Thursday, July 18, 2019

Threat Source newsletter (July 18, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

A group we’re calling “SWEED” may be behind years of Agent Tesla attacks. This week, we laid out everything we know about this actor, ran down their TTPs and discussed how users can stay safe.

If you didn’t get enough of the ransomware debate last week, we have even more talk of extortion payments on the latest Beers with Talos episode, too.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Beers with Talos Ep. #57 - It’s a business decision, not rocket science



Beers with Talos (BWT) Podcast Ep. #57 is now available. Download this episode and subscribe to Beers with Talos:


Recorded July 8, 2019 — Matt skipped this episode in favor of a meeting (for real). The rest of the crew carried on to discuss a few of this week’s hot-button issues, such as municipalities paying (or not paying) the ransom, NASA JPL reporting that an APT breached its network via a rogue Raspberry Pi (in true Mr. Robot fashion), and rogue devices in general. Next episode will be our last before Black Hat and DEFCON, so tune in to find out where you can find Talos at those conferences.

Monday, July 15, 2019

SWEED: Exposing years of Agent Tesla campaigns

By Edmund Brumaghin and other Cisco Talos researchers.

Executive summary


Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.

SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

Friday, July 12, 2019

Threat Roundup for July 5 to July 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 5 and July 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 11, 2019

Threat Source newsletter (July 11, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Generally, when we write about a threat group or attack, that threat will calm down for a while. After all, it’s much more difficult for these threats to survive once awareness of them spreads. However, in the case of Sea Turtle, the actors have actually doubled down on their DNS hijacking techniques. Our new research indicates this group has developed a new way to secretly redirect DNS traffic, and they’re unlikely to slow down any time soon.

Ransomware has been making headlines over the past 12 months. Between Atlanta, Baltimore and, most recently, two cities in Florida, governments have been taken down by attackers looking for extortion payments. The two Florida cities chose to pay the attackers, while Atlanta and Baltimore chose the more expensive route of manually recovering their data. Which route is best? Which makes the most fiscal sense? We tried to find out in a roundtable featuring experts from Cisco Talos and Cisco Incident Response.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Should governments pay extortion payments after a ransomware attack?



By Jonathan Munshaw. 

When it comes to ransomware attacks this year, it’s been a tale of three cities.

In May, the city of Baltimore suffered a massive ransomware attack that took many of its systems down for weeks — restricting employees’ access to email, closing online payment portals and even preventing parking enforcement officials from writing parking tickets. After the attack, the city’s mayor said several times the city would not be paying the extortion request, but it’s still expected to cost the city more than $10 million to recover.

But two cities — albeit smaller ones — in Florida chose to take a different route. Last month, the governments in Lake City and Riviera Beach chose to pay off their attackers in exchange for the return of their data after ransomware attacks, though they still face some work in decrypting the affected data.

The cities paid the hackers a combined $1 million in Bitcoin — and researchers say these kinds of attacks aren’t going to slow down. So when the next city or state government gets hit, should they pay up, or start the long process of manually recovering their data? We asked experts from Cisco Talos and Cisco Security to weigh in.

Tuesday, July 9, 2019

Microsoft Patch Tuesday — July 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 77 vulnerabilities, 16 of which are rated “critical," 60 that are considered "important" and one "moderate."

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, Internet Explorer and the Windows Server DHCP service. For more on our coverage of these bugs, check out the SNORT® blog post here, covering all of the new rules we have for this release.

Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques



By Danny Adamitis with contributions from Paul Rascagneres.

Executive summary

After several months of activity, the actors behind the "Sea Turtle" DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.

Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. It has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that particular country code; that access was then used to compromise additional government entities. Unfortunately, unless significant changes are made to better secure DNS, these sorts of attacks are going to remain prevalent.

Friday, July 5, 2019

Threat Roundup for June 28 to July 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 28 and July 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, July 3, 2019

Beers with Talos Ep. #56 - Flatlined: Breach to Bankrupt



Beers with Talos (BWT) Podcast Ep. #56 is now available. Download this episode and subscribe to Beers with Talos:


Recorded 6/24/19 - Back in the studio for EP 56 and off the top, Matt got some new audio toy for his side hustle as a Twitch star - I still can’t figure out exactly how he did what he did, but it was not helpful from a producer’s perspective. It’s repaired, but still enough to apologize for. This is why we can’t have nice things. We discuss the issues around the AMCA data heist - a breach that caused a bankruptcy - and the complexity of securely moving sensitive data, like PII and HIPAA data, to the cloud. As we get deeper, we end up discussing the issues inherent in medical data - namely, its sensitivity and data security issues so systemic in nature that not even HIPAA can help.

Threat Source newsletter (July 3, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We disclosed several vulnerabilities this week, including two in Simple DirectMedia Layer, and a memory corruption bug in the V8 JavaScript engine in Google Chrome.

This week also saw the rise of an old favorite — exploit kits. While we don’t see them as often as we used to, Talos recently discovered a campaign using the infamous “Heaven’s Gate” technique to deliver a series of remote access trojans and information-stealers.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Tuesday, July 2, 2019

Vulnerability Spotlight: Remote code execution vulnerabilities in Simple DirectMedia Layer


Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities.

Simple DirectMedia Layer contains two vulnerabilities that could allow an attacker to remotely execute code on the victim’s machine. Both bugs are present in the SDL2_image library, which is used for loading images in different formats, specifically in the function responsible for loading PCX files. In both cases, a specially crafted PCX file can lead to a heap buffer overflow and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SDL to ensure that these issues are resolved and that an update is available for affected customers.

Monday, July 1, 2019

RATs and stealers rush through “Heaven’s Gate” with new loader


Executive summary

Malware is constantly finding new ways to avoid detection. That doesn't mean it will never be detected, but it does let adversaries lengthen the window between initial release and detection. Flying under the radar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack. Cisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware that shows attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers built a complex loader to keep antivirus systems from detecting the payload malware. Among its features is the infamous "Heaven's Gate" technique, a trick that allows 32-bit malware running on 64-bit systems to hide its API calls from 32-bit hooks and analysis tools by switching into the 64-bit execution environment.

In this blog, we will show how to analyze this loader quickly, and provide an overview of how these attackers deliver the well-known HawkEye Reborn malware. During our analysis, we also discovered several notable malware families, including Remcos and various cryptocurrency mining trojans, leveraging the same loader in an attempt to evade detection and impede analysis.
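As an added triage example (not code from the Talos post or from the loader it describes), the scanner below looks for the 32-bit instruction encodings that perform the Heaven's Gate transition: a far jump, far call or far return to code segment selector 0x33, the 64-bit code segment under WoW64 on Windows x64, and the matching return to selector 0x23. The byte patterns are assumptions drawn from public documentation of the technique, and both sample blobs are constructed by hand.

```python
"""Heaven's Gate triage scanner (added example, not code from the Talos post).

Under WoW64, 32-bit code can switch itself into 64-bit mode by performing a
far jump, far call or far return to code segment selector 0x33, and return
with selector 0x23. This scanner looks for the common 32-bit encodings of
that transition in a raw code blob. The byte patterns are an assumption
drawn from public documentation of the technique; the samples are constructed.
"""
import re
from typing import List, Tuple

X64_CODE_SELECTOR = 0x33  # 64-bit code segment under WoW64 (Windows x64)
X86_CODE_SELECTOR = 0x23  # 32-bit code segment, used on the way back

# 32-bit mode encodings. "." matches any byte (re.DOTALL), so the 4-byte
# target offset is ignored and only the selector is checked.
PATTERNS = [
    # EA imm32 imm16  -> jmp far 0x33:offset
    ("jmp far 0x33:imm32", re.compile(rb"\xEA.{4}\x33\x00", re.DOTALL)),
    # 9A imm32 imm16  -> call far 0x33:offset
    ("call far 0x33:imm32", re.compile(rb"\x9A.{4}\x33\x00", re.DOTALL)),
    # push 0x33 ; call $+5 ; add dword [esp], imm8 ; retf  (the classic gate stub)
    ("push 0x33 / call $+5 / add [esp],imm8 / retf",
     re.compile(rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24.\xCB", re.DOTALL)),
    # push 0x23 ... retf within a short window: the return to 32-bit mode
    ("push 0x23 ... retf", re.compile(rb"\x6A\x23.{0,16}?\xCB", re.DOTALL)),
]


def scan_heavens_gate(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, pattern_name) for every match, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in PATTERNS:
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: a benign prologue, the gate stub, padding, a far jump.
GATE_SAMPLE = (
    b"\x55\x8B\xEC\x83\xEC\x10"                             # push ebp; mov ebp,esp; sub esp,0x10
    + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"   # gate stub (offset 6)
    + b"\x90" * 4                                           # nop padding
    + b"\xEA\x78\x56\x34\x12\x33\x00"                       # jmp far 0x33:0x12345678 (offset 22)
    + b"\xC3"                                               # ret
)
# Constructed benign function: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
BENIGN_SAMPLE = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"

if __name__ == "__main__":
    for offset, name in scan_heavens_gate(GATE_SAMPLE):
        print(f"0x{offset:04x}: {name}")
```

Byte matching of this kind is a triage aid, not a verdict: loaders that build the selector at runtime or decode the stub just before use will not match, and legitimate WoW64 components (the system's own 32-to-64 thunking code) contain the same transition, so hits inside Microsoft-signed modules should be filtered out before escalating.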

Vulnerability Spotlight: Google V8 Array.prototype memory corruption vulnerability


The V8 JavaScript engine in Google Chrome contains a memory corruption vulnerability that could allow an attacker to execute arbitrary code on the victim’s machine. V8 is the core JavaScript engine that runs in the Chrome browser. As part of Chrome and Node.js, it is the most popular JavaScript engine currently available.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers. Google initially fixed this vulnerability in March and merged it in April. However, the company just publicly disclosed it on June 26, per its vulnerability disclosure policies.

Friday, June 28, 2019

Threat Roundup for June 21 to June 28


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 21 and June 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 27, 2019

Welcome Spelevo: New exploit kit full of old tricks

Nick Biasini authored this post with contributions from Caitlyn Hammond.


Executive summary

Exploit kits are an ever-present and often forgotten threat on the landscape today. Their popularity seemed to peak several years ago with the success and eventual downfall of some of the best compromise platforms ever created, including the Angler Exploit Kit. These kits generated millions of dollars from their victims, and they are still effective. One of their biggest appeals today is that they remove any reliance on user assistance. Increasingly, the rest of the crimeware landscape needs the user's help to achieve infection, whether through blatant social engineering such as the ongoing sextortion campaigns or through the countless malspam messages traversing the globe daily. That is where exploit kits stand alone: an effective web-based platform for compromise that only requires users to surf the internet.

Today, Cisco Talos is unveiling the details of a new exploit kit campaign that proves exploit kits are still a threat and should be taken seriously by defenders: Spelevo. This recent campaign leveraged a compromised business-to-business site to deliver Spelevo, one of the first new kits we've seen in months.

Spelevo illustrates many of the challenges associated with protecting against these threats and preventing their spread. In compromising this particular website, the attackers did little more than add four lines to the code rendering the webpage — but those four lines did a lot of damage and can compromise all visitors that have poor security hygiene. Even though Angler did make use of a zero-day in Adobe Flash Player years ago, exploit kits largely depend on existing, patched exploits. However, all it takes is one missed patch on one system to lead directly to compromise. That's why you need things like a thorough defense-in-depth approach with various technologies in place to help mitigate any residual risk that comes with running an enterprise.

Threat Source newsletter (June 27, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

You never want to fall behind on Beers with Talos. So make sure to listen to the latest episode on your commute home today. This episode — featuring special guest and Talos Threat Research Summit keynote speaker Liz Wharton — was recorded live in San Diego as part of Cisco Live. So yes, there’s audience participation, and no, you are not prepared for it.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, June 25, 2019

Beers with Talos Ep. #55: Live from San Diego!



Beers with Talos (BWT) Podcast Ep. #55 is now available. Download this episode and subscribe to Beers with Talos:


Recorded June 12, 2019 — God knows why, but we bring you another live episode from the Talos Threat Research Summit at Cisco Live U.S. in San Diego, California. We are joined by TTRS keynote speaker (as is tradition) Liz Wharton.

Catch the highlights of the show and stick around for hot takes from the live audience. Thanks to everyone who showed up to the recording, especially those brave enough to step up to the mic at the end.

This is our annual reminder of why we don’t do this more often. We think you'll whole-heartedly agree.

Friday, June 21, 2019

Threat Roundup for June 14 to June 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 14 and June 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 20, 2019

Threat Source newsletter (June 20, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This week, we disclosed two vulnerabilities in KCodes’ NetUSB kernel module that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Monday, June 17, 2019

Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers



Dave McDaniel of Cisco Talos discovered these vulnerabilities.

Executive summary

KCodes’ NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions.

The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos reached out to KCodes and NETGEAR regarding these vulnerabilities. KCodes provided a fix to NETGEAR, which is scheduled to release an update. Talos decided to release the details of these vulnerabilities after our 90-day deadline passed.

Friday, June 14, 2019

Threat Roundup for June 7 to June 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 07 and June 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, June 11, 2019

Microsoft Patch Tuesday — June 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 88 vulnerabilities, 18 of which are rated “critical," 69 that are considered "important" and one "moderate." This release also includes a critical advisory regarding security updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, the Jet database engine and Windows kernel. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Monday, June 10, 2019

How Cisco Talos helped Howard County recover from a call center attack


On Aug. 11, 2018, the 911 non-emergency call center in Howard County, Maryland was in crisis — not because of the types of calls flooding into dispatchers, but simply because of the sheer numbers. The center, which usually receives 300 to 400 calls a day, was now getting 2,500 in a 24-hour span. The center, which takes calls for everything from home security alarms going off to cats getting stuck in trees, was overwhelmed. What was going on?

James Cox, a network-server team manager for the Howard County government was tasked with answering that question. It turns out, a lone foreign actor created this crisis. “The phone system doesn’t care who you are,” Cox explained. “You hit that 10-digit number and the phone rings. There’s no check and there’s no balance.”

Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580


Jared Rittle of Cisco Talos discovered these vulnerabilities.

Executive summary

There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in UMAS requests made while operating the hardware.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers.

The sights and sounds from the Talos Threat Research Summit


More than 250 threat hunters, network defenders and analysts gathered ahead of Cisco Live for the second annual Talos Threat Research Summit on Sunday.

The conference by defenders, for defenders, returned this year after the inaugural event in 2018, this time to San Diego, where speakers passed on their knowledge of writing detection, stopping phishing attacks, responding to ransomware, and more.

Friday, June 7, 2019

Know before you go: Talos Threat Research Summit


We are now just 48 hours away from the second annual Talos Threat Research Summit. After last year's success in Orlando, we are back and better than ever from San Diego on Sunday.

If you plan on attending, here's what you need to know before Sunday morning. Can't make it out? You can still stream our keynote address from Elizabeth Wharton at 8:10 a.m. PT by following us on Twitter.

Threat Roundup for May 31 to June 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 31 and June 07. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 6, 2019

Threat Source newsletter (June 6)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope to see everyone this weekend at the Talos Threat Research Summit in San Diego (or throughout the week at Cisco Live). If you’re around, stop by the Talos booth on the Cisco Live floor — who knows, we may have some swag to give out! For those of you who are attending, brush up on the schedule here.

There’s been a lot of talk about a bug in Microsoft RDP that could leave systems open to a “wormable” attack. When Microsoft disclosed the vulnerability last month, there was little guidance on how to defend against an exploit. Now, we have a new method using Cisco Firepower to block any encrypted attacks attempting to use this vulnerability. This means that you’ll be able to protect against attacks that would otherwise go undetected.

This week, we also unveiled our research on Frankenstein, a new campaign that cobbles together several open-source techniques to infect users. While it’s been used in relatively low volume so far, because it is assembled from interchangeable open-source pieces, the attackers behind it can change it on the fly and evolve it over time.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, June 4, 2019

It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign

This blog was authored by Danny Adamitis, David Maynor and Kendall McKay.

Executive summary

Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the "Frankenstein" campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users' machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors' ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.

The campaign used components of:
  • An article to detect when your sample is being run in a VM
  • A GitHub project that leverages MSbuild to execute a PowerShell command
  • A component of GitHub project called "Fruityc2" to build a stager
  • A GitHub project called "PowerShell Empire" for their agents
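One of the four pieces is a project that uses MSBuild to run PowerShell. The usual way that is done is an inline task: a `UsingTask` element with `TaskFactory="CodeTaskFactory"` (or `RoslynCodeTaskFactory`) whose C# body is compiled and executed by MSBuild.exe itself, which then hosts PowerShell in-process. The triage script below is an added example, not code from the Talos post or from the GitHub project the campaign borrowed; it assumes that inline-task mechanism, its keyword list is a heuristic rather than a signature, and both project files are constructed.

```python
"""Triage an MSBuild project file for inline-code tasks that host PowerShell.

Added example, not code from the Talos post or from the GitHub project the
campaign borrowed. It assumes the "MSBuild to execute a PowerShell command"
component is an inline task (UsingTask with CodeTaskFactory or
RoslynCodeTaskFactory) whose C# body hosts PowerShell; the project files
below are constructed, and the keyword list is a heuristic, not a signature.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
SUSPICIOUS = [
    ("powershell_host", re.compile(r"System\.Management\.Automation|PowerShell\.Create|Runspace", re.I)),
    ("process_spawn", re.compile(r"Process\.Start|\bpowershell\.exe\b", re.I)),
    ("encoded_payload", re.compile(r"-enc(odedcommand)?\b|FromBase64String", re.I)),
    ("memory_exec", re.compile(r"VirtualAlloc|CreateThread|GetDelegateForFunctionPointer", re.I)),
]


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> List[Dict]:
    """Return one finding per UsingTask that carries inline source code."""
    root = ET.fromstring(project_xml)
    findings: List[Dict] = []
    for node in root.iter():
        if _local(node.tag) != "UsingTask":
            continue
        factory = node.get("TaskFactory", "")
        code_nodes = [c for c in node.iter() if _local(c.tag) == "Code"]
        if factory not in INLINE_FACTORIES and not code_nodes:
            continue  # ordinary UsingTask pointing at a compiled assembly
        code = "\n".join(c.text or "" for c in code_nodes)
        findings.append({
            "task": node.get("TaskName", "?"),
            "factory": factory,
            "flags": [name for name, pat in SUSPICIOUS if pat.search(code)],
            "code_bytes": len(code),
        })
    return findings


# Constructed project: an inline task that decodes and runs a PowerShell script.
SUSPICIOUS_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs"><![CDATA[
using System;
using System.Management.Automation;
using Microsoft.Build.Utilities;
public class Stage : Task {
    public override bool Execute() {
        string script = System.Text.Encoding.Unicode.GetString(
            Convert.FromBase64String("..."));  // payload elided in this constructed sample
        using (PowerShell ps = PowerShell.Create()) { ps.AddScript(script).Invoke(); }
        return true;
    }
}
]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

# Constructed project: a normal build with a UsingTask that references a compiled DLL.
BENIGN_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <UsingTask TaskName="MyCompiledTask" AssemblyFile="build\\Tasks.dll" />
  <Target Name="Build"><Csc Sources="@(Compile)" OutputAssembly="app.exe" /></Target>
</Project>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_PROJECT), ("benign", BENIGN_PROJECT)):
        print(label, find_inline_tasks(xml))
```

Because the C# is compiled at build time, the only artifacts on disk are the project file and MSBuild.exe's own process tree, so pair a file check like this with process telemetry: MSBuild.exe launched from a user-writable path, or by a document-handling application, with a project file that carries a `UsingTask` is the combination worth alerting on.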

Friday, May 31, 2019

Using Firepower to defend against encrypted RDP attacks like BlueKeep

This blog was authored by Brandon Stultz.

Microsoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Services (RDP). Identified as CVE-2019-0708 in May's Patch Tuesday, the vulnerability caught the attention of researchers and the media due to the fact that it was "wormable," meaning an attack exploiting this vulnerability could easily spread from one machine to another. This was discussed at length in episode 54 of our 'Beers with Talos' podcast.

Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos wrote and released coverage as soon as we were able to determine the vulnerability condition. SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability.

This rule prevents exploitation of CVE-2019-0708 by blocking any RDP connection that attempts to use the "MS_T120" virtual channel. The RDP protocol defines virtual channels that can be used to transfer different kinds of data (e.g. clipboard, audio, etc.). In addition to these client-specified channels, Microsoft creates the "MS_T120" channel in the Windows RDP system. Clients are not expected to create the "MS_T120" channel. A remote unauthenticated attacker can exploit CVE-2019-0708 by sending crafted data to this internal channel.
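The check the rule performs can be reproduced on the client's connection data directly. The client lists its static virtual channels in the clientNetworkData block (type 0xC003) of the GCC Conference Create Request carried in the MCS Connect Initial: a channel count followed by 12-byte entries of an 8-byte NUL-padded name and a 4-byte options field. The parser below is an added example, not Talos' Snort rule; it assumes the user-data blocks have already been unwrapped from TPKT/X.224/MCS and from any TLS layer, and both samples are constructed rather than captured.

```python
"""Flag RDP client connection data that requests the MS_T120 channel.

Added example, not Talos' Snort rule. The client announces its static
virtual channels in the clientNetworkData (CS_NET, 0xC003) user-data block
of the MCS Connect Initial / GCC Conference Create Request. This code
assumes the GCC user-data blocks have already been unwrapped from
TPKT/X.224/MCS and from any TLS layer; the samples below are constructed.
"""
import struct
from typing import List

CS_CORE = 0xC001
CS_NET = 0xC003
CHANNEL_DEF_SIZE = 12   # 8-byte name (NUL padded) + 4-byte options
MAX_CHANNELS = 31       # protocol limit on static virtual channels


def parse_client_network_channels(user_data: bytes) -> List[str]:
    """Walk the TLV user-data blocks and return the requested channel names."""
    names: List[str] = []
    off = 0
    while off + 4 <= len(user_data):
        block_type, block_len = struct.unpack_from("<HH", user_data, off)
        if block_len < 4 or off + block_len > len(user_data):
            raise ValueError(f"bad block length {block_len} at offset {off}")
        if block_type == CS_NET:
            body = user_data[off + 4 : off + block_len]
            if len(body) < 4:
                raise ValueError("truncated clientNetworkData")
            (count,) = struct.unpack_from("<I", body, 0)
            if count > MAX_CHANNELS or 4 + count * CHANNEL_DEF_SIZE > len(body):
                raise ValueError(f"channelCount {count} inconsistent with block size")
            for i in range(count):
                start = 4 + i * CHANNEL_DEF_SIZE
                raw_name = body[start : start + 8].split(b"\x00", 1)[0]
                names.append(raw_name.decode("ascii", errors="replace"))
        off += block_len
    return names


def requests_ms_t120(user_data: bytes) -> bool:
    """True if the client asks for the server-internal MS_T120 channel.

    The comparison is case-insensitive as a conservative choice, so a
    variant that only changes the case of the name is still flagged.
    """
    return any(name.upper() == "MS_T120" for name in parse_client_network_channels(user_data))


# --- constructed samples (not real captures) --------------------------------
def _block(block_type: int, body: bytes) -> bytes:
    return struct.pack("<HH", block_type, 4 + len(body)) + body


def _cs_net(channels) -> bytes:
    body = struct.pack("<I", len(channels))
    for name, options in channels:
        body += name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", options)
    return _block(CS_NET, body)


_CORE_STUB = _block(CS_CORE, b"\x04\x00\x08\x00" + b"\x00" * 20)  # version 8.4, rest zeroed

BENIGN_USER_DATA = _CORE_STUB + _cs_net([("rdpdr", 0x80800000), ("cliprdr", 0xC0A00000)])
EXPLOIT_USER_DATA = _CORE_STUB + _cs_net([("MS_T120", 0x80000000), ("rdpdr", 0x80800000)])

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_USER_DATA), ("exploit", EXPLOIT_USER_DATA)):
        print(label, parse_client_network_channels(data), "MS_T120:", requests_ms_t120(data))
```

Two practical caveats follow from where this data sits. First, the channel list arrives in the very first packets of the session, before any authentication, which is why the check can be enforced at the network edge. Second, when the client negotiates TLS or CredSSP during the X.224 connection request, the MCS Connect Initial and everything after it is encrypted, so a sensor can only apply this check if it terminates or decrypts the TLS session; that is the gap the Firepower approach in this post is meant to close.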

Threat Roundup for May 24 to May 31


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 24 and May 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 30, 2019

Threat Source newsletter (May 30)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Did you update all of your Microsoft products after Patch Tuesday earlier this month? If not, what are you waiting for? Listen to the latest Beers with Talos episode about why that’s stupid, and then immediately update.

Last week marked the one-year anniversary of VPNFilter. What has the security community learned since then? And how did this wide-reaching malware shape attacks since then? Find out in our blog post looking back on VPNFilter.

If you haven’t already, there’s still plenty of time to sign up for our upcoming spring Quarterly Threat Briefing. Talos researchers will be running down recent DNS manipulation-based attacks, and outlining why your organization needs to be worried about them.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

10 years of virtual dynamite: A high-level retrospective of ATM malware

Executive summary

It has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep, and analysis required specific knowledge of a manufacturer's ATM API functions and parameters, which were not publicly documented.

Before the discovery of Skimer, anti-malware researchers considered ATMs secure machines containing proprietary hardware, running non-standard operating systems, and implementing a number of advanced protection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices, such as a safe and card reader.

Over time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized that there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make malware that runs independently of the underlying hardware platform, as long as the ATM manufacturer supports the framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a legitimate bank card.

ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial benefits to attackers and, as a consequence, cause significant damage to targeted banks, financial institutions and end users.

Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we've seen during that time and attempt to find out if the different families share any code.

Wednesday, May 29, 2019

Beers with Talos Ep. #54: Patch after listening, RDP and wild 0-days



Beers with Talos (BWT) Podcast Ep. #54 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 24, 2019 — There is another Blue(X) to talk about and guess what? YES, YOU STILL NEED TO PATCH. We talk about RDP, the source of this vulnerability and whether or not exploits exist for it (hint: they do). There is a quick look back at last year on the anniversary of VPNFilter, and we also tackle zero-days again through the lens of Project Zero’s timeline of zero-days found in the wild.

Also, Craig hasn’t seen the end of "John Wick 3" yet, so feel free to tweet him spoilers. If you are in San Diego for Cisco Live two weeks from now, come find us to see a live recording of the podcast!

Friday, May 24, 2019

Threat Roundup for May 17 to May 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 17 and May 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 23, 2019

One year later: The VPNFilter catastrophe that wasn't


Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. The attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from broadcasting orders to compromised devices. The attacker lost control of the infected systems, and potential catastrophe was prevented.

This was a wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.

This is the story of VPNFilter, and the catastrophe that was averted.

Threat Source newsletter (May 23)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Election security is a touchy — and oftentimes depressing — topic of conversation. So why not let Beers with Talos bring some levity, and more importantly, expertise, to the conversation? The latest episode focuses solely on election security, as Matt Olney runs down what he’s learned recently from spending time with various governments.

On the research end of things, we released a post earlier this week outlining the details of a new campaign called “BlackWater” that we believe could be connected to the MuddyWater APT.

And since we know everyone was waiting on this, yes, there’s coverage for that wormable Microsoft bug everyone was talking about.

There was no Threat Roundup last week, but it’ll be back tomorrow.