Monday, July 15, 2019

SWEED: Exposing years of Agent Tesla campaigns

By Edmund Brumaghin and other Cisco Talos researchers.

Executive summary

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.

SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

Friday, July 12, 2019

Threat Roundup for July 5 to July 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 5 and July 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 11, 2019

Threat Source newsletter (July 11, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Generally, when we write about a threat group or attack, that threat will calm down for a while. After all, it’s much for difficult for these threats to survive once awareness spreads about them. However, in the case of Sea Turtle, they’ve actually doubled down on their DNS hijacking techniques. Our new research indicates this group has developed a new way to secretly redirect DNSs, and they’re unlikely to slow down any time soon.

Ransomware has been making headlines over the past 12 months. Between Atlanta, Baltimore and, most recently, two cities in Florida, governments have been taken down by attackers looking for extortion payments. In the case of the two Florida cities, they chose to pay the extortion payment to the attackers, while Atlanta and Baltimore chose to go the more expensive route and manually recover their data. Which route is best? Which makes the most fiscal sense? We tried to find out in a roundtable featuring experts from Cisco Talos and Cisco Incident Response.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Should governments pay extortion payments after a ransomware attack?



By Jonathan Munshaw. 

When it comes to ransomware attacks this year, it’s been a tale of three cities.

In May, the city of Baltimore suffered a massive ransomware attack that took many of its systems down for weeks — restricting employees’ access to email, closing online payment portals and even preventing parking enforcement officials from writing parking tickets. After the attack, the city’s mayor said several times the city would not be paying the extortion request, but it’s still expected to cost the city more than $10 million to recover.

But two cities — albeit smaller ones — in Florida chose to take a different route. Last month, the governments in Lake City and Riviera Beach chose to pay off their attackers in exchange for the return of their data after ransomware attacks, though they still face some work in decrypting the stolen data.

The cities paid the hackers a combined $1 million in Bitcoin — and researchers say these kinds of attacks aren’t going to slow down. So when the next city or state government gets hit, should they pay up, or start the long process of manually recovering their data? We asked experts from Cisco Talos and Cisco Security to weigh in.

Tuesday, July 9, 2019

Microsoft Patch Tuesday — July 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 77 vulnerabilities, 16 of which are rated “critical," 60 that are considered "important" and one "moderate."

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, Internet Explorer and the Windows Server DHCP service. For more on our coverage of these bugs, check out the SNORT® blog post here, covering all of the new rules we have for this release.

Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques



By Danny Adamitis with contributions from Paul Rascagneres.

Executive summary

After several months of activity, the actors behind the "Sea Turtle" DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.

Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. This new technique has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain uses that particular country code, that access was used to then compromise additional government entities. Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent.

Friday, July 5, 2019

Threat Roundup for June 28 to July 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 28 and July 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, July 3, 2019

Beers with Talos Ep. #56 - Flatlined: Breach to Bankrupt



Beers with Talos (BWT) Podcast Ep. #56 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded 6/24/19 - Back in the studio for EP 56 and off the top, Matt got some new audio toy for his side hustle as a Twitch star - I still can’t figure out exactly how he did what he did, but it was not helpful from a producer’s perspective. It’s repaired, but still enough to apologize for. This is why we can’t have nice things. We discuss the issues around the AMCA data heist - a breach that caused a bankruptcy - and the complexity of securely moving sensitive data, like PII and HIPAA data, to the cloud. As we get deeper, we end up discussing the issues inherent in medical data - namely, it’s sensitivity and data security issues so systemic in nature that not even HIPAA can help.

Threat Source newsletter (July 3, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We disclosed several vulnerabilities this week, including two in Simple DirectMedia Layer, and a memory corruption bug in the V8 JavaScript engine in Google Chrome.

This week also saw the rise of an old favorite — exploit kits. While we don’t see them as often as we used to, Talos recently discovered a campaign using the infamous “Heaven’s Gate” technique to deliver a series of remote access trojans and information-stealers.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Tuesday, July 2, 2019

Vulnerability Spotlight: Remote code execution vulnerabilities in Simple DirectMedia Layer


Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities.

Simple DirectMedia Layer contains two vulnerabilities that could an attacker to remotely execute code on the victim’s machine. Both bugs are present in the SDL2_image library, which is used for loading images in different formats. There are vulnerabilities in the function responsible for loading PCX files. A specially crafted PCX file can lead to a heap buffer overflow and remote code execution in both cases.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SDL to ensure that these issues are resolved and that an update is available for affected customers.

Monday, July 1, 2019

RATs and stealers rush through “Heaven’s Gate” with new loader


Executive summary

Malware is constantly finding new ways to avoid detection. This doesn't mean that some will never be detected, but it does allow adversaries to increase the period of time between initial release and detection. Flying under the radar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack. Cisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware that proves attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers built a complex loader to ensure antivirus systems to not detect the payload malware. Among these features is the infamous "Heaven's Gate" technique — a trick that allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment. In this blog, we will show how to analyze this loader quickly, and provide an overview of how these attackers deliver the well-known HawkEye Reborn malware. During our analysis, we also discovered several notable malware families, including Remcos and various cryptocurrency mining trojans, leveraging the same loader in an attempt to evade detection and impede analysis.

Vulnerability Spotlight: Google V8 Array.prototype memory corruption vulnerability


The V8 JavaScript engine in Google Chrome contains a memory corruption vulnerability that could allow an attacker to gain the ability to execute arbitrary code on the victim’s machine. V8 is the core JavaScript engine that runs in the Chrome browser. As part of Chrome and node.is, it is the most popular JavaScript engine currently available.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers. Google initially fixed this vulnerability in March and merged it in April. However, the company just publicly disclosed it on June 26, per its vulnerability disclosure policies.