Friday, December 6, 2019

Threat Roundup for November 29 to December 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 5, 2019

Threat Source newsletter (Dec. 5, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone had a safe and happy Thanksgiving in the U.S. The holiday shopping season is now in full swing, and there are plenty of deals to be had in stores and online. This also makes it a prime time for attackers to strike. For tips of how to stay safe when shopping this holiday season, check out our full blog post here.

This was also a busy week for vulnerabilities. We disclosed, and released protection, for bugs in the Forma learning management system, Accusoft ImageGear and EmbedThis’ GoAhead Web Server.

We also have a special surprise for you tomorrow. You’ll want to keep an eye on our blog, social media and your podcast feeds.

Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in a specific dll inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel
shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, December 3, 2019

ClamAV team shows off new Mussels dependency build automation tool


By Micah Snyder.

Today I'm very excited, and a little bit nervous, to unveil Mussels. Mussels is a cross-platform, general-purpose dependency build automation tool. You might compare it with Vcpkg, Conan, or Buildout. It serves a similar purpose, but the approach is a little different.

Mussels is intended to simplify the process of building complex applications that have lengthy dependency chains without having to write all new CMake, Meson, Bazel, XCode, or Visual Studio project files. Instead, you write (and share) simple recipes that leverage the original build systems intended by software authors of your external library dependencies.

For more on Mussels, and where to download it, read the complete post over at the ClamAV blog.

Monday, December 2, 2019

Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System


Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Formal Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Forma to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Accusoft ImageGear PNG IHDR width code execution vulnerability


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead


A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw. 

EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multi-part/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.

GoAhead Web Server is a popular embedded web server designed to be a fully customizable web application framework and server for embedded devices. It provides all the base HTTP server functionality and provides a highly customizable platform for developers of embedded web applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with EmbedThis to ensure that these issues are resolved and that an update is available for affected customers.

Monday, November 25, 2019

Best practices for staying safe online during the holiday shopping season


By Jon Munshaw.

This holiday shopping season, the basics of avoiding a malware infection boils down to: If it sounds too good to be true, it probably is.

While sometimes retailers do give out small-dollar gift cards, that $500 discount on a new iPhone is probably not real. If it is a scam, it will definitely not help you get your new iPhone 11 Pro Max.

With Black Friday and Cyber Monday, Talos researchers are hitting radio and television networks to alert customers of what to do to stay safe while shopping online. Common attack vectors this time of year include fake websites, coupons, invoices and more, all designed to get shoppers to click on malicious links that eventually lead to adversaries stealing login, banking or personal information.

Friday, November 22, 2019

Threat Roundup for November 15 to November 22

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 15 and Nov. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 21, 2019

Threat Source newsletter (Nov. 21, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s nearly holiday shopping season, which means it’s prime scam season. On the latest Beers with Talos episode, we run down the best ways to stay safe while shopping online and how to detect phony emails. It’s also election season, which makes for some good discussion.

And, as it’s time to look back on the year that was, we have a new feature from Talos Incident Response where we take a quarter-by-quarter look at the top threats we’ve seen in the wild. In Q4 of Cisco’s fiscal year, our IR analysts mainly saw ransomware and cryptocurrency miners.

IR also had another exciting announcement this week, with the unveiling of a new cyber range that can help train employees to avoid common scams that can lead to malware infection. The cyber range now comes with any IR retainer.

The Threat Source newsletter is getting a week off next week for the Thanksgiving holiday in the U.S., so we’ll talk to you again in December.

Vulnerability Spotlight: Tenda AC9 /goform/WanParameterSetting command injection vulnerability


Amit Raut of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered a command injection vulnerability in the Tenda AC9 router. The Tenda AC9 is one of the most popular and affordable dual-band gigabit WiFi Router available online, especially on Amazon. A command injection vulnerability exists in the
`/goform/WanParameterSetting` resource. A locally authenticated attacker can execute arbitrary commands to post parameters to execute commands on the router. The attacker can get reverse shell running as root using this command injection.

Cisco Talos is disclosing this vulnerability after Tenda failed to patch it per Cisco’s 90-day deadline. Read more about the Cisco vulnerability disclosure policy here.

Vulnerability Spotlight: Two remote code execution vulnerabilities in Xcftools


Claudio Bozzato of Cisco Talos discovered these vulnerabilities. 

Xcftools contains two remote code execution vulnerabilities in its flattenIncrementally function. Xcftools is a set of tools for handling Gimp’s XCF files. The software provides tools to extract information from an XCF file, and then converting XCF files into a PNG or PNM file. An attacker could exploit these bugs by tricking a user into opening a specially crafted XCF file.

Cisco Talos is disclosing these vulnerabilities after xcftools failed to patch them per Cisco’s 90-day deadline. Read more about the Cisco vulnerability disclosure policy here.

Wednesday, November 20, 2019

Beers with Talos Ep. #66: I Choose YOU! Attackers view of targets, RLAs, scam season

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 66 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Nov. 8, 2019 

Joel is out on PTO, so Mitch, Matt, Nigel, and Craig carry the banner this episode discussing how attackers approach targets like investors look at portfolios. We also talk about how the most recent off-cycle elections in the US give us a glimpse of improvements and changes in election security. Finally, we take a quick look at popular scams and how attackers use seasonality to increase the relevance of their scams for emotional responses.

Cryptominers, ransomware among top malware in IR engagements in Q4


By David Liebenberg and Kendall McKay.

This summer’s most popular malware families were common and used in unsophisticated attacks, with phishing being the top infection vector, according to Cisco Talos Incident Response (CTIR) data. In addition to threat actors repeatedly deploying common threats like ransomware as final payloads, we found that adversaries also leveraged similarly well-known open-source frameworks post-compromise to enable activities such as traversing victim networks, reaching out to command and control (C2) nodes, and exfiltrating data. These findings indicate that organizations across a variety of industry verticals continue to face challenges in defending against common threats and attack methods, most of which have the potential to cause critical damage if not detected and remediated quickly and effectively.

The discoveries outlined in this blog were observed during CTIR engagements between May and July, which corresponds to Cisco’s fourth quarter in fiscal year 2019. These reports, which we intend to publish quarterly, are intended to provide executives and network defenders with regular updates and analysis on the threat landscape.

Monday, November 18, 2019

How the new Talos IR Cyber Range can prepare your employees for a cyber attack

By Gerard Johansen, Charles Iszard and Luke DuCharme.

With the surge of ransomware attacks, information leaks and other cyber attacks in the headlines, most companies and organizations are aware that their employees need to be trained on how to stay safe online. But the real challenge lies in how to develop these pieces of training and tools in-house to build the necessary muscle memory to prevent and respond to an event.  Sending an analyst or two to a distant location for training depletes travel and training budgets, and when they return, there is little time to transfer this knowledge back to colleagues or managers.

Vendor-provided training focuses on the vendor’s proprietary technology and often neglects the concepts that need to be incorporated into an organization’s ability to respond.

To address these issues, Cisco Talos Incident Response (CTIR) created an interactive Cyber Range focused on Incident Response. This immersive experience is designed and delivered by incident response professionals for security professionals who need to increase their competency and muscle memory in incident response-related tasks.

Thursday, November 14, 2019

Threat Source newsletter (Nov. 14, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It was all about the bugs this week. Patch Tuesday was especially busy for us, including our usual recap of all the vulnerabilities Microsoft's security update this month (two of which we discovered). On top of that, we also disclosed a remote code execution vulnerability in some Intel graphics drivers and another in Exhibitor’s web user interface.

We also recently discovered a wave of actors using living-off-the-land binaries to keep their malware from being detected. We run through how to detect these so-called “LoLBins,” and walk through some campaigns where we’ve seen them being used in the wild.

And, as always, we have our latest Threat Roundup with runs through the top threats we’ve seen (and blocked) over the past week.

Custom dropper hide and seek

Executive summary

Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users' passwords, track their habits online and hijack personal information.

Cisco Talos has monitored adversaries which are behind a wave of ongoing campaigns dropping well-known information-stealer like Agent Tesla, Loki-bot and others since at least January 2019. The adversaries using custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.

The injection techniques we're seeing in the wild are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware. In this post, we'll walk through one of these campaigns in detail and how the different stages of the dropper hide the malware. Any internet user is a potential target of this malware, and if infected, has the potential to completely take away a user's online privacy.

Wednesday, November 13, 2019

Hunting for LoLBins


By Vanja Svajcer.

Introduction

Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or "LoLBins". LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

In this post, we will take a look at the use of LOLBins through the lense of Cisco's product telemetry. We'll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.

You'll also find an overview of a few recent campaigns we've seen using LoLBins, along with recommendations for how to detect malicious LoLBins' activities.

Vulnerability Spotlight: Command injection bug in Exhibitor UI


Logan Sanderson of Cisco ASIG discovered this vulnerability. Blog by Jon Munshaw.

Exhibitor Web UI contains an exploitable command injection vulnerability in its Config editor. Exhibitor is a ZooKeeper supervisory process. Exhibitor's Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper. This could eventually allow an attacker to manipulate Exhibitor when launching ZooKeeper.

Per Cisco's vulnerability disclosure policy, we are publishing the details of this vulnerability without a patch from Exhibitor after a set deadline.

Vulnerability Spotlight: Denial-of-service vulnerability in Intel IGC64 graphics driver


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Intel’s IGC64.dll graphics driver contains a denial-of-service vulnerability. An attacker could exploit this bug by supplying a malformed pixel shader if the graphics driver is operating inside a VMware guest operating system. This type of attack can be triggered from VMware guest usermode to cause a denial-of-service attack due to an out-of-bounds read in the driver.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Intel to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, November 12, 2019

Microsoft Patch Tuesday — Nov. 2019: Vulnerability disclosures and Snort coverage












By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered "critical," with the rest being deemed "important."

This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448 —a remote code execution vulnerability in Microsoft Excel. For more on this bug, read our full Vulnerability Spotlight here. We are also disclosing a remote code execution vulnerability in Microsoft Media Foundation.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Vulnerability Spotlight: Remote code execution vulnerability in Microsoft Media Foundation


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation’s framework contains a remote code execution vulnerability that exists due to a use-after-free condition. This specific bug lies in Media Foundation's MPEG4 DLL. An attacker could provide a user with a specially crafted QuickTime file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates here, and see the Snort rules that provide coverage here.
Microsoft released, read Talos’ full blog

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Remote code execution vulnerability in Microsoft Excel


Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a remote code execution vulnerability in Microsoft Excel. Microsoft disclosed this bug as part of their monthly security update Tuesday. This vulnerability exists in the component responsible for handling the “MicrosoftÆ Office HTML and XML” format introduced in Microsoft Office 2000. A specially crafted XLS file could lead to a user-after-free vulnerability and remote code execution. Microsoft released a patch for this vulnerability in this month's Patch Tuesday security update, which you can read more about here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

New partnership brings together Talos’ visibility with IR’s unmatched response capabilities


By Jon Munshaw.

The threat landscape has evolved into a complex, challenging environment for organizations everywhere. A talent shortage, combined with an increase in incidents, has led to a generally weak security posture among most organizations. Defenders’ backs are up against the wall. Organizations around the world now realize that sitting back and waiting for an alert or receiving information from law enforcement about an incident in their environment brings stiff fines, increased scrutiny, lost intellectual property, data privacy concerns and lost business.

Cisco Talos announced last week that it is bringing Cisco Incident Response into the Talos family. With this new partnership, Cisco Talos Incident Response hopes to use Talos’ actionable intelligence and unprecedented visibility to assist defenders to answer threats faster.

Friday, November 8, 2019

Threat Roundup for November 1 to November 8

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 7, 2019

Threat Source newsletter (Nov. 7, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

The only news we’re going to cover this week is the biggest news we’ve had in a while. Tuesday, we announced that Cisco Incident Response was becoming part of the Talos family. We’ve been working together for years, but now we’ll be closer than ever, so Incident Response can benefit from Talos’ intelligence, while their boots-on-the-ground experience will only add to Talos’ portfolio.

Check out our announcement blog post for more information. The Talos Incident Response at-a-glance also provides an overview of the services IR provides. And the new IR page on TalosIntelligence.com gives you an easy way to contact IR, should you need their services.

We also have a special edition of the Beers with Talos podcast, where Amy Henderson of Talos’ Threat Interdiction team joins us to talk about the benefits of this new relationship.

Wednesday, November 6, 2019

Vulnerability Spotlight: Code execution vulnerabilities in LEADTOOLS


Marcin Towalski and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building
applications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the execution of code remotely.

In accordance with our coordinated disclosure policy, Cisco Talos worked with LEAD Technologies to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, November 5, 2019

Talos, Cisco Incident Response team up to offer more protection than ever












By Sean Mason

Over the years, I've had the honor and privilege to work within some of the greatest security teams on the planet, working alongside such passionate and talented people at Cisco makes delivering this announcement perhaps the greatest honor yet.

The best security organizations on the planet excel at preventing, defending, and responding, which boils down to one key aspect – an intelligence-driven approach to security.

Several years ago, Cisco Talos intelligence started to support Cisco’s Incident Response Services group, with IR feeding highly contextualized data back into the Talos Detection and Response efforts. This was key to building a market-leading, albeit standalone, incident response service offering at Cisco.

Today, we are excited to announce the next step in the evolving relationship between intelligence, research, and IR – Cisco Talos Incident Response.

Beers with Talos Ep. #65: Please welcome to the show… Talos Incident Response

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 65 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Oct. 25, 2019 

Today is a bit different. We normally keep things pretty neutral on this show (not really), but today is all about the new service Talos is launching: Say hello to Talos Incident Response. Amy Henderson from the Talos Intel and Interdiction group joins us as we discuss the full circle of threat intelligence — from global visibility to hyper-local context, and how IR allows those to feed into each other. Listen to the announcement as we discuss what IR is, what it means in general, and what Talos brings to that equation. We hope you are half as excited as we are because that is still pretty dang excited. Lastly, Craig isn’t with us today, but you get to decide his fate for being dishonest with you, dear listeners. We will give you justice.

How adversaries use politics for compromise


By Nick Biasini and Edmund Brumaghin.


Executive Summary


With the U.S. presidential primaries just around the corner, even malware authors can't help but get behind the frenzy. Cisco Talos recently discovered several malware distribution campaigns where the adversaries were utilizing the names and likenesses of several prominent political figures, chief among them U.S. President Donald Trump. We discovered a series of ransomware, screenlockers, remote access trojans (RATs) and other malicious applications that play off of Trump's likeness, as well as former presidential candidate Hillary Clinton.

Some of the applications are designed to coerce victims into paying ransom demands, while others could be used to gain backdoor access to systems and provide attackers the ability to operate within organizational networks. In many cases, it is clear that the authors of these applications were motivated by their political beliefs, which were reflected in the software that they created. In this post, we'll analyze several of these examples and provide a look at the types of malware they deployed.

There is a wide array of threats that adversaries are willing to deliver through any means necessary, including leveraging political themes and overtones. This is one of the reasons why organizations need to be diligent in protecting their environments through various technologies, applying best practices, and taking a thorough defense-in-depth approach when implementing various security controls. Additionally, ensure you have an employee information security education program that exposes users to the variety of lures that can be leveraged by adversaries to deliver these threats.

Monday, November 4, 2019

C2 With It All: From Ransomware To Carding


By Warren Mercer, Paul Rascagneres and Vitor Ventura.

Summary


Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims' infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.

We found a great variety of malicious files on this server, ranging from ransomware like the DoppelPaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2)

The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.

The latest on BlueKeep and DejaBlue vulnerabilities — Using Firepower to defend against encrypted DejaBlue

Update (11/04/2019):

There have been several public reports of active exploitation of CVE-2019-0708, commonly referred to as “BlueKeep.” Preliminary reports indicate that the vulnerability is being exploited by adversaries who are leveraging access to compromised systems to install cryptocurrency mining malware. At this time, there has been no evidence to suggest that the exploitation is due to the emergence of a new worm, and it is likely being done as part of a mass exploitation campaign, similar to what we have seen in previous instances of mass exploitation campaigns. Existing coverage for BlueKeep continues to be an effective way to mitigate possible exploitation attempts. For additional information related to protecting against attacks leveraging BlueKeep, please refer to the blog posts here.

Note: This post was originally published on 09/03/2019.

This blog was authored by Brandon Stultz, Holger Unterbrink and Edmund Brumaghin.

Executive summary


Over the past few months, Microsoft has released several security updates for critical Remote Desktop Protocol (RDP)-related security bugs. These bugs are significant for IT infrastructure because they are classified as "wormable," meaning future malware that exploits them could spread from system to system without requiring explicit user interaction. These vulnerabilities could be exploited by an attacker sending a specially crafted request to the target system's Remote Desktop Service via RDP. We have seen how destructive these kinds of attacks can be, most notably WannaCry. We highly recommend organizations immediately apply Microsoft's patches. Cisco Talos released detection coverage for CVE-2019-0708 and also enhanced guidance to help organizations facilitate inspection of RDP sessions here. Microsoft published additional security updates last month to mitigate two additional remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, affecting several versions of Microsoft Windows. These bugs are referred to as "DejaBlue" due to their similarities to BlueKeep.

Once again, Cisco Talos started working immediately to reverse-engineer the RCE vulnerabilities. Protections for both CVE-2019-1181 and CVE-2019-1182 now exist to keep your systems secure. SID 51369 for SNORT® correctly blocks exploitation of CVE-2019-1181 and CVE-2019-1182. In this post, we'll run through the details of how to protect against this "DejaBlue" exploit and walk through the steps to protect your environment.

Vulnerability Spotlight: Two remote code execution vulnerabilities in Investintech Able2Extract


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered two remote code execution vulnerabilities in Investintech’s Able2Extract Professional. This software is a cross-platform PDF tool for Windows, Mac and Linux that converts PDFs and allows users to create and edit them. Other features include PDF signing, redactions and annotations. An attacker could exploit these vulnerabilities to execute arbitrary code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Investintech to ensure that these issues are resolved and that updates are available for affected customers on various operating systems.

Friday, November 1, 2019

Threat Roundup for October 25 to November 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 25 and Nov. 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.