Wednesday, January 30, 2019

Fake Cisco Job Posting Targets Korean Candidates


Edmund Brumaghin and Paul Rascagneres authored this post, with contributions from Jungsoo An.

Executive summary


Cisco Talos recently observed a targeted malware campaign being leveraged in an attempt to compromise specific organizations. The infection vector associated with this campaign was a Microsoft Word document that was disguised as a job posting for Cisco Korea, and leveraged legitimate content available as part of job postings on various websites. EST Security also described this campaign in a blog post this week. This malicious Office document appears to have been the initial portion of what was designed to be a multi-stage infection process.

During our analysis of this campaign, we located additional samples that we believe are linked to multiple previous campaigns associated with the same threat actor. Each of the campaigns leveraged malicious documents and initial stage payloads that all featured similar tactics, techniques, and procedures (TTP). Due to the targeted nature of this campaign, the lack of widespread indicator of compromise data, and the apparent nature of the targeting, this appears to be associated with a sophisticated attacker. This sort of attack has become more common as threat actors continue to target users to gain an initial foothold in environments. Organizations are encouraged to employ a defense-in-depth approach to security and disallow the execution of macros where possible.

Vulnerability Spotlight: Multiple vulnerabilities in ACD Systems Canvas Draw 5


Tyler Bohan of Cisco Talos discovered these vulnerabilities. Vanja Svajcer authored this blog post.

Cisco Talos is disclosing several vulnerabilities in ACD Systems' Canvas Draw 5, a graphics-editing tool for Mac. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format that's used in Canvas Draw. PCX was a popular image format with early computers, and although it's been replaced by more sophisticated formats, it is still in use and fully supported by Canvas Draw.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ACD Systems to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, January 29, 2019

Vulnerability Spotlight: Multiple vulnerabilities in coTURN


Nicolas Edet of Cisco discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing three vulnerabilities in coTURN. coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose networking traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable from the internet — to provide firewall traversal solutions.

In accordance with our coordinated disclosure policy, Cisco Talos worked with coTURN to ensure that these issues are resolved and that an update is available for affected customers.

Monday, January 28, 2019

Vulnerability Spotlight: Python.org certificate parsing denial-of-service


Colin Read and Nicolas Edet of Cisco Talos discovered these vulnerabilities.

Executive summary

Python.org contains an exploitable denial-of-service vulnerability in its X509 certificate parser. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. Python can crash if getpeercert() is called on a TLS connection, which uses a certificate with invalid DistributionPoint in its extension.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Python to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Multiple WIBU SYSTEMS WubiKey vulnerabilities


Marcin "Icewall" Noga of Cisco Talos discovered these vulnerabilities.

Executive Summary


Cisco Talos discovered two vulnerabilities that could allow remote code execution and memory disclosure at the kernel level in WIBU-SYSTEMS WibuKey. WibuKey is a USB key designed to protect software and intellectual properties. It allows the users to manage software license via USB key. A third vulnerability is located in userland and can be triggered remotely, as it's located in the network manager.

In accordance with our coordinated disclosure policy, Talos worked with WIBU SYSTEMS to ensure that these issues are resolved and that an update is available for affected customers.

Friday, January 25, 2019

Threat Roundup for Jan. 18 to Jan. 25


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 18 and Jan. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 24, 2019

Cisco AMP tracks new campaign that delivers Ursnif

This blog post was authored by John Arneson of Cisco Talos

Executive Summary

Cisco Talos once again spotted the Ursnif malware in the wild. We tracked this information stealer after Cisco's Advanced Malware Protection (AMP) Exploit Prevention engine alerted us to these Ursnif infections. Thanks to AMP, we were able to prevent Ursnif from infecting any of its targets. The alert piqued our curiosity, so we began to dig a bit deeper and provide some recent IoCs related to this threat, which traditionally attempts to steal users' banking login credentials and other login information. Talos has covered Ursnif in the past, as it is one of the most popular malware that attackers have deployed recently. In April, we detected that Ursnif was being delivered via malicious emails along with the IceID banking trojan.

Tuesday, January 22, 2019

Beers with Talos Ep. #45: SoHo attacks, IoT devices, and the cesspool setting



Beers with Talos (BWT) Podcast Ep. #45 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #45 show notes: 

Recorded Jan. 18, 2019

We have an extended roundtable today (even more than usual) because we accidentally discussed some relevant security topics in the meantime. Eventually, we move on to talk about recent releases, primarily the PyLocky decryptor and more internet-of-things vulnerabilities. We move on to discuss what’s going on in the small and home office device space, with some specific advice and a lot of rage. This episode closes out discussing the release of a new plugin for IDA called "Dynamic Data Resolver" (download available) and reminding everyone of the TTRS CFP (closing soon!) here.

Friday, January 18, 2019

Threat Roundup for Jan. 11 to Jan. 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 11 and Jan. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 17, 2019

What we learned by unpacking a recent wave of Imminent RAT infections using AMP

This blog post was authored by Chris Marczewski

Cisco Talos has been tracking a series of Imminent RAT infections for the past two months following reported data from Cisco Advanced Malware Protection's (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but an initial analysis showed a strong indication that stages exist before the deployment of the RAT. Surprisingly, the recovered samples showed no sign of Imminent RAT, but instead a commercial grade packer.

This was a series of attacks engineered to evade detection and frustrate analysis. From the outside, we have a commercially available, yet affordable packer called "Obsidium" that has been used in the past to protect the intellectual property of some legitimate software vendors. The payload results in a RAT called Imminent that has also been used previously for legitimate purposes. Imminent is a commercially available RAT that retails for $25 to $100, depending upon the size of the customer's expected user base. While it is not intended for malicious use, in this case, its detection suggested otherwise.

Although a Potentially Unwanted Application (PUA) detection approach could suffice, not everyone enables blocking of PUAs. We have other technologies in place, such as the Exploit Prevention engine, that are well-suited to detect such threats. We hope that after reading this research, you'll have a better understanding of not only what it takes to investigate an attack using a complex packer, but also how AMP is equipped to stop such attacks that planned on successfully evading static detection or thwarting the benefits of dynamic analysis from a malware sandbox.

Cisco Talos' new reputation dispute system

We know users have been waiting for this feature for a while, and we are here to say: It’s ready.  Cisco Talos’ new reputation system rolled out Jan. 14 on TalosIntelligence.com. We have been working on this change since the rollout was initially announced this past summer.

Beers with Talos EP44: Fun with 2018’s Worst and Talks We Want to Hear



Beers with Talos (BWT) Podcast Ep. #44 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #44 show notes: 

Recorded Jan. 7, 2019

Most of the episode (after an extended roundtable — we all had a lot to get out after time off), we look back at the 2018 Malware Year in Review, including Olympic Destroyer, VPNFilter, MDM and other unique, large-scale, or otherwise interesting bits of malware that Talos encountered. We also discuss the things we would love to see conference talks about in the new year. Of course, we use that to announce the CFP for Talos Threat Research Summit 2019. If you do defense and want to talk to other defenders, make sure to submit before Jan. 25 here.

Wednesday, January 16, 2019

Dynamic Data Resolver (DDR) - IDA Plugin


This blog post was authored by Holger Unterbrink


Executive Summary

Static reverse-engineering in IDA can often be problematic. Certain values are calculated at run time, which makes it difficult to understand what a certain basic block is doing. But, if you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect it and start behaving differently. Cisco Talos is here with Dynamic Data Resolver (DDR) a new plugin for IDA that aims to make the reverse-engineering of malware easier.

Tuesday, January 15, 2019

Emotet re-emerges after the holidays

While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. Cisco Talos recently discovered several new campaigns distributing the infamous banking trojan via email. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet.

This latest strain has also gained the ability to check if the infected IP where the malicious email is being sent from is already blacklisted on a spam list. This could allow attackers to deliver more emails to users' inboxes without any pushback from spam filters.

Vulnerability Deep Dive: TP-Link TL-R600VPN remote code execution vulnerabilities

Vulnerability discovery and research by Jared Rittle and Carl Hurd of Cisco Talos.


Introduction


TP-Link recently patched three vulnerabilities in their TL-R600VPN gigabit broadband VPN router, firmware version 1.3.0. Cisco Talos publicly disclosed these issues after working with TP-Link to ensure that a patch was available. Now that a fix is out there, we want to take the time to dive into the inner workings of these vulnerabilities and show the approach we took with our proof-of-concept code.

Background


The TP-Link TL-R600VPN is a five-port small office/home office (SOHO) router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. Except for a few proprietary instructions for handling unaligned load and store operations, these two instruction sets are essentially the same. The instructions that are not included in Lexra are LWL, SWL, LWR, and SWR. These proprietary instructions are often used when compiling a program for the more common MIPS-1 architecture and cause a segfault when encountered in Lexra. The knowledge of this key difference is imperative to assembling working code for the target.

For more information about Lexra MIPS and its differences with the MIPS-1 architecture, refer to 'The Lexra Story' and the MIPS-1 patent filing.

Thursday, January 10, 2019

Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor

This tool was developed by Mike Bautista.


PyLocky is a family of ransomware written in Python that attempts to masquerade as a Locky variant. This ransomware will encrypt all files on a victim machine before demanding that the user pay a ransom to gain access to their decrypted files. To combat this ransomware, Cisco Talos is releasing a free decryption tool. Because our tool requires the capturing of the initial PyLocky command and control (C2) traffic of an infected machine, it will only work to recover the files on an infected machine where network traffic has been monitored. If the initial C2 traffic has not been captured, our decryption tool will not be able to recover files on an infected machine. This is because the initial callout is used by the malware to send the C2 servers information that it uses in the encryption process.

Wednesday, January 9, 2019

Why we want users' feedback on Snort rule documentation

Today, Talos is launching a new community survey to solicit feedback on SNORTⓇ documentation.

When Snort alerts the end user, the rule documentation is their first and possibly only avenue to find information on malicious traffic in their network. We know this can be better, and we want your help in determining what we can do to make Snort users more knowledgable and provide them more information.

Tuesday, January 8, 2019

Microsoft Patch Tuesday — January 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Jet Database Engine, Office SharePoint and the Chakra Scripting Engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Vulnerability Spotlight: Multiple Apple IntelHD5000 privilege escalation vulnerabilities


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive Summary

A memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of Apple OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.

Wednesday, January 2, 2019

Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X



Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary


Today, Cisco Talos is disclosing several vulnerabilities in MacPaw’s CleanMyMac X software. CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them. In all of these bugs, an attacker with local access to the victim machine could modify the file system as root.

In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.