Friday, June 14, 2019

Threat Roundup for June 7 to June 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 07 and June 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, June 11, 2019

Microsoft Patch Tuesday — June 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 88 vulnerabilities, 18 of which are rated “critical," 69 that are considered "important" and one "moderate." This release also includes a critical advisory regarding security updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, the Jet database engine and Windows kernel. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Monday, June 10, 2019

How Cisco Talos helped Howard County recover from a call center attack


On Aug. 11, 2018 the 911 non-emergency call center in Howard County, Maryland was in crisis — not for the types of calls flooding into dispatchers, but simply for the sheer numbers. The center, which usually receives 300 to 400 calls a day was now getting 2,500 in a 24-hour span of time. The center, which takes calls for everything from home security alarms going off to cats getting stuck in trees was overwhelmed. What was going on?

James Cox, a network-server team manager for the Howard County government was tasked with answering that question. It turns out, a lone foreign actor created this crisis. “The phone system doesn’t care who you are,” Cox explained. “You hit that 10-digit number and the phone rings. There’s no check and there’s no balance.”

Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580


Jared Rittle of Cisco Talos discovered these vulnerabilities.

Executive summary

There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in UMAS requests made while operating the hardware.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers.

The sights and sounds from the Talos Threat Research Summit


More than 250 threat hunters, network defenders and analysts gathered ahead of Cisco Live for the second annual Talos Threat Research Summit on Sunday.

The conference by defenders, for defenders, returned this year after the inaugural event in 2018 to San Diego, where speakers passed on their knowledge of writing detection, stopping phishing attacks responding to ransomware, and more.

Friday, June 7, 2019

Know before you go: Talos Threat Research Summit


We are now just 48 hours away from the second annual Talos Threat Research Summit. After last year's success in Orlando, we are back and better than ever from San Diego on Sunday.

If you plan on attending, here's what you need to know before Sunday morning. Can't make it out? You can still stream our keynote address from Elizabeth Wharton at 8:10 a.m. PT by following us on Twitter.

Threat Roundup for May 31 to June 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 31 and June 07. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 6, 2019

Threat Source newsletter (June 6)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope to see everyone this weekend at the Talos Threat Research Summit in San Diego (or throughout the week at Cisco Live). If you’re around, stop by the Talos booth on the Cisco Live floor — who knows, we may have some swag to give out! For those of you who are attending, brush up on the schedule here.

There’s been a lot of talk about a bug in Microsoft RDP that could leave systems open to a “wormable” attack. When Microsoft disclosed the vulnerability last month, there was little guidance on how to defend against an exploit. Now, we have a new method using Cisco Firepower to block any encrypted attacks attempting to use this vulnerability. This means that you’ll be able to protect against attacks that would otherwise go undetected.

This week, we also unveiled our research on Frankenstein, a new campaign that cobbles together several open-source techniques to infect users. While it’s been used with relatively low volume so far, because of its nature, the attackers behind it have the ability to change it on the fly and evolve over time.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, June 4, 2019

It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign

This blog was authored by Danny AdamitisDavid Maynor and Kendall McKay.

Executive summary

Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the "Frankenstein" campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users' machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors' ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.

The campaign used components of:
  • An article to detect when your sample is being run in a VM
  • A GitHub project that leverages MSbuild to execute a PowerShell command
  • A component of GitHub project called "Fruityc2" to build a stager
  • A GitHub project called "PowerShell Empire" for their agents