Friday, June 28, 2019

Threat Roundup for June 21 to June 28


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 21 and June 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 27, 2019

Welcome Spelevo: New exploit kit full of old tricks

Nick Biasini authored this post with contributions from Caitlyn Hammond.


Executive summary

Exploit kits are an ever-present and often forgotten threat on the landscape today. Their popularity seemed to peak several years ago with the success and eventual downfall of some of the best compromise platforms ever created, including the Angler Exploit Kit. These kits generated millions of dollars from their victims, and they are still effective. One of their biggest appeals today is that they remove any reliance on user assistance. Increasingly, the crimeware landscape depends on that assistance: whether through blatant social engineering attacks like the ongoing sextortion campaigns or through the countless malspam messages traversing the globe daily, users are required to help achieve infection. That is where exploit kits stand alone as an effective web-based platform for compromise that only requires users to surf the internet.

Today, Cisco Talos is unveiling the details of a new exploit kit campaign that proves exploit kits are still a threat and should be taken seriously by defenders: Spelevo. This recent campaign leveraged a compromised business-to-business site to deliver Spelevo, one of the first new kits we've seen in months.

Spelevo illustrates many of the challenges associated with protecting against these threats and preventing their spread. In compromising this particular website, the attackers did little more than add four lines to the code rendering the webpage — but those four lines did a lot of damage and can compromise all visitors that have poor security hygiene. Even though Angler did make use of a zero-day in Adobe Flash Player years ago, exploit kits largely depend on existing, patched exploits. However, all it takes is one missed patch on one system to lead directly to compromise. That's why you need things like a thorough defense-in-depth approach with various technologies in place to help mitigate any residual risk that comes with running an enterprise.

Threat Source newsletter (June 27, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

You never want to fall behind on Beers with Talos. So make sure to listen to the latest episode on your commute home today. This episode — featuring special guest and Talos Threat Research Summit keynote speaker Liz Wharton — was recorded live in San Diego as part of Cisco Live. So yes, there’s audience participation, and no, you are not prepared for it.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, June 25, 2019

Beers with Talos Ep. #55: Live from San Diego!

Beers with Talos (BWT) Podcast Ep. #55 is now available. Download this episode and subscribe to Beers with Talos.


Recorded June 12, 2019 — God knows why, but we bring you another live episode from the Talos Threat Research Summit at Cisco Live U.S. in San Diego, California. We are joined by TTRS keynote speaker (as is tradition) Liz Wharton.

Catch the highlights of the show and stick around for hot takes from the live audience. Thanks to everyone who showed up to the recording, especially those brave enough to step up to the mic at the end.

This is our annual reminder of why we don’t do this more often. We think you'll whole-heartedly agree.

Friday, June 21, 2019

Threat Roundup for June 14 to June 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 14 and June 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 20, 2019

Threat Source newsletter (June 20, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This week, we disclosed two vulnerabilities in KCodes’ NetUSB kernel module that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Monday, June 17, 2019

Vulnerability Spotlight: Two bugs in KCodes NetUSB affect some NETGEAR routers

Dave McDaniel of Cisco Talos discovered these vulnerabilities.

Executive summary

KCodes’ NetUSB kernel module contains two vulnerabilities that could allow an attacker to inappropriately access information on some NETGEAR wireless routers. Specific models of these routers utilize the kernel module from KCodes, a Taiwanese company. The module is custom-made for each device, but they all contain similar functions.

The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices. An attacker could send specific packets on the local network to exploit vulnerabilities in NetUSB, forcing the routers to disclose sensitive information and even giving the attacker the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos reached out to KCodes and NETGEAR regarding these vulnerabilities. After working with Talos, KCodes provided an update to NETGEAR, which is scheduled to release an update of its own. Talos decided to release the details of these vulnerabilities after surpassing our 90-day deadline.

Friday, June 14, 2019

Threat Roundup for June 7 to June 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 07 and June 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Tuesday, June 11, 2019

Microsoft Patch Tuesday — June 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 88 vulnerabilities, 18 of which are rated "critical," 69 that are considered "important" and one "moderate." This release also includes a critical advisory regarding security updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, the Jet database engine and Windows kernel. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Monday, June 10, 2019

How Cisco Talos helped Howard County recover from a call center attack


On Aug. 11, 2018, the 911 non-emergency call center in Howard County, Maryland was in crisis — not for the types of calls flooding into dispatchers, but simply for the sheer numbers. The center, which usually receives 300 to 400 calls a day, was now getting 2,500 in a 24-hour span of time. The center, which takes calls for everything from home security alarms going off to cats getting stuck in trees, was overwhelmed. What was going on?

James Cox, a network-server team manager for the Howard County government, was tasked with answering that question. It turns out, a lone foreign actor created this crisis. “The phone system doesn’t care who you are,” Cox explained. “You hit that 10-digit number and the phone rings. There’s no check and there’s no balance.”

Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580


Jared Rittle of Cisco Talos discovered these vulnerabilities.

Executive summary

There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in UMAS requests made while operating the hardware.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers.

The sights and sounds from the Talos Threat Research Summit


More than 250 threat hunters, network defenders and analysts gathered ahead of Cisco Live for the second annual Talos Threat Research Summit on Sunday.

The conference by defenders, for defenders, returned this year in San Diego after its inaugural event in 2018. Speakers passed on their knowledge of writing detection, stopping phishing attacks, responding to ransomware, and more.

Friday, June 7, 2019

Know before you go: Talos Threat Research Summit


We are now just 48 hours away from the second annual Talos Threat Research Summit. After last year's success in Orlando, we are back and better than ever from San Diego on Sunday.

If you plan on attending, here's what you need to know before Sunday morning. Can't make it out? You can still stream our keynote address from Elizabeth Wharton at 8:10 a.m. PT by following us on Twitter.

Threat Roundup for May 31 to June 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 31 and June 07. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 6, 2019

Threat Source newsletter (June 6)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope to see everyone this weekend at the Talos Threat Research Summit in San Diego (or throughout the week at Cisco Live). If you’re around, stop by the Talos booth on the Cisco Live floor — who knows, we may have some swag to give out! For those of you who are attending, brush up on the schedule here.

There’s been a lot of talk about a bug in Microsoft RDP that could leave systems open to a “wormable” attack. When Microsoft disclosed the vulnerability last month, there was little guidance on how to defend against an exploit. Now, we have a new method using Cisco Firepower to block any encrypted attacks attempting to use this vulnerability. This means that you’ll be able to protect against attacks that would otherwise go undetected.

This week, we also unveiled our research on Frankenstein, a new campaign that cobbles together several open-source techniques to infect users. While it’s been used with relatively low volume so far, because of its nature, the attackers behind it have the ability to change it on the fly and evolve over time.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Tuesday, June 4, 2019

It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign

This blog was authored by Danny Adamitis, David Maynor and Kendall McKay.

Executive summary

Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the "Frankenstein" campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users' machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors' ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.

The campaign used components of:
  • An article on detecting when your sample is being run in a VM
  • A GitHub project that leverages MSBuild to execute a PowerShell command
  • A component of a GitHub project called "Fruityc2" to build a stager
  • A GitHub project called "PowerShell Empire" for their agents