Friday, April 3, 2020

Threat Roundup for March 27 to April 3

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 27 and April 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, April 2, 2020

Threat Source newsletter (April 2, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

As long as COVID-19 is in the headlines (which is going to be a long time), actors are going to try to capitalize on it. We fully expect to see a rise in spam that’s now related to the economic assistance package passed by the U.S. government.

In non-virus-related news, we also have a new overview of the Trickbot banking trojan. This family has been around for a while, but we’ve recently seen a spike in distribution related to the aforementioned COVID-19 campaigns. What does Trickbot look like? And what are some best practices to defend against it? We run through all that here.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

AZORult brings friends to the party

By Vanja Svajcer.

NEWS SUMMARY

  • We are used to ransomware attacks and big game hunting making the headlines, but there is an undercurrent of other attack types that allow attackers to monetize their efforts in a less intrusive way.
  • Here, we discuss a multi-pronged cyber criminal attack using a number of techniques that should alert blue team members with appropriate monitoring capability but are not immediately obvious to end-users.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1202 (Indirect Command Execution), T1055 (Process Injection), T1064 (Scripting), T1053 (Scheduled Task) and T1011 (Exfiltration Over Other Network Medium).

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There's also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.

What's new?

Embedding an executable downloader in an ISO image file is a relatively new method of delivery for AZORult. It's also unusual to see attackers using multiple methods to make money.

How did it work?

The infection chain starts with a ZIP file, which contains an ISO disk image file. When the user opens the ISO file, a disk image containing an executable loader is mounted. When the loader is launched, it deobfuscates malicious code which downloads the first obfuscated PowerShell loader stage that kickstarts the overall infection, disables security tools and Windows update service and downloads and launches the payloads.

So what?

Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they will attempt to find the smallest crack to achieve their goals. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.

Tuesday, March 31, 2020

Trickbot: A primer

By Chris Neal

Executive Summary

  • Trickbot remains one of the most sophisticated banking trojans in the landscape while constantly evolving.
  • Highly modular, Trickbot can adapt to different environments with the help of its various modules.
  • The group behind Trickbot has expanded their activities beyond credential theft into leasing malware to APT groups.

Overview

In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point-of-sale (POS) systems. Not only does Trickbot function as a standalone trojan, it is also commonly used as a dropper for other malware such as the Ryuk ransomware. This wide range of functionality allows the malware to adapt to different environments and maximize its effectiveness in a compromised network.

Monday, March 30, 2020

COVID-19 relief package provides another platform for bad actors

The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.

Along with the general increase in coronavirus- and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure for additional attacks that trick unsuspecting victims into divulging personal information or subject them to financial exploitation.

Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.

As noted earlier by Talos, we anticipate existing malicious campaigns to leverage this new material into their attacks. In our previous blog post about COVID-19, we emphasized that enterprises should take precautions to avoid being victimized by these attacks.

Everyone should be aware and expect to see campaigns focused around stimulus checks or other benefits. Stay alert and vigilant.

Friday, March 27, 2020

Threat Roundup for March 20 to March 27

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 20 and March 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, March 26, 2020

Threat Source newsletter (March 26, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Just because we’re all still working from home doesn’t mean you can stop patching. We’ve been busy this week with a new wave of vulnerabilities we disclosed, including in Intel RAID Web Console, Videolabs and GStreamer.

If you’re looking to fill some silence at home or just want to hear a friendly voice, we’re still uploading new podcasts every week, so subscribe to Beers with Talos and Talos Takes on your favorite podcatcher.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Threat Update: COVID-19

Executive Summary

The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.

Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them and that organizations have implemented security best practices for remote work.

Tuesday, March 24, 2020

Vulnerability Spotlight: Intel RAID Web Console 3 denial-of-service bugs

Geoff Serrao of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two denial-of-service vulnerabilities in the web API functionality of Intel RAID Web Console 3. The RAID Web Console is a web-based application that provides several configuration functions for the Intel RAID line of products, which includes controllers and storage expanders. The console monitors, maintains and troubleshoots these products. An attacker could exploit both of these bugs by sending a malicious POST request to the API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Intel to ensure that these issues are resolved and that an update is available for affected customers.

Monday, March 23, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Videolabs libmicrodns

Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

A specific library in the Videolabs family of software contains multiple vulnerabilities that could lead to denial of service and code execution. Videolabs is a company founded by VideoLAN members and is the current editor of the VLC mobile applications and one of the largest contributors to VLC. They also develop libmicrodns, a library which is used by VLC media player for mDNS services discovery. The libmicrodns library contains multiple vulnerabilities that could allow attackers to carry out a variety of malicious actions, including causing a denial of service and gaining the ability to execute arbitrary code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Videolabs to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Denial-of-service vulnerability in GStreamer

Peter Wang of Cisco ASIG discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in GStreamer, a pipeline-based multimedia framework. GStreamer contains gst-rtsp-server, an open-source library that allows the user to build RTSP servers. This library contains a vulnerability that an attacker could exploit to cause a null pointer dereference, resulting in a denial of service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with GStreamer to ensure that these issues are resolved and that an update is available for affected customers.

Friday, March 20, 2020

Threat Roundup for March 13 to March 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 13 and March 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #75: Now That Coronavirus Made a Global WFH Policy...

Beers with Talos (BWT) Podcast episode No. 74 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 13, 2020

Of course, we have to talk about the implications of coronavirus. It's affecting the way business and security are getting done. While everything about the COVID-19 pandemic seems to be a fluid situation, a rare constant has been the same rehashed disaster scams. But that could quickly change with the mass shift toward remote work. This episode takes a look at both securing that shift as well as practical advice for those of us finding ourselves newly remote employees.

Thursday, March 19, 2020

Threat Source newsletter (March 19, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone is staying home (if possible) and staying safe. Unfortunately, the bad guys aren’t going anywhere, so we’re still plugging away remotely. Hasn’t anyone told them we need a break?

COVID-19 is obviously on the top of everyone’s mind. We are working on some new content around working from home and COVID-related malware. In the meantime, go back and read our post from February about attackers trying to take advantage of coronavirus panic.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Friday, March 13, 2020

Threat Roundup for March 6 to March 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 6 and March 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #74: Impacting civil society

Beers with Talos (BWT) Podcast episode No. 74 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 2, 2020

We open up the show with a sugary sweet poem before talking about RSA and our annual trip through the startup hall. Matt expertly segues the crew into talking about the impact the security industry can have on public-interest technologies and civil society - both in the industry sense as well as in the interpersonal sense. Finally, we take a look at opposing mindsets and approaches, discussing how partnering with an adversarial approach is not nearly the oxymoron it seems.

Thursday, March 12, 2020

Threat Source newsletter (March 12, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Obviously, COVID-19 is dominating headlines everywhere, and for good reason. We hope everyone out there is staying safe and healthy and making the appropriate decisions when it comes to traveling and working.

In certainly less serious news, we have our monthly Microsoft Patch Tuesday post and the accompanying Snort rules out. There is also a large Vulnerability Spotlight out on several vulnerabilities we discovered in products from WAGO, a popular producer of automation software.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Tuesday, March 10, 2020

Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw and Vitor Ventura.

Update (March 12, 2020): Microsoft released an out-of-band patch for CVE-2020-0796, a code execution vulnerability in the SMB client and server for Windows. An unauthenticated attacker could exploit this vulnerability to execute code remotely. Snort rules 53425 - 53428 protect against exploitation of CVE-2020-0796.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important.

This month's patches include updates to Microsoft Media Foundation, the GDI+ API and Windows Defender, among others.

Talos released a new set of SNORT® rules today that provide coverage for some of these vulnerabilities, which you can see here.

Vulnerability Spotlight: Information disclosure in Windows 10 Kernel

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information disclosure vulnerability in the Windows 10 kernel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted executable, causing an out-of-bounds read, which leads to the disclosure of sensitive information.

Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Monday, March 9, 2020

Vulnerability Spotlight: WAGO products contain remote code execution, other vulnerabilities

Patrick DeSantis, Carl Hurd, Kelly Leuschner and Lilith [-_-]; of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered several vulnerabilities in multiple products from the company WAGO. WAGO produces a line of automation software called “e!COCKPIT,” an integrated development environment that aims to speed up automation tasks and machine and system startup. The e!COCKPIT software interfaces with different automation controllers, including the PFC100 and PFC200. The vulnerabilities described here exist within the e!COCKPIT software or the two associated automation controllers. A remote attacker could exploit these vulnerabilities to carry out a variety of malicious activities, including command injection, information disclosure and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues are resolved and that updates are available for affected customers.

Friday, March 6, 2020

Threat Roundup for February 28 to March 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 28 and March 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, March 5, 2020

Threat Source newsletter (March 5, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Sure, all anyone wants to talk about is coronavirus. But what about cyber security? We’ve still got cool stuff, like this huge write-up on the Bisonal malware and how it’s changed over the past 10 years. While its victimology has always stayed the same, we walk through how its creators have added on new features over time to avoid detection.

There’s also another entry in our Incident Response “Stories from the Field” video series. This time, Matt Aubert discusses ransomware infections he’s seen in the wild and passes on some lessons to you.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Bisonal: 10 years of play

By Warren Mercer, Paul Rascagneres and Vitor Ventura.

Update 06/03/20: added samples from 2020.

Executive summary

  • Security researchers detected and exposed the Bisonal malware over the past 10 years. But the Tonto team, the threat actor behind it, didn't stop.
  • The victimology didn't change over time, either. Japanese, South Korean and Russian organizations were the prime targets for this threat actor.
  • The malware evolved to lower its detection ratio and improve the initial vector success rate.

What's new?

Bisonal is a remote access trojan (RAT) that's part of the Tonto Team arsenal. The peculiarity of the RAT is that it's been in use for more than 10 years — this is an uncommon and long period for malware. Over the years, it has evolved and adapted mechanisms to avoid detection while keeping the core of its RAT the same. We identified specific functions that have remained in use for more than six years.

How did it work?

Bisonal's operators used multiple lure documents to entice victims to open them and become infected with the Bisonal malware. This group has continued its operations for over a decade and continues to evolve its malware to avoid detection. The group primarily used spear phishing to obtain a foothold within its victims' networks. Its campaigns had very specific targets, which suggests that their end game was operational intelligence gathering and espionage.

So what?

This is an extremely experienced group that is likely to continue its activities even after exposure; even though we identified mistakes and sloppy copy/paste, they have been doing this job for more than 10 years. We think that exposing this malware, explaining its behavior and the campaigns in which Bisonal was used is important to protect potential future targets. The targets so far are located in the public and private sectors, with a focus on Russia, Japan and South Korea. We recommend that entities in these areas prepare for this malware and actor and implement detections based on the technical details provided in this article.

Tuesday, March 3, 2020

Video: What defenders can learn from past ransomware attacks

The Cisco Talos Incident Response "Stories from the Field" video series returns with another entry from Matt Aubert.

This time, Matt discusses ransomware infections he's seen in real-time, and shares what defenders can learn from others' mistakes and recovery.

Is it ever smart to pay the extortion payment attackers request? Which ransomware families should organizations be most worried about? Matt covers all of this in just six minutes.

You can watch the full video above or over on our YouTube page here. You can get all of the Stories from the Field videos in one place on our playlist, too.

Friday, February 28, 2020

Threat Roundup for February 21 to February 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 21 and Feb. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 27, 2020

Threat Source newsletter (Feb. 27, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We know we’ve kept you waiting for a while, but the new Snort Resources page is finally here. We’ve got new and improved documentation, but our most exciting feature is the new Snort 101 video series. In these short tutorials, you’ll learn everything you need to know about configuring Snort 2 and 3, and the series even dives a little bit into rule writing. Head over to the Snort blog for more.

If you’re hanging out at RSA, what better way to escape the crowds for a few minutes than slinking off to listen to the new Beers with Talos episode. It’s shorter than usual, but we’ve still got plenty of talk of vulnerability research and software licenses.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Beers with Talos Ep. #73: Feature ownership, vuln advisories and fancy audio FX

Beers with Talos (BWT) Podcast episode No. 73 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Feb. 19, 2020

Craig made an oopsie. Pardon his echo-chamber reverb. We had no idea until he sent in his audio for mixing. This is a shorter episode focusing on software licensing and features, as well as vulnerability disclosure. Join us to talk about vendors' abilities to disable feature sets and owning versus using products. We further chat about vulnerabilities and how a vendor with no security advisories is often seen as a “more secure” option, when in fact, that can mean the exact opposite.

Tuesday, February 25, 2020

New Research Paper: Prevalence and impact of low-entropy packing schemes in the malware ecosystem

Detection of malware is a constant battle between the technologies designed to detect and prevent malware and the authors creating it. One common technique adversaries leverage is packing binaries. Packing an executable is similar to applying compression or encryption and can inhibit the ability of some technologies to detect the packed malware. High entropy is traditionally a tell-tale sign of the presence of a packer, but many malware analysts have probably encountered low-entropy packers more than once. Numerous popular tools (e.g., PEiD, Manalyze, Detect It Easy), malware-related courses, and even reference books on the topic affirm that packed malware often shows high entropy. As a consequence, many researchers use this heuristic in their analysis routines. It is also well known that the tools typically used to detect packers are based on signature matching and may sometimes combine other heuristics, but again, the results are not completely faithful, as many of the signatures that circulate are prone to false positives.

Monday, February 24, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Moxa AWK-3131A

Jared Rittle and Carl Hurd of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The Moxa AWK-3131A networking device contains several different vulnerabilities that an attacker could exploit to carry out malicious activities in an industrial environment. The AWK-3131A is a wireless networking device that is meant to be used in large-scale, industrial cases to provide communication across the environment in which it's deployed. This device contains several bugs that could lead to numerous malicious activities, including remote code execution and privilege escalation.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Moxa to ensure that these issues are resolved and that an update is available for affected customers.

Friday, February 21, 2020

Threat Roundup for February 14 to February 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 14 and Feb. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 20, 2020

Threat Source newsletter (Feb. 20, 2020)

Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’ve got more ways than ever for you to get Talos content. We continue to grow our YouTube page with the second entry in the “Stories from the Field” series, this time with Matt Aubert discussing when to get lawyers involved in an incident.

Our podcast family also continues to grow, with new episodes this week of Talos Takes and Beers with Talos.

On the old-fashioned write-up end of things, we have the latest on our research into adversaries’ use of living-off-the-land binaries (also known as “LoLBins”). Recently, we’ve seen a wave of attacks utilizing the Microsoft Build Engine to conduct post-infection activities.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

ObliqueRAT: New RAT hits victims' endpoints via malicious documents

By Asheer Malhotra.

  • Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT."
  • These maldocs use malicious macros to deliver the second stage RAT payload.
  • This campaign appears to target organizations in Southeast Asia.
  • Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What's New?

Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family we're calling "ObliqueRAT." Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT, which used similar maldocs and macros. CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia.

How did it work?

This RAT is dropped to a victim's endpoint using malicious Microsoft Office Documents (maldocs). The maldocs aim to achieve persistence for the second-stage implant that contains a variety of RAT capabilities, which we're calling "ObliqueRAT." In this post, we illustrate the core technical capabilities of the maldocs and the RAT components including:

  • The maldoc-based infection chain.
  • A variant distributed using a dropper EXE.
  • Detailed capabilities and command codes of the RAT implant (second-stage payload).
  • Communication mechanisms used.

So what?

This malware is an example of how a simple yet effective RAT is used to implement a wide variety of malicious capabilities. Key capabilities of ObliqueRAT include:

  • Ability to execute arbitrary commands on an infected endpoint.
  • Ability to exfiltrate files.
  • Ability to drop additional files.
  • Ability to terminate processes on the infected endpoint.


Analysis of a recently discovered preliminary variant of ObliqueRAT in this post presents insights into the evolution of this threat. Analysis of the key similarities and differences between the ObliqueRAT and CrimsonRAT campaigns shows how the attackers changed their tactics and techniques to continue their attacks while trying to bypass detection. This campaign also shows us that while network-based detection is important, it can be complemented with system behavior analysis and endpoint protections for additional layers of security.

Wednesday, February 19, 2020

Cisco Talos Incident Response "Stories from the Field" #2: When do lawyers get involved?



The second video in our "Stories in the Field" series from Cisco Talos Incident Response is here, with Matt Aubert talking about lawyers.

While getting a general counsel involved may seem like an arduous process for many incident response teams, Matt Aubert argues in this video that in his experience, it's best to get lawyers involved early on in the recovery process.

Watch the full video above or over at our YouTube page here. And to learn more about Talos Incident Response, click here.

Tuesday, February 18, 2020

Vulnerability Spotlight: Memory corruption, DoS vulnerabilities in CoTURN


Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

CoTURN contains denial-of-service and memory corruption vulnerabilities in the way its web server parses POST requests. CoTURN is a TURN server implementation that can be used as a general-purpose network traffic TURN server and gateway. The software includes a web server for administration purposes, which is where these two vulnerabilities exist.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CoTURN to ensure that these issues are resolved and that an update is available for affected customers. CoTURN notified Talos that these vulnerabilities were also discovered by Quarkslab.

Building a bypass with MSBuild


By Vanja Svajcer.


NEWS SUMMARY


  • Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders.
  • We analyze the usage of the Microsoft Build Engine by attackers and red team personnel.
  • These threats demonstrate techniques T1127 (Trusted Developer Utilities) and T1500 (Compile After Delivery) of the MITRE ATT&CK framework.


In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called "living-off-the-land" approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to measure the usage of LoLBins in real-world attacks.

Specifically, we are going to focus on MSBuild as a platform for post-exploitation activities. For that, we are collecting information from open and closed data repositories as well as the behavior of samples submitted for analysis to the Cisco Threat Grid platform.

What's new?


We collected malicious MSBuild project configuration files and documented their structure, observed infection vectors and final payloads. We also discuss potential actors behind the discovered threats.

How did it work?


MSBuild is part of the Microsoft Build Engine, a software build system that builds applications as specified in its XML input file. The input file is usually created with Microsoft Visual Studio. However, Visual Studio is not required when building applications, as some .NET framework and other compilers that are required for compilation are already present on the system.

The attackers take advantage of MSBuild characteristics that allow them to include malicious source code within the MSBuild configuration or project file.

So What?


Attackers see a few benefits when using the MSBuild engine to include malware in source code form. This technique was discovered a few years ago and is well-documented by Casey Smith, whose proof-of-concept template is often used in the samples we collected.

  • First of all, this technique can be used to bypass application whitelisting technologies such as Windows AppLocker.
  • Another benefit is that the code is compiled in memory, so no permanent files exist on disk that might otherwise raise defenders' suspicion.
  • Finally, the attackers can employ various methods to obfuscate the payload, such as randomizing variable names or encrypting the payload with a key hosted on a remote site, which makes detection using traditional methods more challenging.
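A hunting check for the project-file structure this technique depends on, written here as an added example (not Talos or Microsoft code): it walks an MSBuild project for `UsingTask` elements that carry embedded source in a `Code` element and reports the language, code type and any assumed-suspicious API names it finds. The sample project text and the API list are constructed for the demonstration.

```python
# Added example (not Talos code): flag MSBuild project files that carry inline
# C#/VB source via <UsingTask>/<Task>/<Code>, the structure the MSBuild LoLBin
# technique relies on. Sample project text below is constructed for the demo.
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# API names in embedded source that deserve a second look (assumed heuristics).
SUSPICIOUS_API = [
    "Assembly.Load", "VirtualAlloc", "CreateThread", "FromBase64String",
    "WebClient", "Process.Start",
]

def local(tag):
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.split("}", 1)[-1]

def find_inline_tasks(project_xml):
    """Return one finding dict per <Code> element found under a <UsingTask>."""
    root = ET.fromstring(project_xml)
    findings = []
    for using_task in root.iter():
        if local(using_task.tag) != "UsingTask":
            continue
        for code in using_task.iter():
            if local(code.tag) != "Code":
                continue
            src = code.text or ""
            findings.append({
                "task": using_task.get("TaskName", "?"),
                "language": code.get("Language", "cs"),
                "code_type": code.get("Type", "Fragment"),
                "suspicious_calls": sorted(a for a in SUSPICIOUS_API if a in src),
                # long base64-looking runs often hide an encoded second stage
                "base64_blob": bool(re.search(r"[A-Za-z0-9+/]{200,}={0,2}", src)),
            })
    return findings

# Constructed sample: only the shape of an inline task, with a harmless body.
SAMPLE_PROJECT = f"""<Project ToolsVersion="4.0" xmlns="{MSBUILD_NS}">
  <Target Name="Build"><Demo /></Target>
  <UsingTask TaskName="Demo" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      using System; using Microsoft.Build.Framework;
      public class Demo : ITask {{ public IBuildEngine BuildEngine {{ get; set; }}
        public ITaskHost HostObject {{ get; set; }}
        public bool Execute() {{ var b = Convert.FromBase64String("AAAA"); return true; }} }}
    ]]></Code></Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    for finding in find_inline_tasks(SAMPLE_PROJECT):
        print(finding)
```

Run over a directory of `.csproj`/`.xml` files, a non-empty result for a project that never legitimately needed an inline task is the signal worth pairing with the process-creation telemetry the post describes.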


Friday, February 14, 2020

Beers with Talos Ep. #72: Getting to Patch Day - Understanding Vulnerability Risks and Options


Beers with Talos (BWT) Podcast episode No. 72 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Jan. 31, 2020

When a vulnerability is released, regardless of whether it has a website and logo, we need to understand the risk to the network and what defense options are possible before the patch is ready for production. Can you defend against the vulnerability, or do you go straight for known exploits? What happens if an exploit occurs? Also discussed: Talos begins releasing Threat Assessment Reports based on IR engagement data and known prevalent threats. Snort has a new series of training and lab videos available for Snort 2 and Snort 3.