Friday, March 22, 2019

Threat Roundup for March 15 to March 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 15 and March 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 22)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Wednesday, March 20, 2019

Ransomware or Wiper? LockerGoga Straddles the Line

Executive Summary

Ransomware attacks have been in the news with increased frequency over the past few years. This type of malware can be extremely disruptive and even cause operational impacts in critical systems that may be infected. LockerGoga is yet another example of this sort of malware. It is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals. Cisco Talos has also seen wiper malware impersonate ransomware, such as the NotPetya attack.

Earlier versions of LockerGoga leverage an encryption process to remove the victim's ability to access files and other data that may be stored on infected systems. A ransom note is then presented to the victim that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted. Some of the later versions of LockerGoga, while still employing the same encryption, have also been observed forcibly logging the victim off of the infected systems and removing their ability to log back in to the system following the encryption process. The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands. These later versions of LockerGoga could then be described as destructive.

While the initial infection vector associated with LockerGoga is currently unknown, attackers can use a wide variety of techniques to gain network access, including exploiting unpatched vulnerabilities and phishing user credentials. Expanding initial access into widespread control of the network is facilitated by similar techniques with stolen user credentials being an especially lucrative vector to facilitate lateral movement. For example, the actors behind the SamSam attacks leveraged vulnerable servers exposed to the internet as their means of obtaining initial access to environments they were targeting.

Beers with Talos Ep. #49: POS Malware, RSA Highlights, and SOL OpSec Fails



Beers with Talos (BWT) Podcast Ep. #49 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 15, 2019. We recorded this after coming back from RSA, with some on-location highlights included. This episode opens a bit more thought-provoking than we typically do, and we move toward discussing point-of-sale malware like Glitch. After the RSA highlights, we discuss OpSec fails, and Nigel becomes a Burning Man convert after learning there are people there on drugs with rockets that he watches for fun.

Tuesday, March 19, 2019

Vulnerability Spotlight: Multiple Vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud


Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

Executive summary


CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CUJO AI to ensure that these issues are resolved and that a firmware update is available for affected customers. In most typical scenarios the firmware update process is handled by CUJO AI, allowing this update to be deployed to affected customers automatically. Given that these devices are typically deployed to provide protection for networked environments, it is recommended that affected users confirm their devices have been updated as soon as possible to ensure that the devices are no longer affected by these vulnerabilities.

Monday, March 18, 2019

IPv6 unmasking via UPnP


Martin Zeiser and Aleksandar Nikolich authored this post.


Executive summary


With tools such as ZMap and Masscan, and with higher bandwidth generally available, exhaustive internet-wide scans of the full IPv4 address space have become the norm where they were once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.

Friday, March 15, 2019

Threat Roundup for March 8 to March 15


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 08 and March 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 15)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Wednesday, March 13, 2019

GlitchPOS: New PoS malware for sale



Warren Mercer and Paul Rascagneres authored this post with contributions from Ben Baker.

Executive summary


Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately using that information for financial gain. This type of malware is generally deployed on retailers' websites and at retail point-of-sale locations with the goal of tracking customers' payment information. If attackers successfully obtain credit card details, they can either sell that information or use the credit card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often overlooked when networks are segregated and can represent a soft target for attackers. Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum. Our researchers also discovered the payloads associated with the malware, its infrastructure and its control panel. We assess with high confidence that this is not the first malware developed by this actor. A few years ago, they were also pushing the DiamondFox L!NK botnet. Known as "GlitchPOS," this malware is also being distributed on alternative websites at a higher price than the original.

The actor behind this malware created a video, which we embedded below, showing how easy it is to use it. This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet.

Tuesday, March 12, 2019

Microsoft Patch Tuesday — March 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories — one covering security updates to Adobe Flash Player and another concerning SHA-2.

This month’s security update covers security issues in a variety of Microsoft’s products, including the VBScript scripting engine, Dynamic Host Configuration Protocol and the Chakra scripting engine. For coverage of these vulnerabilities, read the SNORTⓇ blog post here.

Vulnerability Spotlight: Privilege escalation bug in CleanMyMac X's helper service


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive summary

CleanMyMac X contains a privilege escalation vulnerability in its helper service due to improper updating. The application fails to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. CleanMyMac X is an all-in-one cleaning tool for Macs from MacPaw. The application scans through the system and user directories looking for unused and leftover files and applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.

Friday, March 8, 2019

The sights and sounds of Cisco Talos at RSA 2019


An estimated 45,000 people attended this year’s RSA Conference in San Francisco to hear talks from some of the greatest minds in security.

As always, Cisco and Talos had a massive presence at the conference, topping off the week with a keynote address featuring Matt Watchinski, the vice president of Cisco Talos, and Liz Centoni, a senior vice president and general manager of Cisco’s Internet-of-things business group.

Blue and orange Snorts could be seen all over the conference floor, and our researchers spent the past few days speaking at the Cisco Security booth, discussing some of the latest and most pressing threats.

Threat Roundup for Mar. 1 to Mar. 8

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 1 and March 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 8)



Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Thursday, March 7, 2019

Vulnerability Spotlight: Multiple local vulnerabilities in Pixar Renderman


Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary

The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root.

Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the `Dispatch` function of this helper tool.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Pixar to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, March 5, 2019

Cisco, Talos tout importance of IoT security at RSA keynote

Matt Watchinski, the vice president of Cisco Talos, delivers a keynote address at the RSA Conference in San Francisco on Tuesday.

By Jonathan Munshaw of Cisco Talos and Liza Meak of The Network, Cisco’s technology news site.

By 2020, Gartner predicts 20 billion connected devices will be online — and more devices mean more security threats. Connected devices have exploded into the public and corporate landscape, rattling the bars of the cyber security cage.

In a keynote address at the RSA Conference in San Francisco, Matt Watchinski, the vice president of Cisco Talos, said the growing prevalence of these devices has made protecting them from attackers an urgent priority. Liz Centoni, the senior vice president of Cisco’s IoT (internet-of-things) Business Group, presented along with Watchinski.

Beers with Talos Ep. #48: Loaders or trojans, plus an RSA preview

Beers with Talos (BWT) Podcast Ep. #48 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.

March 1, 2019 - This is a super short episode. We are trying to get it out in time for RSA and Matt is MIA today. We are covering the basics of loaders (and the difference between loaders and trojans). We also talk about some RSA activities we have coming up this week at the conference out in San Francisco.

Friday, March 1, 2019

Threat Roundup for Feb. 22 to March 1


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 22 and March 01. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Cyber Security Week in Review (March 1)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.