Monday, October 21, 2019

Gustuff return, new features for victims

By Vitor Ventura with contributions from Chris Neal.

Executive summary


The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS.

The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions. On the capability side, the addition of a "poor man scripting engine" based on JavaScript provides the operator with the ability to execute scripts while using its own internal commands backed by the power of JavaScript language. This is something that is very innovative in the Android malware space.

The first version of Gustuff that we analyzed was clearly based on Marcher, another banking trojan that's been active for several years. Now, Gustuff has lost some similarities from Marcher, displaying changes in its methodology after infection..

Today, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in Australia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as Cisco Duo, combined with security awareness and the use of only official app stores.

Friday, October 18, 2019

Threat Roundup for October 11 to October 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 11 and Oct. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 17, 2019

Vulnerability Spotlight: Multiple vulnerabilities in YouPHPTube



Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Post by Jon Munshaw.

YouPHPTube contains multiple vulnerabilities that could allow an attacker to carry out a variety of malicious activities. Specially crafted, attacker-created web requests can allow an attacker to inject SQL code into the application in some of these cases. YouPHPTube is an open-source program that can allow users to create their own, custom video sites. The software is meant to mimic popular websites such as YouTube, Netflix and Vimeo, according to its website. If successful, an attacker could use these vulnerabilities to gain the ability to exfiltrate files in the database, steal user credentials and, in some configurations, access the underlying operating system.

In accordance with our coordinated disclosure policy, Cisco Talos worked with YouPHPTube to ensure that these issues are resolved and that an update is available for affected customers.

Threat Source newsletter (Oct. 17, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s rare that iOS jailbreaks make it onto the scene. Apple is usually able to patch them out quickly. But a recent exploit is actually unpatchable, and researchers are racing to release tools that can allow users to jailbreak their phone. But malicious attackers are also trying to capitalize on this opportunity. We recently discovered a malicious site that promises to offer a jailbreaking tool, but it actually just conducts click fraud and installs a malicious profile onto the user’s device.

This week, Adobe released its third patch for a vulnerability we discovered earlier this year in Acrobat Reader. An attacker could exploit this bug to gain the ability to execute arbitrary code on the victim machine.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, October 15, 2019

Vulnerability Spotlight: Another fix for Adobe Acrobat Reader DC text field value remote code execution



Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Cisco Talos once again would like to bring attention to a remote code execution vulnerability in Adobe Acrobat Reader. Acrobat, which is one of the most popular PDF readers on the market, contains a bug when the software incorrectly counts array elements. The same code present in the previously disclosed TALOS-2018-0704 and TALOS-2019-0774 could trigger this vulnerability, allowing the attacker to potentially execute remote code. Adobe previously patched those two vulnerabilities, but the fixes did not cover all possible cases.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Checkrain fake iOS jailbreak leads to click fraud

By Warren Mercer and Paul Rascagneres.

Introduction


Attackers are capitalizing on the recent discovery of a new vulnerability that exists across legacy iOS hardware. Cisco Talos recently discovered a malicious actor using a fake website that claims to give iPhone users the ability to jailbreak their phones. However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud.

Checkm8 is a vulnerability in the bootrom of some legacy iOS devices that allows users to control the boot process. The vulnerability impacts all legacy models of the iPhone from the 4S through the X. The campaign we'll cover in this post tries to capitalize off of checkra1n, a project that uses the checkm8 vulnerability to modify the bootrom and load a jailbroken image onto the iPhone. Checkm8 can be exploited with an open-source tool called "ipwndfu" developed by Axi0mX.

The attackers we're tracking run a malicious website called checkrain[.]com that aims to draw in users who are looking for checkra1n.

This discovery made headlines and caught the attention of many security researchers. Jailbreaking a mobile device can be attractive to researchers, average users and malicious actors. A researcher or user may want to jailbreak phones to bypass standard restrictions put in place by the manufacturer to download additional software onto the device or look deeper into the inner workings of the phone. However, an attacker could jailbreak a device for malicious purposes, eventually obtaining full control of the device.

This new malicious actor Talos discovered claims to provide the checkra1n jailbreak. The site even claims to be working with popular jailbreaking researchers such as “CoolStar” and Google Project Zero’s Ian Beer. The page attempts to look legitimate, prompting users to seemingly download an application to jailbreak their phone. However, there is no application, this is an attempt to install malicious profile onto the end-user device

Jailbreaking iOS devices has been around since the launch of the first iPhone in 2007. These are a rare commodity in the iOS world, with Apple moving to patch most software defects swiftly. This can mean a user remains on older versions of iOS at the cost of security to keep their jailbreak — a dangerous proposition. Some users want to jailbreak their devices because it allows them to perform a lot of additional actions on their devices that Apple has locked down. This can be simple tasks like SSHing (remotely accessing) the iOS device, changing icons and themes on the iOS device, and also for illegitimate use such as pirated software and games.

Friday, October 11, 2019

Threat Roundup for October 4 to October 11

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 4 and Oct. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #63: The third law of thermodynamics


Beers with Talos (BWT) Podcast episode No. 63 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Sept. 27, 2019 

We are missing Matt and Joel this time, so Mitch, Craig and Nigel are taking you through this episode. We cover some recent posts from Talos with Divergent and Tortoiseshell. Turns out, people get a bit excited when you target U.S. veterans with malware — even other malware authors thinks that’s scummy. That takes us into a chat about social engineering in general, and we end up talking about some interesting stuff with unpatchable vulnerabilities and why deleting /var on install could be described as "a bad idea" for a Google Chrome update.

Thursday, October 10, 2019

Threat Source newsletter (Oct. 10, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s that time again to update all your Microsoft products. The company released its monthly update Tuesday, disclosing more than 60 vulnerabilities in a variety of its products. This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. We’ve got a rundown of the most important bugs here, and all our Snort coverage here.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

P.S., we have to give ourselves a pat on the back for the researchers who took home the top honors at the Virus Bulletin conference, winning the Péter Ször Award.

New IDA Pro plugin provides TileGX support

By Jonas Zaddach

Overview

Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.

Talos takes home top research honors at Virus Bulletin conference


By Jon Munshaw

Researchers from Cisco Talos brought up the top award at this year’s Virus Bulletin conference.

Talos received the Péter Ször Award — named for the prolific security researcher who was a longtime contributor to Virus Bulletin and passed away in 2013 — for our research into several DNS-related attacks over the past year.

Wednesday, October 9, 2019

Vulnerability Spotlight: Multiple remote code execution bugs in NitroPDF


Cory Duplantis and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in NitroPDF. Nitro PDF allows users to save, read, sign and edit PDF files on their machines. There are two versions of the product: a free and a paid version called “Pro.” The paid version offers several features the free one does not, including the ability to combine multiple PDFs into one file and to redact sensitive information in the file. These bugs all exist in the Pro version of the software.

In accordance with Cisco's vulnerability disclosure policy, we are disclosing these vulnerabilities without a patch from NitroPDF due to the expiration of our 90-day deadline.

Tuesday, October 8, 2019

Vulnerability spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580


Jared Rittle and Patrick DeSantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in the Modicon's use of FTP.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers. Talos previously disclosed a separate round of vulnerabilities in this product in June.

Microsoft Patch Tuesday — Oct. 2019: Vulnerability disclosures and Snort coverage












By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."

This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Friday, October 4, 2019

Threat Roundup for September 27 to October 4

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 27 and Oct. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Monday, September 30, 2019

Open Document format creates twist in maldoc landscape

By Warren Mercer and Paul Rascagneres.

Introduction


Cisco Talos recently observed attackers changing the file formats they use in an attempt to thwart common antivirus engines. This can happen across other file formats, but today, we are showing a change of approach for an actor who has deemed antivirus engines perhaps "too good" at detecting macro-based infection vectors. We've noticed that the OpenDocument (ODT) file format for some Office applications can be used to bypass these detections. ODT is a ZIP archive with XML-based files used by Microsoft Office, as well as the comparable Apache OpenOffice and LibreOffice software.

There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection, due to the fact that these engines view ODT files as standard archives and don't apply the same rules it normally would for an Office document. We also identified several sandboxes that fail to analyze ODT documents, as it is considered an archive, and the sandbox won't open the document as a Microsoft Office file. Because of this, an attacker can use ODT files to deliver malware that would normally get blocked by traditional antivirus software.

We only found a few samples where this file format was used. The majority of these campaigns using malicious documents still rely on the Microsoft Office file format, but these cases show that the ODT file format could be used in the future at a more successful rate. In this blog post, we'll walk through three cases of OpenDocument usage. The two first cases targets Microsoft Office, while the third one targets only OpenOffice and LibreOffice users. We do not know at this time if these samples were used simply for testing or a more malicious context.


Vulnerability Spotlight: Foxit PDF Reader JavaScript Array.includes remote code execution vulnerability


Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Foxit PDF Reader contains a remote code execution vulnerability in its JavaScript engine. Foxit aims to be one of the most feature-rich PDF readers on the market, and contains many similar functions to that of Adobe Acrobat Reader. The software uses JavaScript at several different points when opening a PDF. A bug exists in the JavaScript reading function that results in a large amount of memory to be allocated, which quickly uses up all available memory. An attacker could exploit this vulnerability to then gain the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 27, 2019

Threat Roundup for September 20 to September 27

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 20 and Sept. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 26, 2019

Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host


Update (09/27/2019): Additional information regarding the malware interaction with various online advertisements has been included to highlight the click-fraud related network communications associated with Divergent.


Executive summary


Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called "Divergent." We first dove into this malware after we saw compelling data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention.

This threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware. The use of NodeJS is not something commonly seen across malware families.

The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with "fileless" malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud. It also features several characteristics that have been observed in other click-fraud malware, such as Kovter.

Threat Source newsletter (Sept. 26)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

An attacker known as “Tortoiseshell” is using a phony, malicious website to deliver malware. The site specifically targets U.S. military veterans who may be searching for a job. These types of sites are likely to be shared on social media as the general population hopes to support the veteran population.

Forget about the iPhone 11, impeachment or nation-state cyber attacks. We all know the biggest news of the past week was Area 51. And thankfully, the latest Beers with Talos talks about storming the secret military base. And some other, more cyber security-focused things.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Beers with Talos Ep. #62: Fifty shades of shady



Beers with Talos (BWT) Podcast episode No. 62 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Sept. 13, 2019 

In one of our "rantier" episodes, the BWT crew dives into the ongoing insidiousness that is cryptomining with Watchbog, and then we turn our attention to some idiot that thinks charging people $50 to bypass MFA on their own machines is a good idea, because nothing bad can happen there, right? RIGHT?! Finally, we take a look at some recent breaches and the trend of attempting to downplay the severity of a breach because the data ex-fil wasn’t “vital or important.” Again, what can go wrong with that line of thinking? This is fine. Everything is just fine. Security is solved, we can go home now.

An in-depth look at cyber insurance: We sat down with risk expert, Cisco's Leslie Lamb

Y2K is known for being one of the most widespread times of panic in IT. It was generally thought that on Dec. 31, 1999, computers across the globe would shut down when they would fail to properly process that it would become the year 2000 the next day.

It made headlines across the globe, sent everyone with a computer into a panic and even led to the creation of several U.S. government task forces to prepare for the problem.

But what you may not know is that Y2K spawned the birth of cyber security insurance.

In the buildup of panic, companies became worried that they would lose all their information stored on computers or would lose all ability to operate come Jan. 1, 2000. It was around this time that companies and organizations started to consider mitigating the risk regarding computers and digital storage.

Leslie Lamb was actually one of the first people to even negotiate for a security insurance policy on Cisco’s behalf. Today, the popularity of cyber insurance has exploded as government agencies, small cities, companies and non-profits worry about the rise in ransomware attacks.

Tuesday, September 24, 2019

How Tortoiseshell created a fake veteran hiring website to host malware



By Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

Introduction

Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to that of legitimate websites, such as www.hiringourheroes.org. The site prompted users to download an app, which was actually a malware downloader, deploying malicious spying tools and other malware.

This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attacker on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs).

Friday, September 20, 2019

Threat Roundup for September 13 to September 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 13 and Sept. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 19, 2019

Threat Source newsletter (Sept. 19, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re all still trying to shake off the summer. Gone are the early Fridays, beach vacations and days by the pool. Turns out, attackers may be brushing the same things off. The ever-present Emotet went quiet over the summer, but it’s back now with a slew of new campaigns. While this may sound concerning, the same protections and coverage you’ve always used will keep you safe.

And, speaking of things that won’t stay down, cryptocurrency miners still aren’t going anywhere. We've discovered a new threat actor we’re calling “Panda” that is rapidly spreading miners, even as digital currencies decline in value.

This was also a busy week for vulnerability discovery. We’ve got three new vulnerability spotlights out: the Aspose PDF API, Atlassian’s Jira software and the AMD ATI Radeon line of graphics cards.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, September 17, 2019

Emotet is back after a summer break

By Colin Grady, William Largent, and Jaeson Schultz.


Emotet is still evolving, five years after its debut as a banking trojan. It is one of the world's most dangerous botnets and malware droppers-for-hire. The malware payloads dropped by Emotet serve to more fully monetize their attacks, and often include additional banking trojans, information stealers, email harvesters, self-propagation mechanisms and even ransomware.

At the beginning of June 2019, Emotet's operators decided to take an extended summer vacation. Even the command and control (C2) activities saw a major pause in activity. However, as summer begins drawing to a close, Talos and other researchers started to see increased activity in Emotet's C2 infrastructure. And as of Sept. 16, 2019, the Emotet botnet has fully reawakened, and has resumed spamming operations once again. While this reemergence may have many users scared, Talos' traditional Emotet coverage and protection remains the same. We have a slew of new IOCs to help protect users from this latest push, but past Snort coverage will still block this malware, as well traditional best security practices such as avoiding opening suspicious email attachments and using strong passwords.

Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”

By Christopher Evans and David Liebenberg.


Executive summary

A new threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.

Panda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.

Talos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread "MassMiner" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, IT services industries were affected in these campaigns.

Vulnerability Spotlight: Multiple vulnerabilities in Aspose PDF API


Marcin Noga of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in the Aspose.PDF API. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Aspose to ensure that these issues are resolved and that an update is available for affected customers.

New Cisco Talos web reputation verdicts

Cisco Talos has updated and expanded the Talos Threat Levels used to describe our web reputation verdicts. 

As you will see in the chart below, we are increasing the amount of reputation verdicts from three to five. We are retaining the Unknown category, just as before.

Cisco Security products will transition to display these new scores over time, beginning with the upcoming Cisco NGFW release of 6.5. This allows for more granular scoring of web reputation verdicts, and gives customers greater control over the defense of their networks.

Talos Email Reputation scores will not change at this time.

Monday, September 16, 2019

Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality remote code execution vulnerability


Piotr Bania of Cisco Talos discovered this vulnerability.

Some AMD Radeon cards contain a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira


Ben Taylor of Cisco ASIG discovered these vulnerabilities.

Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlassian to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 13, 2019

Threat Roundup for September 6 to September 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 6 and Sept. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 12, 2019

Threat Source newsletter (Sept. 12, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

You’ve heard it a million times: Always patch. But in case you needed another example that it’s important, Cisco Incident Response took a deep dive into a recent wave of Watchbog infections they observed. In this post, IR breaks down why this infection occurred, and what you can learn from it. 

Speaking of patching, it’s as good of a time as any to update all of your Microsoft products. The company released its latest security update as part of their monthly Patch Tuesday. Check out our breakdown of the most important vulnerabilities here and our Snort coverage here.

Ever considered an “illustrious career in cybercrime?” Well, don’t do it. So says Craig on the latest Beers with Talos podcast where the guys talking about “hacking back” and Matt’s level of Twitter fame.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, September 11, 2019

Watchbog and the Importance of Patching


What Happened?


Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.

This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.

There were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security.

The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any "real" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the "positive" intentions of this adversary. Below is a message left on a compromised system by the adversary:

Beers with Talos Ep. #61: Hacking for good is a bad idea



Beers with Talos (BWT) Podcast episode No. 61 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Aug. 30, 2019: In this extra-sized episode, we cover a lot, starting with Retadup, and discussing the intricate workings of why it’s a bad idea to execute code on other computers without permission when you have no idea what that computer is doing. WannaCry is making some headlines again, but this time it isn’t WannaCry and, frankly, it’s not news. From the mobile ecosystem operating system battleground, Google’s Project Zero announced several vulnerabilities in iOS that have been discovered being exploited in the wild, with some of the exploit chains leveraging zero-days. The most important development of the week is that journalists are now quoting Matt's Twitter timeline and this will certainly end well.

Tuesday, September 10, 2019

Microsoft Patch Tuesday — Sept. 2019: Vulnerability disclosures and Snort coverage












By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical," 65 that are considered "important" and one "moderate." There is also a critical advisory relating to the latest update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Monday, September 9, 2019

Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers


Dave McDaniel of Cisco Talos discovered these vulnerabilities.

The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NETGEAR to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 6, 2019

Threat Roundup for August 30 to September 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 30 and Sept. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.