Friday, May 31, 2019

Using Firepower to defend against encrypted RDP attacks like BlueKeep

This blog was authored by Brandon Stultz
Microsoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Protocol Services (RDP). Identified as CVE-2019-0708 in May's Patch Tuesday, the vulnerability caught the attention of researchers and the media due to the fact that it was "wormable," meaning an attack exploiting this vulnerability could easily spread from one machine to another. This was discussed at length in episode 54 of our 'Beers with Talos' podcast.

Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos wrote and released coverage as soon as we were able to determine the vulnerability condition. SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability.

This rule prevents exploitation of CVE-2019-0708 by blocking any RDP connection that attempts to use the "MS_T120" virtual channel. The RDP protocol defines virtual channels that can be used to transfer different kinds of data (e.g. clipboard, audio, etc.). In addition to these client-specified channels, Microsoft creates the "MS_T120" channel in the Windows RDP system. Clients are not expected to create the "MS_T120" channel. A remote unauthenticated attacker can exploit CVE-2019-0708 by sending crafted data to this internal channel.
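As an added illustration of the check described above (this is not Talos' rule 50137 or any Talos code), the following Python parses the Client Network Data block that an RDP client sends in its connection request and flags a request for the "MS_T120" channel. The block layout is the TS_UD_CS_NET structure from Microsoft's MS-RDPBCGR specification; the sample requests are constructed, not captured traffic.

```python
"""Detect an RDP client that requests the internal "MS_T120" virtual channel.

Parses the Client Network Data block (TS_UD_CS_NET, type 0xC003) carried in
the GCC Conference Create Request of the MCS Connect Initial PDU
(MS-RDPBCGR 2.2.1.3.4). Layout assumed here, per that spec:

    header:           type (uint16 LE), length (uint16 LE, includes header)
    channelCount:     uint32 LE
    channelDefArray:  channelCount x (name[8] ANSI, null padded; options uint32 LE)
"""
import struct

CS_CORE = 0xC001  # other user-data blocks are skipped, not parsed
CS_NET = 0xC003
INTERNAL_CHANNEL = "MS_T120"


def iter_user_data_blocks(data: bytes):
    """Yield (type, payload) for each TS_UD_HEADER-prefixed block in data."""
    off = 0
    while off + 4 <= len(data):
        btype, blen = struct.unpack_from("<HH", data, off)
        # A length below the header size would loop forever; a length past
        # the end of the buffer means a truncated or malformed request.
        if blen < 4 or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        yield btype, data[off + 4: off + blen]
        off += blen


def parse_cs_net(payload: bytes):
    """Return the channel names declared in a CS_NET payload (header stripped)."""
    if len(payload) < 4:
        raise ValueError("CS_NET payload too short for channelCount")
    (count,) = struct.unpack_from("<I", payload, 0)
    if 4 + count * 12 > len(payload):
        raise ValueError(f"CS_NET declares {count} channels, payload too short")
    names = []
    for i in range(count):
        raw = payload[4 + i * 12: 4 + i * 12 + 8]
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", errors="replace"))
    return names


def requested_channels(user_data: bytes):
    """All static virtual channel names the client asks for."""
    names = []
    for btype, payload in iter_user_data_blocks(user_data):
        if btype == CS_NET:
            names.extend(parse_cs_net(payload))
    return names


def requests_ms_t120(user_data: bytes) -> bool:
    """True if the client asks for MS_T120 (compared case-insensitively,
    since a client is never expected to create that channel at all)."""
    return any(n.upper() == INTERNAL_CHANNEL for n in requested_channels(user_data))


def build_cs_net(channel_names):
    """Constructed helper: encode a CS_CORE placeholder plus a CS_NET block."""
    core = struct.pack("<HH", CS_CORE, 8) + b"\x00" * 4
    body = struct.pack("<I", len(channel_names))
    for name in channel_names:
        body += name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0)
    return core + struct.pack("<HH", CS_NET, 4 + len(body)) + body


# Constructed sample requests (not captured traffic).
BENIGN = build_cs_net(["cliprdr", "rdpsnd"])
SUSPECT = build_cs_net(["cliprdr", "MS_T120"])

if __name__ == "__main__":
    print("benign :", requested_channels(BENIGN), requests_ms_t120(BENIGN))
    print("suspect:", requested_channels(SUSPECT), requests_ms_t120(SUSPECT))
```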

Threat Roundup for May 24 to May 31


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 24 and May 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 30, 2019

Threat Source newsletter (May 30)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Did you update all of your Microsoft products after Patch Tuesday earlier this month? If not, what are you waiting for? Listen to the latest Beers with Talos episode about why that’s stupid, and then immediately update.

Last week marked the one-year anniversary of VPNFilter. What has the security community learned since then? And how did this wide-reaching malware shape attacks since then? Find out in our blog post looking back on VPNFilter.

If you haven’t already, there’s still plenty of time to sign up for our upcoming spring Quarterly Threat Briefing. Talos researchers will be running down recent DNS manipulation-based attacks, and outline why your organization needs to be worried about them.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

10 years of virtual dynamite: A high-level retrospective of ATM malware

Executive summary

It has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep, and analysis required specific knowledge of a manufacturer's ATM API functions and parameters, which were not publicly documented.

Before the discovery of Skimer, anti-malware researchers considered ATMs secure machines containing proprietary hardware, running non-standard operating systems, and implementing a number of advanced protection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices, such as a safe and card reader.

Over time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized that there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make malware that runs independent of the underlying hardware platform, as long as the ATM manufacturer supports the framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a legitimate bank card.

ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial benefits to attackers and, as a consequence, cause significant damage to targeted banks, financial institutions and end users.

Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we've seen during that time and attempt to find out if the different families share any code.

Wednesday, May 29, 2019

Beers with Talos Ep. #54: Patch after listening, RDP and wild 0-days

Beers with Talos (BWT) Podcast Ep. #54 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 24, 2019 — There is another Blue(X) to talk about and guess what? YES, YOU STILL NEED TO PATCH. We talk about RDP, the source of this vulnerability and whether or not exploits exist for it (hint: they do). There is a quick look back at last year on the anniversary of VPNFilter, and we also tackle zero-days again through the lens of Project Zero’s timeline of zero-days found in the wild.

Also, Craig hasn’t seen the end of "John Wick 3" yet, so feel free to tweet him spoilers. If you are in San Diego for Cisco Live two weeks from now, come find us to see a live recording of the podcast!

Friday, May 24, 2019

Threat Roundup for May 17 to May 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 17 and May 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 23, 2019

One year later: The VPNFilter catastrophe that wasn't


Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. The attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from broadcasting orders to compromised devices. The attacker lost control of the infected systems, and potential catastrophe was prevented.

This was a wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.

This is the story of VPNFilter, and the catastrophe that was averted.

Threat Source newsletter (May 23)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Election security is a touchy — and oftentimes depressing — topic of conversation. So why not let Beer with Talos bring some levity, and more importantly, expertise, to the conversation? The latest episode focuses solely on election security, as Matt Olney runs down what he’s learned recently from spending time with various governments.

On the research end of things, we released a post earlier this week outlining the details of a new campaign called “BlackWater” that we believe could be connected to the MuddyWater APT.

And since we know everyone was waiting on this, yes, there’s coverage for that wormable Microsoft bug everyone was talking about.

There was no Threat Roundup last week, but it’ll be back tomorrow.

Sorpresa! JasperLoader targets Italy with a new bag of tricks

Nick Biasini and Edmund Brumaghin authored this blog post.

Executive summary


Over the past few months, a new malware loader called JasperLoader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the functionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity associated with these campaigns halted. But after several weeks of relatively low volumes of activity, we discovered a new version of JasperLoader being spread. This new version features several changes and improvements from the initial version we analyzed. JasperLoader is typically used to infect systems with additional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise negatively impact organizations.

The attackers behind this specific threat have implemented additional mechanisms to control where the malware can spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There's also a new command and control (C2) mechanism to facilitate communications between infected systems and the infrastructure being used to control them. The campaigns that are currently distributing JasperLoader continue to target Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers behind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce sophistication that is not commonly seen in financially motivated malware.

Tuesday, May 21, 2019

Beers with Talos Ep. #53: Shiny happy election security (and ninjas)

Beers with Talos (BWT) Podcast Ep. #53 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 10, 2019 — Election security has been a dominant headline for some time, so it’s high time we take a look at what that landscape looks like — where we are today, and how we got there in the first place. (Hint: there were deeper unintended consequences than Shiny Happy People on REM’s “Out of Time” album.) We anticipate gathering some first-time listeners due to the topic of this podcast... to you we say welcome, and yes, it’s always like this.

Matt kicks us off today discussing the greatest nerd rock band of all time: Ninja Sex Party. If you haven’t heard of them, you are in the wrong and should fix that quickly.

The timeline:

  • 00:45 — Roundtable: The Dark Times are here, so we present to you, Ninja Sex Party.
  • 16:15 — Election Security background: Let’s start with secret restaurants and smoking pineapples
  • 22:30 — Thanks, Stipe. How REM set us up to fail, and what’s under the hood of the US voting system
  • 38:00 — Where we are now versus even a couple years ago
  • 53:40 — Closing thoughts and parting shots

Some other links:

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).

Hosted by Mitch Neff (@MitchNeff).

Subscribe via iTunes (and leave a review!)


Subscribe to the Threat Source newsletter


Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Talos releases coverage for 'wormable' Microsoft vulnerability

Last night, Cisco Talos released the latest SNORT® rule update, which includes coverage for the critical Microsoft vulnerability CVE-2019-0708.

The company disclosed this vulnerability last week as part of its monthly security update. This particular bug exists in Remote Desktop Services — formerly known as Terminal Services.

The vulnerability requires no user interaction and is pre-authentication. Microsoft specifically warned against this bug because it is "wormable," meaning future malware that exploits this vulnerability could spread from system to system. One of the most infamous examples of a worm was the WannaCry malware, which disabled major services across the globe in May 2017. An attacker could exploit this vulnerability by sending a specially crafted request to the target system's Remote Desktop Service via RDP.

Snort rule 50137 covers indicators associated with this vulnerability. You can learn more about this release at the Snort blog here.

Monday, May 20, 2019

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called "BlackWater" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater's tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim's machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs.

Thursday, May 16, 2019

Vulnerability Spotlight: Multiple vulnerabilities in Wacom Update Helper

Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary

There are two privilege escalation vulnerabilities in the Wacom update helper. The update helper is a utility installed alongside the macOS application for Wacom tablets. The application interacts with the tablet and allows the user to manage it. These vulnerabilities could allow an attacker with local access to raise their privileges to root.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Wacom to ensure that these issues are resolved and that an update is available for affected customers.

Threat Source newsletter (May 16)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We were packed with vulnerabilities this week. For starters, there’s Microsoft Patch Tuesday, which we’ll cover farther down. We also disclosed a remote code execution bug in Antenna House Rainbow PDF Converter, and two more in Adobe Acrobat Reader. There are also a number of vulnerabilities in the Roav A1 dashboard camera, as well as the chipset it utilizes.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, May 14, 2019

Vulnerability Spotlight: Remote code execution bug in Antenna House Rainbow PDF Office document converter

Emmanuel Tacheau of Cisco Talos discovered this vulnerability.

Executive summary

A buffer overflow vulnerability exists in Antenna House’s Rainbow PDF when the software attempts to convert a PowerPoint document. Rainbow PDF has the ability to convert Microsoft Office 97-2016 documents into a PDF. This particular bug arises when the converter incorrectly checks the bounds of a particular function, causing a vtable pointer to be overwritten. This could allow an attacker to overflow the buffer and gain the ability to execute code remotely on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Antenna House to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Remote code execution vulnerabilities in Adobe Acrobat Reader

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Executive summary

There are two remote code execution vulnerabilities in Adobe Acrobat Reader that could occur if a user were to open a malicious PDF on their machine using the software. Acrobat is the most widely used PDF reader on the market, making the potential target base for these bugs fairly large. The program supports embedded JavaScript code in the PDF to allow for interactive PDF forms, giving the potential attacker the ability to precisely control memory layout and creating an additional attack surface.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday — May 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 79 vulnerabilities, 22 of which are rated “critical," 55 that are considered "important" and one "moderate." This release also includes two critical advisories: one covering Microsoft Live accounts and another addressing updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Scripting Engine, the Microsoft Edge web browser and GDI+. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Monday, May 13, 2019

Vulnerability Spotlight: Multiple vulnerabilities in the Roav A1 Dashcam

Lilith Wyatt of Cisco Talos discovered these vulnerabilities.

Executive summary

Cisco Talos is disclosing multiple vulnerabilities in the Anker Roav A1 Dashcam and the Novatek NT9665X chipset. The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that the users can toggle settings and download videos from the dashcam, along with a host of other features. These vulnerabilities could be leveraged by an attacker to gain arbitrary code execution on affected devices.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Novatek to ensure that some of these issues are resolved and that an update is available for affected customers. However, we were unable to contact Anker; therefore, TALOS-2018-0685, TALOS-2018-0687 and TALOS-2018-0688 remain unpatched.

Friday, May 10, 2019

Threat Roundup for May 3 to May 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 03 and May 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 9, 2019

Threat Source newsletter (May 9)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

This was a heavy week for vulnerability discovery. Snort rules are loaded up with protections against a recent wave of attacks centered around a critical Oracle WebLogic bug. We also discovered vulnerabilities in SQLite and three different Jenkins plugins.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Vulnerability Spotlight: Remote code execution bug in SQLite


Cory Duplantis of Cisco Talos discovered this vulnerability.

Executive summary

SQLite contains an exploitable use-after-free vulnerability that could allow an attacker to gain the ability to remotely execute code on the victim machine. SQLite is a client-side database management system contained in a C programming library. SQLite implements the Window Functions feature of SQL, which allows queries over a subset, or “window,” of rows. This specific vulnerability lies in that “window” function.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SQLite to ensure that these issues are resolved and that an update is available for affected customers.

Monday, May 6, 2019

Vulnerability Spotlight: Multiple bugs in several Jenkins plugins


Peter Adkins of Cisco Umbrella discovered these vulnerabilities.

Executive summary

Jenkins is an open-source automation server written in Java. There are several plugins that exist to integrate Jenkins with other pieces of software, such as GitLab. Today, Cisco Talos is disclosing vulnerabilities in three of these plugins: Swarm, Ansible and GitLab. All three of these are information disclosure vulnerabilities that could allow an attacker to trick the plugin into disclosing credentials from the Jenkins credential database to a server that they control.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Jenkins and the associated companies to ensure that these issues are resolved and that updates are available for affected customers.

Friday, May 3, 2019

Threat Roundup for April 26 to May 3


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 26 and May 03. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 2, 2019

Threat Source (May 2, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

This week was stacked with original research. First up was the Sodinokibi ransomware, which we saw being distributed via a zero-day vulnerability in Oracle WebLogic. Today, we also released our findings on a new variant of Qakbot, which is more difficult to detect than older versions.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Qakbot levels up with new obfuscation techniques

Ashlee Benge of Cisco Talos and Nick Randolph of the Threat Grid Research and Efficacy team authored this blog post.

Executive summary

Qakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent Qakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to detect and remove the trojan. Qakbot is known to target businesses with the hope of stealing their login credentials and eventually draining their bank accounts. Qakbot has long utilized scheduled tasks to maintain persistence. In this blog post, we will detail an update to these scheduled tasks that allows Qakbot to maintain persistence and potentially evade detection.