Wednesday, July 31, 2019

Malvertising: Online advertising's darker side



By Nick Biasini, Chris Neal and Matt Valites.


Executive summary

One of the trickiest challenges enterprises face is managing the balance between aggressively blocking malicious advertisements (aka malvertising) and allowing content to remain online, accessible for the average user. The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient.

As this blog will cover in detail, malvertising is a problem not strictly associated with basic web browsing. It can also come with other software programs, including adware or potentially unwanted applications (PUA). These latter examples require the most attention. In today's enterprise, an aggressive approach to blocking advertising is required to protect against malicious threats. That may include securing your DNS or adding additional layers of inspection through a firewall, intrusion prevention system, or a web security platform. Regardless of the approach, it needs to be thorough and take into account not just the security impacts, but the potential of cascading impact on your users.

Advertising is a key part of the internet as a whole and, whether you realize it or not, is one of the most foundational aspects of it. It is one of the reasons that a large chunk of the content available on the internet is free. It allows people to support their passion projects, their small businesses, and the food blogs of people around the world. However, it is a highly complex and convoluted system that is ripe for abuse. This is an issue that should not be ignored by the public, as these malicious ads can deliver malware out of nowhere and trick traditional internet users who may not be aware of the threats that exist on some pages.

This blog is going to walk through how online advertising works, what malvertising is and why it's dangerous including real life examples, and finally the options that exist for organizations and private citizens to try and protect themselves from these threats.

Tuesday, July 30, 2019

New Re2PCAP tool speeds up PCAP process for Snort rules



By Amit Raut

We often joke that for SNORT® rule development, you have to live by the saying “PCAP or it didn’t happen.” PCAP files are very important for Snort rule development, and a new tool from Cisco Talos called “Re2Pcap” allows users to generate a PCAP file in seconds just from a raw HTTP request or response.

Re2Pcap consumes few resources (the Docker image is less than 90MB), reduces Snort rule development processing time, and requires no complex setup.

Monday, July 29, 2019

Reverse-CTF, Snort rule challenge and more — What to expect from Talos at Defcon

Want to get up close and personal with Talos researchers?

Then be sure to stick around for the second half of “Hacker Summercamp”: Defcon. After our series of talks at Blackhat, we’re headed elsewhere on the strip for Defcon.

Specifically, we’ll have a huge presence at this year’s Blue Team Village, where you can speak with our researchers, test your threat detection and prevention skills and even get a few tips on your resume.

This year’s Defcon runs from Aug. 8 – 11, and the Blue Team Village specifically runs Aug. 9 – 11 — look for us just past the main entrance near the three stages. Here’s a rundown of what you can expect to see from us at Defcon, and start preparing for our challenges now.

All the places you can see and hear Talos at Black Hat 2019


It is once again time for Security Summer Camp – the annual week when security experts descend upon Las Vegas for Black Hat and DEFCON. Talos will be around all week, but we want to start off with a Black Hat preview — the Defcon one will be here later today.

Throughout the conference, Talos researchers and analysts will be at the Cisco Security booth giving “lightning talks,” where they’ll be tackling complex topics and giving attendees a 20-minute overview that will give you actionable intelligence to bring back to your organization.

Stop by and see us to listen to talks, pick up some exclusive swag (including special Snort colors) and chat with our researchers.

Friday, July 26, 2019

Threat Roundup for July 19 to July 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 19 and July 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 25, 2019

Threat Source newsletter (July 25, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

No one really likes talking about election security. It’s a sticky subject, costs lots of money and doesn’t come with an easy fix. But that doesn’t mean the conversation shouldn’t happen.

With another presidential election just around the corner, we decided to take up the topic and examine the approach a potential attacker may take to disrupting a democratic election. Matt Olney took a deep dive into their psyche here, and wrote about what may happen in a real-life attack scenario.

He and the rest of the Beers with Talos crew broke down these scenarios more in this week’s Beers with Talos episode, too.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, July 24, 2019

Beers with Talos Ep. #58: Defending Democracy and Doing DEFCON




Beers with Talos (BWT) Podcast episode No. 58 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded July 19, 2019 — Wow, we packed a lot in this one: election security, burner phones, social apps' terms of service, and maybe the worst opsec of all time. Of course, Nigel blames Canada for all of it.

Fair warning, this episode set a new record for beeps and train horns. We primarily take a look at how an attacker would see disrupting democracy (and not in the cool startup way) by looking at the available attack surface with their intentions in mind. We also lay out some cases where burner devices make sense and where they might not. We close out with some helpful tips to enjoy a massive con like BlackHat or DEFCON. But seriously, that was a lot of beeps.

Monday, July 22, 2019

Let's Destroy Democracy

Election security through an adversary's eyes


By Matt Olney.


Executive summary

Over the past few years, Cisco Talos has increasingly been involved in election security research and support, most recently supporting the Security Service of Ukraine in their efforts to secure the two Ukrainian presidential elections in April. Experiences like these, along with discussions with state and local elections officials and other parties, have helped us better understand the election security space. These discussions are especially important to us because combining their expertise with our experience in the security space — and specifically our understanding of some of the actors that may be involved — is a powerful model to achieve the ultimate goal of providing free and fair elections.

Based on our research and real-world experience working to secure elections, we have recommendations for several different groups, each of which have a role to play in working against attackers who would interfere in free and fair elections:
  • Everyone should understand that interference in, and attacks on, the election system are part of a larger, coordinated attack on the very concept of free democracies.
  • Security improvements in election security can best be achieved by combining the expertise of election officials with that of traditional security practitioners.
  • Election officials should extract maximum value from this period of heightened interest in election security.
  • Security practitioners should recognize the specialized nature of the elections environment and be careful to provide the best advice for that unique environment.
  • Everyone has a role to play in ensuring that faith in democratic institutions is reinforced and that social divides aren't unnecessarily aggravated.

Friday, July 19, 2019

Threat Roundup for July 12 to July 19

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 12 and July 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 18, 2019

Threat Source newsletter (July 18, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

A group we’re calling “SWEED” may be behind years of Agent Tesla attacks. This week, we uncovered everything we know about this actor, and ran down their TTPs and discussed how users can stay safe.

If you didn’t get enough of the ransomware debate last week, we have even more talk of extortion payments on the latest Beers with Talos episode, too.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Beers with Talos Ep. #57 - It’s a business decision, not rocket science



Beers with Talos (BWT) Podcast Ep. #57 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded July 8, 2019 — Matt skipped this episode in favor of a meeting (for real). The rest of the crew carried on to discuss a few of this week’s hot-button issues, such as municipalities paying (or not paying) the ransom, NASA JPL reporting that an APT breached their network via a rogue Pi (in true Mr. Robot fashion), and looking at rogue devices in general. Next episode will be our last before Black Hat and DEFCON, so tune in to find out where you can find Talos at those conferences.

Monday, July 15, 2019

SWEED: Exposing years of Agent Tesla campaigns

By Edmund Brumaghin and other Cisco Talos researchers.

Executive summary


Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.

SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

Friday, July 12, 2019

Threat Roundup for July 5 to July 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 5 and July 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, July 11, 2019

Threat Source newsletter (July 11, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Generally, when we write about a threat group or attack, that threat will calm down for a while. After all, it’s much more difficult for these threats to survive once awareness spreads about them. However, in the case of Sea Turtle, they’ve actually doubled down on their DNS hijacking techniques. Our new research indicates this group has developed a new way to secretly redirect DNS traffic, and they’re unlikely to slow down any time soon.

Ransomware has been making headlines over the past 12 months. Between Atlanta, Baltimore and, most recently, two cities in Florida, governments have been taken down by attackers looking for extortion payments. In the case of the two Florida cities, they chose to pay the extortion payment to the attackers, while Atlanta and Baltimore chose to go the more expensive route and manually recover their data. Which route is best? Which makes the most fiscal sense? We tried to find out in a roundtable featuring experts from Cisco Talos and Cisco Incident Response.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Should governments pay extortion payments after a ransomware attack?



By Jonathan Munshaw. 

When it comes to ransomware attacks this year, it’s been a tale of three cities.

In May, the city of Baltimore suffered a massive ransomware attack that took many of its systems down for weeks — restricting employees’ access to email, closing online payment portals and even preventing parking enforcement officials from writing parking tickets. After the attack, the city’s mayor said several times the city would not be paying the extortion request, but it’s still expected to cost the city more than $10 million to recover.

But two cities — albeit smaller ones — in Florida chose to take a different route. Last month, the governments in Lake City and Riviera Beach chose to pay off their attackers in exchange for the return of their data after ransomware attacks, though they still face some work in decrypting the stolen data.

The cities paid the hackers a combined $1 million in Bitcoin — and researchers say these kinds of attacks aren’t going to slow down. So when the next city or state government gets hit, should they pay up, or start the long process of manually recovering their data? We asked experts from Cisco Talos and Cisco Security to weigh in.

Tuesday, July 9, 2019

Microsoft Patch Tuesday — July 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 77 vulnerabilities, 16 of which are rated “critical,” 60 that are considered “important” and one “moderate.”

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, Internet Explorer and the Windows Server DHCP service. For more on our coverage of these bugs, check out the SNORT® blog post here, covering all of the new rules we have for this release.

Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques



By Danny Adamitis with contributions from Paul Rascagneres.

Executive summary

After several months of activity, the actors behind the "Sea Turtle" DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.

Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. This new technique has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that particular country code; that access was then used to compromise additional government entities. Unfortunately, unless significant changes are made to better secure DNS, these sorts of attacks are going to remain prevalent.

Friday, July 5, 2019

Threat Roundup for June 28 to July 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 28 and July 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, July 3, 2019

Beers with Talos Ep. #56 - Flatlined: Breach to Bankrupt



Beers with Talos (BWT) Podcast Ep. #56 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded 6/24/19 - Back in the studio for EP 56 and off the top, Matt got some new audio toy for his side hustle as a Twitch star - I still can’t figure out exactly how he did what he did, but it was not helpful from a producer’s perspective. It’s repaired, but still enough to apologize for. This is why we can’t have nice things. We discuss the issues around the AMCA data heist - a breach that caused a bankruptcy - and the complexity of securely moving sensitive data, like PII and HIPAA data, to the cloud. As we get deeper, we end up discussing the issues inherent in medical data - namely, its sensitivity and data security issues so systemic in nature that not even HIPAA can help.

Threat Source newsletter (July 3, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We disclosed several vulnerabilities this week, including two in Simple DirectMedia Layer, and a memory corruption bug in the V8 JavaScript engine in Google Chrome.

This week also saw the rise of an old favorite — exploit kits. While we don’t see them as often as we used to, Talos recently discovered a campaign using the infamous “Heaven’s Gate” technique to deliver a series of remote access trojans and information-stealers.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Tuesday, July 2, 2019

Vulnerability Spotlight: Remote code execution vulnerabilities in Simple DirectMedia Layer


Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities.

Simple DirectMedia Layer contains two vulnerabilities that could allow an attacker to remotely execute code on the victim’s machine. Both bugs are present in the SDL2_image library, which is used for loading images in different formats. Both vulnerabilities lie in the function responsible for loading PCX files. A specially crafted PCX file can lead to a heap buffer overflow and remote code execution in both cases.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SDL to ensure that these issues are resolved and that an update is available for affected customers. (UPDATE: SDL released an additional update that fixes four additional vulnerabilities.)

Monday, July 1, 2019

RATs and stealers rush through “Heaven’s Gate” with new loader


Executive summary

Malware is constantly finding new ways to avoid detection. This doesn't mean that some will never be detected, but it does allow adversaries to increase the period of time between initial release and detection. Flying under the radar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack. Cisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware that proves attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers built a complex loader to ensure antivirus systems do not detect the payload malware. Among these features is the infamous "Heaven's Gate" technique — a trick that allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment. In this blog, we will show how to analyze this loader quickly, and provide an overview of how these attackers deliver the well-known HawkEye Reborn malware. During our analysis, we also discovered several notable malware families, including Remcos and various cryptocurrency mining trojans, leveraging the same loader in an attempt to evade detection and impede analysis.

Vulnerability Spotlight: Google V8 Array.prototype memory corruption vulnerability


The V8 JavaScript engine in Google Chrome contains a memory corruption vulnerability that could allow an attacker to gain the ability to execute arbitrary code on the victim’s machine. V8 is the core JavaScript engine that runs in the Chrome browser. As part of Chrome and Node.js, it is the most popular JavaScript engine currently available.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers. Google initially fixed this vulnerability in March and merged it in April. However, the company just publicly disclosed it on June 26, per its vulnerability disclosure policies.