adversary. Below is a message left on a compromised system by the adversary:

Beers with Talos Ep. #61: Hacking for good is a bad idea



Beers with Talos (BWT) Podcast episode No. 61 is now available. Download this episode and subscribe to Beers with Talos:


Recorded Aug. 30, 2019: In this extra-sized episode, we cover a lot, starting with Retadup, and discussing the intricate workings of why it’s a bad idea to execute code on other computers without permission when you have no idea what that computer is doing. WannaCry is making some headlines again, but this time it isn’t WannaCry and, frankly, it’s not news. From the mobile ecosystem operating system battleground, Google’s Project Zero announced several vulnerabilities in iOS that have been discovered being exploited in the wild, with some of the exploit chains leveraging zero-days. The most important development of the week is that journalists are now quoting Matt's Twitter timeline and this will certainly end well.

Tuesday, September 10, 2019

Microsoft Patch Tuesday — Sept. 2019: Vulnerability disclosures and Snort coverage

By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical,” 65 that are considered “important” and one “moderate.” There is also a critical advisory relating to the latest update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.

Talos also released a new set of SNORT® rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Monday, September 9, 2019

Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers


Dave McDaniel of Cisco Talos discovered these vulnerabilities.

The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NETGEAR to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 6, 2019

Threat Roundup for August 30 to September 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 30 and Sept. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 5, 2019

Threat Source newsletter (Sept. 5, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

By now, nearly everyone has heard of BlueKeep. It definitely sounds scary, with all of this talk of wormable bugs and WannaCry. But so far, no attackers have used it to launch a large-scale attack.

Of course, we knew this wouldn’t stay quiet forever. Last month, Microsoft disclosed more RDP vulnerabilities in what’s being called “DejaBlue.” These are another set of wormable bugs, but we have a walkthrough for how Cisco Firepower customers can stay protected.

Elsewhere on the vulnerability front, we have advisories out for an information disclosure in Blynk-Library and two bugs in Epignosis eFront.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

GhIDA: Ghidra decompiler for IDA Pro

By Andrea Marcelli

Executive Summary

Cisco Talos is releasing two new tools for IDA Pro: GhIDA and Ghidraaas.

GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler into the IDA workflow, giving users the ability to rename and highlight symbols, along with improved navigation and comments. GhIDA assists the reverse-engineering process by decompiling x86 and x64 PE and ELF binary functions, using either a local installation of Ghidra or Ghidraaas (Ghidra as a Service) — a simple Docker container that exposes the Ghidra decompiler through REST APIs.

Here is a quick video walking users through this new tool:

Wednesday, September 4, 2019

Vulnerability Spotlight: Information disclosure vulnerability in Blynk-Library

Lilith Wyatt of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered an information disclosure vulnerability in Blynk-Library. Blynk-Library is a small library for connecting more than 400 different embedded device models into a private or enterprise Blynk-Server instance. According to the Git repository, it is the "most popular internet-of-things platform for connecting any hardware to the cloud."

In accordance with our coordinated disclosure policy, Cisco Talos worked with Blynk to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, September 3, 2019

The latest on BlueKeep and DejaBlue vulnerabilities — Using Firepower to defend against encrypted DejaBlue

This blog was authored by Brandon Stultz, Holger Unterbrink and Edmund Brumaghin.

Executive summary


Over the past few months, Microsoft has released several security updates for critical Remote Desktop Protocol (RDP)-related security bugs. These bugs are significant for IT infrastructure because they are classified as "wormable," meaning future malware that exploits them could spread from system to system without requiring explicit user interaction. These vulnerabilities could be exploited by an attacker sending a specially crafted request to the target system's Remote Desktop Service via RDP. We have seen how destructive these kinds of attacks can be, most notably WannaCry. We highly recommend organizations immediately apply Microsoft's patches. Cisco Talos released detection coverage for CVE-2019-0708 and also enhanced guidance to help organizations facilitate inspection of RDP sessions here. Microsoft published additional security updates last month to mitigate two additional remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, affecting several versions of Microsoft Windows. These bugs are referred to as "DejaBlue" due to their similarities to BlueKeep.

Once again, Cisco Talos started working immediately to reverse-engineer the RCE vulnerabilities. Protections for both CVE-2019-1181 and CVE-2019-1182 now exist to keep your systems secure. SID 51369 for SNORT® correctly blocks exploitation of CVE-2019-1181 and CVE-2019-1182. In this post, we'll run through the details of how to protect against this "DejaBlue" exploit and walk through the steps to protect your environment.

Vulnerability Spotlight: Two vulnerabilities in Epignosis eFront


Yuri Kramarz of Security Advisory Incident Response EMEAR discovered these vulnerabilities.

Cisco Talos discovered two vulnerabilities in Epignosis eFront — one of which could allow an attacker to remotely execute code on the victim system, and another that opens the victim machine to SQL injection. eFront is a learning management system (LMS) platform that allows users to control their virtual training environments and data. The software boasts the ability to allow large companies to train their employees quickly and efficiently.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Epignosis to ensure that these issues are resolved and that an update is available for affected customers. Epignosis confirmed that they released eFront version 5.2.13 to address these issues.

Friday, August 30, 2019

Threat Roundup for August 23 to August 30

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 23 and Aug. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #60: Summer camp flashbacks and defining your intel



Beers with Talos (BWT) Podcast episode No. 60 is now available. Download this episode and subscribe to Beers with Talos:


Recorded Aug. 16, 2019 — The understatement of the day would be the guys were in some kind of mood when we recorded this. There is no explaining the way they are sometimes. We ended up discussing a lot of the awesome things that went on at Blackhat and DEFCON, like the time Matt and Mitch got ejected from the Aviation Village for recognizing the prowess of the greatest plane ever built. And also the time Joel ejected himself from the Cisco party. Deeper in the episode we get into threat intelligence: What is it, how to find the intel you need, and how do you leverage it to create value?

Thursday, August 29, 2019

Threat Source newsletter (Aug. 22)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

What’s old is new again.

Our research this week centers around a series of long-lasting threat actors and malware that have been given new life.

China Chopper, a 9-year-old web shell, is more prevalent than ever now that the source code is out there, so any threat actor could conceivably use it. We recently discovered three distinct campaigns using it for a variety of malicious activities.

We’ve also discovered threat actors using two of the most popular RATs — Orcus RAT and RevengeRAT — to target government entities, financial services organizations, information technology service providers and consultancies.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, August 28, 2019

RAT Ratatouille: Backdooring PCs with leaked RATs

By Edmund Brumaghin and Holger Unterbrink.

Executive summary

Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries have used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. There are typically numerous, unrelated attackers attempting to leverage this RAT to compromise corporate networks for the purposes of establishing an initial point of network access, performing lateral movement, and exfiltrating sensitive information that can be monetized. Orcus RAT was in the news earlier this year due to Canadian law enforcement activity related to the individual believed to have authored the malware.

Cisco Talos recently discovered a threat actor that has been leveraging RevengeRAT and Orcus RAT in various malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies. We discovered several unique tactics, techniques, and procedures (TTPs) associated with these campaigns including the use of persistence techniques most commonly associated with "fileless" malware, obfuscation techniques designed to mask C2 infrastructure, as well as evasion designed to circumvent analysis by automated analysis platforms such as malware sandboxes.

The characteristics associated with these campaigns evolved over time, showing the attacker is constantly changing their tactics in an attempt to maximize their ability to infect corporate systems and work toward the achievement of their longer-term objectives.

Tuesday, August 27, 2019

China Chopper still active 9 years later

By Paul Rascagneres and Vanja Svajcer.

Introduction

Threats will commonly fade away over time as they're discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. China Chopper is a web shell that allows attackers to retain access to an infected system using a client-side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years, we've seen several different campaigns utilizing this web shell. We chose to document the three most active campaigns in this blog post.

We decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications providers called "Operation Soft Cell," which reportedly utilized China Chopper. Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017, which shows that even nine years after its creation, attackers are using China Chopper without significant modifications.

This web shell is widely available, so almost any threat actor can use it. This also means it's nearly impossible to attribute attacks to a particular group using only the presence of China Chopper as an indicator.

The usage of China Chopper in recent campaigns proves that a lot of old threats never really die, and defenders on the internet need to be looking out for malware both young and old.

Friday, August 23, 2019

Threat Roundup for August 16 to August 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 16 and Aug. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 22, 2019

Threat Source newsletter (Aug. 22)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

A lot of people may think that cyber insurance is this new, unexplored field that carries a lot of questions. But did you know that these policies have actually been around since Y2K fever? There are many more misconceptions about these policies, so we aimed to clear some of these up with this cyber insurance FAQ.

If you came out and saw us at DEFCON, chances are you got your hands on our super sweet badges. Unfortunately, there were a few small bugs, but we have a step-by-step guide that shows you how to fix those problems, and we walk through how to set it up to get your own Digispark clone.

This was also a busy week for vulnerabilities. Our discovery of several bugs in Google’s Nest camera has made headlines, since an attacker could use these to leak sensitive information. We also have a breakdown of multiple remote code execution vulnerabilities in different Aspose APIs.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

New 4CAN tool helps identify vulnerabilities in on-board car computers

By Alex DeTrano, Jason Royes, and Matthew Valites.

Executive summary

Modern automobiles contain hundreds of sensors and mechanics that communicate via computers to understand their surrounding environment. Those components provide real-time information to drivers, connect the vehicle to a global network, and in some cases use that telemetry to automatically drive the vehicle. Like any computer, those in vehicles are susceptible to threats, such as vulnerabilities in software, abuse via physical access, or even allowing remote control of the vehicle, as recently demonstrated by Wired and a DARPA-funded team of researchers.

Allied Market Research estimates the global connected car market to exceed $225 billion by 2025. To help secure this emerging technology, Cisco has dedicated resources for automobile security. The Customer Experience Assessment & Penetration Team (CX APT) represents the integration of experts from the NDS, Neohapsis, and Portcullis acquisitions. This team provides a variety of security assessment and attack simulation services to customers around the globe (more info here). CX APT specializes in identifying vulnerabilities in connected vehicle components.

Wednesday, August 21, 2019

Talos DEFCON badge build instructions and use


By Patrick Mullen.

We want to thank everyone who stopped by the Cisco Talos booth at DEFCON's Blue Team Village earlier this month. We handed out these badges at our area where we had Snort rules challenges, reverse-Capture the Flag and recruiters ready to answer attendees' career advice questions.

Unfortunately, there were two bugs in the board as created, which should be expected when it was created in such a short time, but we have a guide for how you can fix these. Once these bugs are fixed, you'll have a fully functional Digispark clone that can be used for several projects, including impersonating a USB keyboard, as our example sketch does. You can also attach leads to the open jumpers to get full access to all of the pins from the ATtiny85 to drive your own projects.

Power is provided directly by the USB port when used as a USB device, by a USB charger, or via J2 at the top of the board. The center pin is GND, the right pin is for regulated five volts, and the left pin can handle anywhere from 5V to 20V. During DEFCON, we powered it with a nine-volt battery for convenience.

Tuesday, August 20, 2019

What you — and your company — should know about cyber insurance


By Jon Munshaw and Joe Marshall. 

It’s no longer a question of “if” any given company or organization is going to be hit with a cyber attack — it’s when. And when that attack comes, who is willing to take on that risk?

For some groups, it may be that they feel they are fully prepared to take on the challenge of defending against an attack or potentially recover from one. But cyber security insurance offers the ability to transfer that risk to an insurance company that can help you with everything from covering lost revenue to providing incident response as soon as you detect an attack.

Even back in 2016, Cisco Talos called the realm of cyber insurance “new and immature.”  But since then, the market has changed drastically, and these kinds of policies are becoming more popular. Still, some businesses have been slow to adopt these policies. According to a study by J.D. Power & Associates and the Insurance Information Institute released in October 2018, 59 percent of businesses still do not have any form of cyber insurance.

But a recent wave of attacks — including the takedown of computer systems in Baltimore, a multi-million-dollar settlement from Equifax over a 2016 data breach, and the recent theft of millions of Capital One customers’ information — shows why it’s important to remain prepared for these kinds of scenarios.

Equifax is still recovering from a massive data breach in 2016 that cost the company hundreds of millions of dollars. A cyber policy the company had covered $125 million in costs associated with the attack, though Equifax admittedly could have used a bigger policy considering the breach cost a total of $1.4 billion.

Is cyber insurance the right choice for your company or organization? We spoke to two cyber insurance experts to get answers to the questions we had around cyber insurance to help you make an informed decision.

Vulnerability Spotlight: Multiple vulnerabilities in Aspose APIs


Marcin Noga of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.

Cisco Talos initially disclosed these vulnerabilities on Aug. 20, 2019 in accordance with Cisco's disclosure policy, after numerous unsuccessful attempts were made to contact Aspose to report these vulnerabilities. Aspose released an update on Aug. 30, 2019 that fixed these vulnerabilities.

Monday, August 19, 2019

Vulnerability Spotlight: Multiple bugs in OpenWeave and Nest Labs Nest Cam IQ indoor camera


Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera; however, some also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable, as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Weave and Nest Labs to ensure that these issues are resolved and that an update is available for affected customers.

Friday, August 16, 2019

Beers with Talos Ep. #59: The tardy episode
Beers with Talos (BWT) Podcast episode No. 59 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded 8/2/19 - Yes, I know what today’s date is. We got really busy last week and I am sorry that the podcast is late. Really, I wish I wasn’t writing these notes at 12:#0r4-j3pofw…. What? Anyway, we talk about malvertising and dig into that ecosystem a bit looking at some of the competing priorities (hint: none of them are your privacy). We also discuss BlueKeep making its debut in Canvas and surely soon to follow in other fine pen testing platforms. We use that opportunity to review a little bit of RDP knowledge and defense. We’re recording again tomorrow and I really don’t want to hear what my co-hosts will say if this isn’t out by then, so I’m going to go hit publish now.

Threat Roundup for August 9 to August 16

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 9 and Aug. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 15, 2019

Threat Source newsletter (Aug. 15)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Sorry we missed you last week, we were all away at Hacker Summer Camp. If you missed us at Black Hat, we have a roundup up on the blog of some of the “flash talks” from our researchers and analysts.

Patch Tuesday was also this week, and we’ve got you covered with Snort rules and coverage of some of the most critical bugs. 

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, August 14, 2019

Talos Black Hat 2019 flash talk roundup


Talos went wall-to-wall at Hacker Summer Camp, showing up to Black Hat and DEFCON with talks, challenges, advice and education.

Over the course of two days at Black Hat, Cisco Security hosted more than 20 talks at our booth, many featuring Talos researchers and analysts.

In case you couldn't swing by the booth, we've got a quick recap of eight of those "flash talks" to give you a quick rundown of what our researchers wanted to get across. Click on each of these videos to hear each speaker give a quick recap, and stay tuned for a future Beers with Talos episode to hear all of them together.

Tuesday, August 13, 2019

Microsoft Patch Tuesday — Aug. 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated “critical,” 65 that are considered “important” and one “moderate.”

This month’s security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine. For more on our coverage of these bugs, check out our Snort advisories here, covering all of the new rules we have for this release.

Friday, August 9, 2019

Threat Roundup for August 2 to August 9

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 2 and Aug. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Monday, August 5, 2019

Vulnerability Spotlight: Multiple vulnerabilities in NVIDIA Windows GPU Display Driver, VMware ESXi, Workstation and Fusion


Piotr Bania of Cisco Talos discovered these vulnerabilities.

Executive summary

VMware ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability that can be triggered using a specially crafted shader file. This vulnerability can be triggered from a VMware guest, affecting the VMware host, leading to a crash (denial-of-service) of the vmware-vmx.exe process on the host (TALOS-2019-0757).

However, when the host/guest systems are using an NVIDIA graphics card, the VMware denial-of-service can be turned into a code execution vulnerability (leading to a VM escape), because of an additional security issue present in NVIDIA's Windows GPU Display Driver (TALOS-2019-0779).

Moreover, two out-of-bounds write vulnerabilities that could lead to arbitrary code execution have been found on NVIDIA Windows GPU Display Driver (TALOS-2019-0812, TALOS-2019-0813). These can be triggered by a specially crafted shader file.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA and VMware to ensure that these issues are resolved and that updates are available for affected customers.

Friday, August 2, 2019

Threat Roundup for July 26 to Aug. 2

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 26 and Aug. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 1, 2019

Threat Source newsletter (Aug. 1, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Are you heading to Vegas next week for Hacker Summer Camp? Talos will. We’ll be at Black Hat and DEFCON holding a series of talks, taking resumes, answering questions and hosting a number of challenges. Check out our talk lineup for Black Hat here and a rundown of our activities at DEFCON here.

Everyone on the internet has seen the ads on web pages that suck you in with enticing headlines, too-good-to-be-true sales or highly specific offers. But many times, these ads can lead to malware. We took a deep dive into adware to talk about a slew of recent campaigns we’ve seen that have targeted some of the most popular sites on the web.

If you work with Snort rules at all, you have to check out our new Re2PCAP tool, which allows you to generate a PCAP file in seconds just from a raw HTTP request or response.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.