Friday, December 20, 2019

Cisco ASA DoS bug attacked in wild


  
Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in our Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. The vulnerability, CVE-2018-0296, is a denial-of-service and information disclosure directory traversal bug found in the web framework of the appliance. The attacker can use a specially crafted URL to cause the ASA appliance to reboot or to disclose information without authentication.

This vulnerability was first noticed being exploited publicly back in June 2018, but exploitation attempts appear to have increased in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code. Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (SID 46897). Concerned customers should ensure it is enabled in applicable policies so that this exploitation attempt can be detected.

Threat Roundup for December 13 to December 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 13 and Dec. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 19, 2019

Threat Source newsletter (Dec. 19, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We have an early holiday present for you! This week, we introduced a new podcast to the Talos family. Talos Takes, a new short-form show, takes listeners through a quick breakdown of a particular topic or security news story, with our Talos spin. The first three episodes are available now on the Talos podcasts page, and on the Beers with Talos feed. In 2020, we’ll give Talos Takes its own feed you’ll be able to subscribe to.

Not to be overshadowed, there is also a new Beers with Talos episode available just in time for your holiday road trip. This week’s episode features special guest Joe Marshall from the Talos Outreach team, who brings his expertise on IoT and ICS security to the table.

To wrap up the year, we released a blog post running through the top malware and cyber news stories of 2019. This post is a perfect place to look back on all the major research we put out this year.

Cisco’s annual winter shutdown begins next week, so this will be the last Threat Source newsletter until Jan. 9. See you in 2020!

Wednesday, December 18, 2019

2019: The year in malware


By Jon Munshaw.

From ransomware attacks to DNS deception, attackers were just as active as ever in 2019.

This year saw a number of big-name malware families come onto the scene, including Sea Turtle, one of the most high-profile DNS hijacking attempts in recent memory. BlueKeep also stirred up controversy when the RDP vulnerability was first discovered, but researchers are still holding their breath, waiting for the first major exploits to happen.

To recap this busy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware.

Tuesday, December 17, 2019

New Talos Takes podcast puts Talos' spin on the latest cyber news


By Jon Munshaw.

Today, Cisco Talos' podcast network is growing with a new show.

Talos Takes is a new podcast that provides Talos analysts' and researchers' opinions and expertise on the hottest topics in cyber security. The first three episodes of the show — covering holiday shopping scams, protecting your new gadget and the basics of malvertising — are in the Beers with Talos podcast feed right now.

Incident Response lessons from recent Maze ransomware attacks

By JJ Cummings and Dave Liebenberg

This year, we have been flooded with reports of targeted ransomware attacks. Whether it's a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage and cost, and they have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016. Those attacks were incredibly profitable, despite ending in indictments from the U.S. government.

In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.

Beers with Talos Ep. #68: Takes from Talos on IoT (and the NEW “Talos Takes” podcast!)


By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 68 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Dec. 9, 2019 

We have a big announcement to make today! Check your feed for a few episodes of a new podcast from Talos: “Talos Takes.”

On this episode of BWT, we welcome Joe Marshall to the table. Joe is a Talos ICS/IoT tech lead and he stops by to discuss issues in the IoT space — macro and micro, from both the vendor and user perspectives. Check out the crew’s advice on staying secure in this IoT gift-giving season.

We will see you in the new year, and thanks for listening in 2019. Happy Holidays to all!

Monday, December 16, 2019

Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200


Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration service used by the controllers. The vulnerabilities discussed here could allow an attacker to remotely execute code, deny service to the device or weaken device login credentials.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues are resolved and that an update is available for affected customers.

Friday, December 13, 2019

Threat Roundup for December 6 to December 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 6 and Dec. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 12, 2019

Threat Source newsletter (Dec. 12, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re entering our Year in Review period. Now’s the time to look back on the top stories from 2019 and think about what we learned.

In the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. For more on what we can take away from the year in vulnerability disclosures, check out our post here.

Speaking of vulnerabilities, we had many more to add to the yearly count this week. There are too many to name here, but some highlights include a remote code execution bug in Apple’s Safari web browser and a denial-of-service in the Linux kernel.

Microsoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs here and our Snort rules to protect against exploitation of them here. Talos discovered two of the bugs patched this month, both in Windows Remote Desktop Protocol in older versions of Windows.

Wednesday, December 11, 2019

Talos Vulnerability Discovery Year in Review — 2019

By Martin Zeiser.

Cisco Talos' Systems Security Research Team investigates software, operating system, IoT and ICS vulnerabilities to make sure we find vulnerabilities before the bad guys do.

We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone.

After these patches become available, the Talos detection content becomes public, as well. Talos regularly releases Vulnerability Spotlights and in-depth analyses of vulnerabilities discovered by us. You can find all of the release information via the Talos vulnerability information page here.

Vulnerability Spotlight: Apple Safari SVG marker element baseVal remote code execution vulnerability


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Apple’s Safari web browser is open to a remote code execution vulnerability via its SVG marker element feature inside WebKit. Safari uses the WebCore DOM rendering system in WebKit. The rendering engine allows overwriting of the static SVG marker element using JavaScript code, which results in memory corruption. An attacker needs to trick the user into opening a malicious web page in Safari in order to exploit this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Kakadu Software SDK ATK marker code execution vulnerability


Aleksandar Nikolic and Emmanuel Tacheau of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Kakadu Software’s SDK contains an exploitable heap overflow. Kakadu serves as a framework for developers to create a variety of commercial and non-commercial applications. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted, malicious jp2 file to cause a heap overflow, which could then allow them to remotely execute code on the server.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Kakadu to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Denial-of-service vulnerabilities in Linux kernel, W1.fi


Mitchell Frank and Mark Leonard of Cisco discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two denial-of-service vulnerabilities in the open-source program W1.fi. Both of these vulnerabilities affect hostapd. One could allow an attacker to forge authentication requests, while the other could trigger a deauthentication, both resulting in a denial of service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with the maintainer of W1.fi to ensure that these issues are resolved and that an update is available for affected customers. TALOS-2019-0849 relates to TALOS-2019-0900, a denial-of-service vulnerability in the Linux kernel. The Linux kernel maintainers have also released an update to address that vulnerability, which makes more versions of Linux besides the mainline one safe from these vulnerabilities.

Tuesday, December 10, 2019

Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader


Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information leak vulnerability in Adobe Acrobat Reader DC. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted, malicious PDF, likely either via an email attachment or embedded on a web page. Adobe Acrobat Reader DC supports embedded JavaScript code in the PDF to allow for interactive PDF forms. This vulnerability specifically exists in the way Acrobat processes JavaScript.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP


A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two issues in two implementations of Microsoft Remote Desktop Services: a denial-of-service vulnerability that affects Windows 7/Windows Server 2008 (when RDP 8.0 is enabled), Windows 8/Server 2012, and Windows 10/Server 2016, and an information leak vulnerability that affects Windows XP. The Remote Desktop Protocol is used by Remote Desktop Services in order to allow a user or administrator to take control of a remote machine via a network connection. The denial-of-service vulnerability exists after the connection setup, when one is able to perform the license exchange, and the information leak vulnerability exists during the connection setup, where the client and the server negotiate various aspects relevant to the session. They could be exploited by an attacker to cause a denial of service or leak information, respectively. Microsoft disclosed these issues as part of December’s Patch Tuesday. For more on the company’s latest security updates, check out Talos’ full blog here, and our Snort coverage here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft is providing a patch for all of the affected versions of Windows for the denial-of-service vulnerability, but has declined to provide a patch for the Windows XP vulnerability because that operating system is out of support. It is recommended that users of Windows XP upgrade to a more recent operating system.

Microsoft Patch Tuesday — Dec. 2019: Vulnerability disclosures and Snort coverage

By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical.

This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.

Talos also released a new set of SNORT® rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Vulnerability Spotlight: Multiple vulnerabilities in LEADTOOLS software


Marcin Towalski and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.) that are all geared toward building applications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the exposure of sensitive information.

In accordance with our coordinated disclosure policy, Cisco Talos worked with LEAD Technologies to ensure that these issues are resolved and that an update is available for affected customers.

Monday, December 9, 2019

Beers with Talos Ep. #67: Inside Incident Response


By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 67 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Nov. 21, 2019 

Craig is out sick/injured/fighting robots (actually all three), so we brought in Sean Mason from Talos IR to talk shop today and give you the inside scoop on IR (and Sean’s next-level beard care regimen). How do incidents affect the enterprise and consumers? How has the advent of widespread ransomware fundamentally shifted the burden of responsibility in the c-suite and what have been the outcomes? What does a responder have in the bag when they arrive on-site?

Friday, December 6, 2019

Threat Roundup for November 29 to December 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 29 and Dec. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 5, 2019

Threat Source newsletter (Dec. 5, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone had a safe and happy Thanksgiving in the U.S. The holiday shopping season is now in full swing, and there are plenty of deals to be had in stores and online. This also makes it a prime time for attackers to strike. For tips on how to stay safe when shopping this holiday season, check out our full blog post here.

This was also a busy week for vulnerabilities. We disclosed, and released protection for, bugs in the Forma learning management system, Accusoft ImageGear and EmbedThis’ GoAhead Web Server.

We also have a special surprise for you tomorrow. You’ll want to keep an eye on our blog, social media and your podcast feeds.

Vulnerability Spotlight: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability


Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read in the vmware-vmx.exe process on the host, or theoretically through WebGL.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, December 3, 2019

ClamAV team shows off new Mussels dependency build automation tool


By Micah Snyder.

Today I'm very excited, and a little bit nervous, to unveil Mussels. Mussels is a cross-platform, general-purpose dependency build automation tool. You might compare it with Vcpkg, Conan, or Buildout. It serves a similar purpose, but the approach is a little different.

Mussels is intended to simplify the process of building complex applications that have lengthy dependency chains without having to write all new CMake, Meson, Bazel, XCode, or Visual Studio project files. Instead, you write (and share) simple recipes that leverage the original build systems intended by software authors of your external library dependencies.

For more on Mussels, and where to download it, read the complete post over at the ClamAV blog.

Monday, December 2, 2019

Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System


Yuri Kramarz of Security Advisory EMEAR discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. The LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Forma to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Accusoft ImageGear PNG IHDR width code execution vulnerability


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document-imaging developer toolkit from Accusoft that developers can use to build their applications. The library covers the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library itself.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead


A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw. 

EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multipart/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.

GoAhead Web Server is a popular embedded web server designed to be a fully customizable web application framework and server for embedded devices. It provides all the base HTTP server functionality and provides a highly customizable platform for developers of embedded web applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with EmbedThis to ensure that these issues are resolved and that an update is available for affected customers.