Friday, September 13, 2019

Threat Roundup for September 6 to September 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 6 and Sept. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 12, 2019

Threat Source newsletter (Sept. 12, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

You’ve heard it a million times: Always patch. But in case you needed another example that it’s important, Cisco Incident Response took a deep dive into a recent wave of Watchbog infections they observed. In this post, IR breaks down why this infection occurred, and what you can learn from it. 

Speaking of patching, it’s as good of a time as any to update all of your Microsoft products. The company released its latest security update as part of their monthly Patch Tuesday. Check out our breakdown of the most important vulnerabilities here and our Snort coverage here.

Ever considered an “illustrious career in cybercrime?” Well, don’t do it. So says Craig on the latest Beers with Talos podcast where the guys talking about “hacking back” and Matt’s level of Twitter fame.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Wednesday, September 11, 2019

Watchbog and the Importance of Patching


What Happened?


Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.

This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.

There were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security.

The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any "real" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the "positive" intentions of this adversary. Below is a message left on a compromised system by the adversary:

Beers with Talos Ep. #61: Hacking for good is a bad idea



Beers with Talos (BWT) Podcast episode No. 61 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Aug. 30, 2019: In this extra-sized episode, we cover a lot, starting with Retadup, and discussing the intricate workings of why it’s a bad idea to execute code on other computers without permission when you have no idea what that computer is doing. WannaCry is making some headlines again, but this time it isn’t WannaCry and, frankly, it’s not news. From the mobile ecosystem operating system battleground, Google’s Project Zero announced several vulnerabilities in iOS that have been discovered being exploited in the wild, with some of the exploit chains leveraging zero-days. The most important development of the week is that journalists are now quoting Matt's Twitter timeline and this will certainly end well.

Tuesday, September 10, 2019

Microsoft Patch Tuesday — Sept. 2019: Vulnerability disclosures and Snort coverage












By Jon Munshaw.

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of which are rated “critical," 65 that are considered "important" and one "moderate." There is also a critical advisory relating to the latest update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft services and software, including the Jet Database Engine and the Hyper-V hypervisor.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Monday, September 9, 2019

Vulnerability Spotlight: Denial-of-service vulnerabilities in some NETGEAR routers


Dave McDaniel of Cisco Talos discovered these vulnerabilities.

The NETGEAR N300 line of wireless routers contains two denial-of-service vulnerabilities. The N300 is a small and affordable wireless router that contains the basic features of a wireless router. An attacker could exploit these bugs by sending specific SOAP and HTTP requests to different functions of the router, causing it to crash entirely.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NETGEAR to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 6, 2019

Threat Roundup for August 30 to September 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 30 and Sept. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 5, 2019

Threat Source newsletter (Sept. 5, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

By now, nearly everyone has heard of BlueKeep. It definitely sounds scary, with of this talk of wormable bugs and WannaCry. But so far, no attackers have used it to launch a large-scale attack.

Of course, we knew this wouldn’t stay quiet forever. Last month, Microsoft disclosed more RDP vulnerabilities in what’s being called “DejaBlue.” These are another set of wormable bugs, but we have a walkthrough for how Cisco Firepower customers can stay protected.

Elsewhere on the vulnerability front, we have advisories out for an information disclosure in Blynk-Library and two bugs in Epignosis eFront.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

GhIDA: Ghidra decompiler for IDA Pro

By Andrea Marcelli

Executive Summary

Cisco Talos is releasing two new tools for IDA Pro: GhIDA and Ghidraaas.

GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in the IDA workflow, giving users the ability to rename and highlight symbols and improved navigation and comments. GhIDA assists the reverse-engineering process by decompiling x86 and x64 PE and ELF binary functions, using either a local installation of Ghidra, or Ghidraaas ( Ghidra as a Service) — a simple docker container that exposes the Ghidra decompiler through REST APIs.

Here is a quick video walking users through this new tool:
  

Wednesday, September 4, 2019

Vulnerability Spotlight: Information disclosure vulnerability in Blynk-Library




















Lilith Wyatt of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered an information disclosure vulnerability in Blynk-Library. Blynk-Library is a small library for connecting more than 400 different embedded device models into a private or enterprise Blynk-Server instance. According to the Git repository, it is the "most popular internet-of-things platform for connecting any hardware to the cloud."

In accordance with our coordinated disclosure policy, Cisco Talos worked with Blynk to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, September 3, 2019

The latest on BlueKeep and DejaBlue vulnerabilities — Using Firepower to defend against encrypted DejaBlue

This blog was authored by Brandon Stultz, Holger Unterbrink and Edmund Brumaghin.

Executive summary


Over the past few months, Microsoft has released several security updates for critical Remote Desktop Protocol (RDP)-related security bugs. These bugs are significant for IT infrastructure because they are classified as "wormable," meaning future malware that exploits them could spread from system to system without requiring explicit user interaction. These vulnerabilities could be exploited by an attacker sending a specially crafted request to the target system's Remote Desktop Service via RDP. We have seen how destructive these kinds of attacks can be, most notably WannaCry. We highly recommend organizations immediately apply Microsoft's patches. Cisco Talos released detection coverage for CVE-2019-0708 and also enhanced guidance to help organizations facilitate inspection of RDP sessions here. Microsoft published additional security updates last month to mitigate two additional remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, affecting several versions of Microsoft Windows. These bugs are referred to as "DejaBlue" due to their similarities to BlueKeep.

Once again, Cisco Talos started working immediately to reverse-engineer the RCE vulnerabilities. Protections for both CVE-2019-1181 and CVE-2019-1182 now exist to keep your systems secure. SID 51369 for SNORT® correctly blocks exploitation of CVE-2019-1181 and CVE-2019-1182. In this post, we'll run through the details of how to protect against this "DejaBlue" exploit and walk through the steps to protect your environment.

Vulnerability Spotlight: Two vulnerabilities in Epignosis eFront


Yuri Kramarz of Security Advisory Incident Response EMEAR discovered these vulnerabilities.

Cisco Talos discovered two vulnerabilities in Epignosis eFront — one of which could allow an attacker to remotely execute code on the victim system, and another that opens the victim machine to SQL injections. eFront is an LMS platform that allows users to control their virtual training environments and data. The software boasts the ability to allow large companies to train their employees quickly and efficiently.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Epignosis to ensure that these issues are resolved and that an update is available for affected customers. Epignosis confirmed that they released eFront version 5.2.13 to address these issues.