Monday, December 21, 2020

2020: The year in malware



By Jon Munshaw.

Nothing was normal in 2020. Our ideas of working from offices, in-person meetings, hands-on learning and basically everything else were thrown into disarray early in the year. Since then, we defenders have had to adapt. But so have workers around the globe, and the IT and security professionals in charge of keeping those workers' information secure.

Adversaries saw all these changes as an opportunity to capitalize on strained health care systems, schools scrambling to adapt to online learning and companies who now had employees bringing home sensitive information and data while working on their personal networks. This led to a huge spike in ransomware attacks and headlines all over of companies spending millions of dollars to recover their data and get back to work quickly.  

Oh, and there was a presidential election this year, too, which came with its own set of challenges. 

To recap this crazy year, we’ve compiled a list of the major malware, security news and more that Talos covered this year. Look through the timeline below and click through some of our other blog posts to get caught up on the year that was in malware. 

Talos Vulnerability Discovery Year in Review — 2020


While major attacks like ransomware and COVID-19-themed campaigns made headlines across the globe this year, many attacks were prevented through the simple practices of finding, disclosing and patching vulnerabilities. Cisco Talos' Systems Vulnerability Research Team discovered 231 vulnerabilities this year across a wide range of products. And thanks to our vendor partners, these vulnerabilities were patched and published before any attackers could exploit them. Each vulnerability Talos addresses is an opportunity lost for attackers. Mitigating possible zero-day breaches in your defenses is the easiest and fastest way to prevent wide-ranging and business-critical cyber attacks.

Like everything else, COVID has changed the threat landscape. The global workforce shifted to a largely remote working environment and remote communication software has skyrocketed in popularity. Although there is no clear timeline on when the current pandemic will subside, fully remote and connected workforces are here to stay. This is reflected in the increased attention that Talos gave to library, web/mobile and driver vulnerabilities this year. In this post, we'll give an overview of all of our vulnerability work from 2020 and fill you in on patches you may have missed.

Philosophy

Cisco Talos' Systems Vulnerability Research Team protects our customers and the broader online community by investigating software, operating system, internet-of-things (IoT) device, service, web and mobile vulnerabilities. Talos fosters coordinated vulnerability disclosure via a 90-day default timeline. We work together with any vendor to responsibly close and address any vulnerable attack vector that our research uncovers, which ensures timely patch and mitigation strategies. Our research provides detection content that protects our customers during the vendor response window. Upon coordinated disclosure, Talos detection content is made publicly available, along with a detailed report for each vulnerability that you can find on the Talos vulnerability information page here.

Talos also regularly releases Vulnerability Spotlight blog posts which feature an in-depth technical analysis of vulnerabilities discovered as well as a brief summary highlighting the possible impact of exploitation. You can find these Vulnerability Spotlight blog posts here.

Talos' timeline of reporting and disclosing a vulnerability, per Cisco's Vendor Vulnerability and Disclosure Policy:




In fiscal year 2020, we published 231 advisories resulting in 277 CVEs, in a wide range of software including operating systems, IoT devices, Microsoft Office products, browsers, PDF readers and more. This is a marked increase in both advisories and assigned CVEs from 2019.

While we do our best to increase coverage and thus the overall security of the Internet, bulletproof software just doesn't exist. Even vendors with large security teams make mistakes, and many don't even have those. Cisco Talos strives to increase our coverage of vulnerabilities in a landscape of insecure software and hardware. This is not an indictment of vendors - everyone makes mistakes, and not everyone has the same resources to devote to secure coding and development.

Advisories by percentage



Some highlights of this year:

  • Multiple vulnerabilities in major PDF apps, including Adobe PDF, Foxit PDF, NitroPDF and Google PDFium.
  • Multiple vulnerabilities in graphics drivers from Intel, Nvidia and AMD. These graphics drivers vulnerabilities resulted in Microsoft deciding to deprecate and disable RemoteFX in Windows and will fully remove it in February 2021.
  • Multiple vulnerabilities in Pixar OpenUSD, a library that is used by default on Mac OS X and iOS for USD files.
  • As part of our participation in Microsoft's Azure Sphere research challenge, we also found another 16 vulnerabilities in Azure Sphere.
  • Multiple vulnerabilities in major web browsers such as Firefox, Chrome and Safari — including the WebKit system used by many of these browsers.
  • Other major applications in which we found issues include Synology's SRM and DSM firmware and Microsoft Office and Windows.


Advisories by total numbers



We work closely with all vendors under our coordinated disclosure policy, while ensuring our customers and communities are protected with detection content until patches are issued. This proactive research and content advances security for everyone, as we all benefit from more secure software and hardware.

For vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.

Friday, December 18, 2020

Threat Roundup for December 11 to December 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 11 and Dec. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 17, 2020

Threat Source newsletter (Dec. 17, 2020)

  

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

This will be our last Threat Source newsletter of the year. We’ll be on a few-week break for the holidays until Jan. 7. 

Of course, all anyone wants to talk about this week is the SolarWinds supply chain attack. There are still many outstanding questions yet to be answered. But everything Cisco Talos knows about this incident and our coverage can be found here. And our pre-existing coverage keeps users protected from the exploitation of any of the FireEye vulnerabilities that arose out of this attack. 

While we’re away for the holidays, why not do some reverse-engineering and threat hunting of your own with some of our open-source tools? We just released new versions of GhIDA and Dynamic Data Resolver as an early holiday present.  

Talos tools of the trade



By Andrea Marcelli and Holger Unterbrink.

If you're looking for something to keep you busy while we're all stuck inside during the holidays, Cisco Talos has a few tools for you you can play with in the coming days and weeks.

We recently updated GhIDA to work with the latest version of IDA and we are releasing new features for the award-winning Dynamic Data Resolver (DDR).

Wednesday, December 16, 2020

Vulnerability Spotlight: Multiple vulnerabilities in NZXT computer monitoring software



Carl Hurd of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

NZXT’s CAM computer monitoring software contains multiple vulnerabilities an attacker could use to carry out a range of malicious actions. CAM provides users information on their machines, such as fan speeds, temperature, RAM usage and network activity. The software also holds an inventory of all peripheral devices installed in the PC at a given time.

A specific driver on this software contains several vulnerabilities Cisco Talos recently discovered. If exploited, a malicious user could carry out such actions on the victim machine as elevating their privileges and disclosing sensitive information.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NZXT to disclose these vulnerabilities and ensure that an update is available.

Vulnerability Spotlight: Two vulnerabilities in Lantronix XPort EDGE



Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Executive summary

Cisco Talos recently discovered two vulnerabilities in the Web Manager functionality of Lantronix XPort EDGE. The XPort EDGE is a next-generation wired Ethernet gateway for providing secure Ethernet connectivity to serial devices. An adversary could send the victim various requests to trigger two vulnerabilities that could later allow them to shut down access to the device and disclose sensitive information.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Lantronix to ensure that these issues are resolved and that an update is available for affected customers.

Monday, December 14, 2020

Threat Advisory: SolarWinds supply chain attack


Update 12/21: IOC section updated to include new information and associated stage.

Update 12/18: We have been able to verify that the name server for the DGA domain was updated as far back as late February. Compromised binaries appear to have been available on the SolarWinds website until very recently. The blog below has been amended with this information. The IOC list has been modified.

Update 12/17: Additional IOCs added related to teardrop secondary payload.

Update 12/16: Based on the announcement from FireEye, Microsoft, and GoDaddy, avsvmcloud[.]com has been unblocked, as it is now functioning as a kill switch in an effort to help limit adversaries' access. Please note that this does not imply complete protection from these attacks. Additional remediation steps should and must be taken. Additional details here.

Update 12/14: We note there is a discrepancy in guidance coming from DHS and SolarWinds. The SolarWinds advisory suggests users upgrade to the latest version, Orion Platform version 2020.2.1 HF 1, while DHS guidance says 2020.2.1 HF1 is affected. However, we note that SolarWinds announced they will be releasing another hot-fix, 2020.2.1 HF 2, on December 15, which “replaces the compromised component and provides several additional security enhancements.” Talos urges customers to follow DHS guidance at this time and install 2020.2.1 HF 2 as soon as it becomes available.


Cisco Talos is monitoring yesterday's announcements by FireEye and Microsoft that a likely state-sponsored actor compromised potentially thousands of high-value government and private organizations around the world via the SolarWinds Orion product. FireEye reported on Dec. 8 that it had been compromised in a sophisticated attack in which state-sponsored actors stole sensitive red team tools. Upon investigating the breach further, FireEye and Microsoft discovered that the adversary gained access to victims' networks via trojanized updates to SolarWinds' Orion software.

Threat activity details


In another sophisticated supply-chain attack, adversaries compromised updates to the SolarWinds Orion IT monitoring and management software, specifically a component called "SolarWinds.Orion.Core.BusinessLayer.dll" in versions 2019.4 HF 5 through 2020.2.1. The digitally signed updates were posted on the SolarWinds website until recently. This backdoor is being tracked by FireEye as SUNBURST, and it can communicate with third-party servers using HTTP. The backdoor is loaded by the actual SolarWinds executable before the legitimate code, so as not to alert the victim that anything is amiss.

After a period of dormancy, which can last up to two weeks, the backdoor can execute commands to transfer and execute files, profile the system, reboot the machine and disable system services. Note that a number of SUNBURST samples have been observed along with varying payloads, including a memory-only dropper dubbed "Teardrop," which was then used to deploy Cobalt Strike beacons.

FireEye Breach Detection Guidance



Update 12/14: Cisco Talos has implemented additional blocks in relation to the supply chain attack on SolarWinds® Orion® Platform. The U.S. Cybersecurity and Infrastructure Security Agency has issued Emergency Directive 21-01 due to this campaign. Talos is continuing to investigate this matter. If necessary, we will release additional coverage. Please follow the Talos blog or Talos on Twitter for the latest updates. Additional details are available here, here and here.

Friday, December 11, 2020

Threat Roundup for December 4 to December 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 4 and Dec. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 10, 2020

Threat Source newsletter (Dec. 10, 2020)

 

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements. We know this is going to be top-of-mind for many users, so for more, check out all our coverage of these vulnerabilities here. We also have new Snort rules out, which you can read about here.

Patch Tuesday was also this week, albeit a quieter one compared to the other months this year. Microsoft disclosed just under 60 vulnerabilities, though there are still a few critical ones we wanted to point out.

Lastly, we have our latest Cisco Talos Incident Response Quarterly Trends report out. Our incident response team is seeing just as much ransomware in the wild as ever. For more insights into what we're seeing in the field, check out the full report here.

Beers with Talos Ep. #97: Getting to better security outcomes (feat. Wendy Nather)

 

Beers with Talos (BWT) Podcast episode No. 97 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Nov. 24, 2020 – On this episode, Mitch and Matt are joined by Wendy Nather to discuss the newly released Cisco Security Outcomes Study. The results and findings of the research are interesting and somewhat surprising. As often happens with most good research, we end up asking more questions — in this case, geared toward the nature of the relationships found in the data. Special thanks to Wendy for coming on and joining us. As usual, her insight is stellar and she is much more entertaining than the rest of us.

Wednesday, December 9, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Foxit PDF Reader JavaScript engine



Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Executive summary

Cisco Talos recently discovered multiple vulnerabilities in Foxit PDF Reader’s JavaScript engine. Foxit PDF Reader is a commonly used PDF reader that contains many features, including the support of JavaScript, which allows it to support interactive documents and dynamic forms. An adversary could take advantage of this JavaScript functionality, sending the victim a specially crafted file to trigger several different vulnerabilities.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to disclose these vulnerabilities and ensure that an update is available.

Quarterly Report: Incident Response trends from Fall 2020



By David Liebenberg and Caitlin Huey

For the sixth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. However, for the first quarter since we began compiling these reports, no engagements that were closed out involved the ransomware Ryuk (though there were engagements that were kicked off this quarter involving Ryuk, but have yet to close). The top ransomware families observed were Maze and Sodinokibi, though barely more than any others, continuing a trend of “democratization” for ransomware families observed in last quarter’s report, in which no one family was dominant. With Maze adversaries’ recent announcement of retirement, the possibility remains that more ransomware groups will step up to fill the void, accelerating this trend.  

Besides the drop in Ryuk, we saw a continuing decline in commodity trojans such as Trickbot and Emotet, as ransomware adversaries rely more on open-source tools, the Cobalt Strike framework, and a combination of various living-off-the-land tools and utilities, or "LoLBins."

Vulnerability Spotlight: Remote code execution vulnerabilities in Schneider Electric EcoStruxure

Alexander Perez-Palma and Jared Rittle of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered two code execution vulnerabilities in Schneider Electric EcoStruxure. An attacker could exploit these vulnerabilities by sending the victim a specially crafted network request or project archive. EcoStruxure Control Expert (formerly UnityPro) is Schneider Electric's flagship software for program development, maintenance, and monitoring of industrial networks.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, December 8, 2020

Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel



Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a code execution vulnerability in some versions of Microsoft Excel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted XLS file, triggering a use-after-free condition and allowing them to execute remote code on the victim machine. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday (Dec. 2020) — Snort rules and notable vulnerabilities

By Jon Munshaw, with contributions from Bill Largent. 

Microsoft released its monthly security update Tuesday, disclosing 58 vulnerabilities across its suite of products, the lowest number of vulnerabilities in any Patch Tuesday since January. 

There are only 10 critical vulnerabilities as part of this release, while there are two moderate-severity vulnerabilities, and the remainder are considered "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.

Friday, December 4, 2020

Threat Roundup for November 27 to December 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 27 and Dec. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, December 3, 2020

Threat Source newsletter (Dec. 3, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

While ransomware has made all the headlines this year, that doesn’t mean cryptocurrency miners are going anywhere. We recently discovered a new actor we’re calling “Xanthe” that’s mining Monero on targets’ machines. The main payload, in this case, is a variant of the XMRig Monero-mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration. 

We’ll also have a string of Beers with Talos episodes to round out the year (hopefully one new one a week). This week, the guys discuss QR codes and whether we should still care about them, and how they could potentially aid in the robots’ uprising against Craig. 

Wednesday, December 2, 2020

Vulnerability Spotlight: DoS, code execution vulnerabilities in EIP Stack Group OpENer



Martin Zeiser and Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Executive summary

Cisco Talos recently discovered two vulnerabilities in the Ethernet/IP function of EIP Stack Group OpENer. OpENer is an Ethernet/IP stack for I/O adapter devices. It supports multiple I/O and explicit connections and includes objects and services for making Ethernet/IP-compliant products as defined in the ODVA specifications. The software contains two vulnerabilities that could allow an attacker to execute code on the victim machine and cause a denial of service, respectively.

In accordance with our coordinated disclosure policy, Cisco Talos worked with EIP Stack Group to disclose these vulnerabilities and ensure that an update is available.

Tuesday, December 1, 2020

Beers with Talos Ep. #96: The boogeyman and QR codes


Beers with Talos (BWT) Podcast episode No. 96 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

We got delayed with Thanksgiving and PTO, but here is a long-awaited episode. We're ready to get an episode a week ahead of the holidays, so fret not. In this episode, we talk about QR codes becoming pervasive as easily deployed “touchless tech” (and how they could help the robots try to kill Craig), and then we take a look at some recent DOJ and APT activity that begs the question: Is bringing charges against foreign APT actors anything more than a symbolic gesture?

Xanthe - Docker aware miner



By Vanja Svajcer and Adam Pridgen, Cisco Incident Command

NEWS SUMMARY


  • Ransomware attacks and big-game hunting are making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways.
  • Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably Disabling Security Tools - T1089, External Remote Services - T1133, Exploit Public-Facing Application - T1190, Resource Hijacking - T1496, Scheduled Task - T1053, Bash History - T1139, SSH Hijacking - T1184 and Rootkit - T1014.


Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered an interesting campaign affecting Linux systems employing a multi-modular botnet with several ways to spread and a payload focused on providing financial benefits for the attacker by mining Monero online currency.

The actor employs various methods to spread across the network, like harvesting client-side certificates for spreading to known hosts using SSH, or spreading to systems with an incorrectly configured Docker API.

What's new?


We believe this is the first time anyone's documented Xanthe's operations. The actor is actively maintaining all the modules and has been active since March this year.

How did it work?


The infection starts with the downloader module, which downloads the main installer module, which is also tasked with spreading to other systems on the local and remote networks. The main module attempts to spread to other known hosts by stealing the client-side certificates and connecting to them without the requirement for a password.

Two additional bash scripts terminate security services, remove competitors' botnets and ensure persistence by creating scheduled cron jobs and modifying one of the system startup scripts.

The main payload is a variant of the XMRig Monero mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process enumeration.

So what?


Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they look for the smallest crack to seep in, like we see in Xanthe's potential to spread using systems with exposed Docker API. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not specifically targeted at their infrastructure.
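The Xanthe write-up above points at an exposed Docker API as one of the cracks the actor seeps through. The following is an added example, not code from the Talos post or the Xanthe analysis, showing a defender-side check for that misconfiguration: it parses `ss -ltn`-style listener output and a dockerd `daemon.json` and flags Docker Engine API listeners bound to non-loopback addresses without TLS. The sample listener lines and the daemon.json fragments are constructed for the example; the port conventions (2375 plaintext, 2376 TLS) and the `hosts`/`tlsverify` daemon.json keys are Docker's documented ones.

```python
"""Flag Docker Engine API listeners reachable from the network without TLS.

Added example for the Xanthe summary; not code from the original post.
"""
import json
import re
from typing import List, Tuple

# Docker's conventional API ports: 2375 is plaintext, 2376 is the TLS convention.
PLAINTEXT_API_PORT = 2375
TLS_API_PORT = 2376

# Matches the "State Recv-Q Send-Q Local Address:Port ..." columns of `ss -ltn`.
LISTEN_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s")

# Constructed sample of `ss -ltn` output: one plaintext API listener on all
# interfaces (bad), one on loopback only (acceptable), and a TLS port on IPv6.
SAMPLE_SS = """State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096     0.0.0.0:2375         0.0.0.0:*
LISTEN  0       128      127.0.0.1:2375       0.0.0.0:*
LISTEN  0       4096     *:22                 *:*
LISTEN  0       4096     [::]:2376            [::]:*
"""

# Constructed daemon.json fragments: a weak configuration and a hardened one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)


def _is_loopback(addr: str) -> bool:
    """True for addresses that only local processes can reach."""
    addr = addr.strip("[]")
    return addr in ("::1", "localhost") or addr.startswith("127.")


def exposed_api_from_ss(ss_output: str) -> List[Tuple[str, int]]:
    """Return (addr, port) pairs where the plaintext API port is bound off-loopback."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a column layout we do not recognise
        addr, port = m.group("addr"), int(m.group("port"))
        if port == PLAINTEXT_API_PORT and not _is_loopback(addr):
            findings.append((addr, port))
    return findings


def exposed_api_from_daemon_json(config_text: str) -> List[str]:
    """Return tcp:// entries from daemon.json `hosts` that lack TLS client verification.

    Any tcp:// host is flagged unless `tlsverify` is enabled, because without it
    anyone who can reach the socket can drive the daemon as root.
    """
    cfg = json.loads(config_text)
    tls_verified = bool(cfg.get("tlsverify", False))
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_verified]


if __name__ == "__main__":
    print("listeners:", exposed_api_from_ss(SAMPLE_SS))
    print("weak daemon.json:", exposed_api_from_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", exposed_api_from_daemon_json(HARDENED_DAEMON_JSON))
```

On a live host, feed `exposed_api_from_ss` the real output of `ss -ltn` and `exposed_api_from_daemon_json` the contents of `/etc/docker/daemon.json` (where present); a non-empty result from either is a finding worth pairing with the Docker-API indicators in the Xanthe post. The listener check deliberately ignores port 2376, since a TLS-verified listener is the documented way to offer the API remotely.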

Monday, November 30, 2020

Vulnerability Spotlight: Multiple vulnerabilities in WebKit



Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Executive summary

The WebKit browser engine contains multiple vulnerabilities in various functions of the software. A malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page on a browser utilizing WebKit.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that these issues are resolved and that an update is available for affected customers.

Friday, November 20, 2020

Threat Roundup for November 13 to November 20


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 13 and Nov. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 19, 2020

Threat Source newsletter (Nov. 19, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In case you hadn’t already realized, Snort somehow became a meme this week, so that was fun. 

As 2020 (finally...or already...I can't decide which) comes to an end, we're going to start doing a look back at the year that was in malware. And although Emotet has been around since long before this year, 2020 was particularly peculiar for the botnet because it went virtually dormant over the summer before coming back over the past few months. After we obtained ownership of several C2 domains that are part of Emotet, we looked at this threat's trends and recent changes.

We also released a new decryptor tool for the Nibiru ransomware. Any victims can use this to safely recover any files locked up as part of an infection. 

Wednesday, November 18, 2020

Back from vacation: Analyzing Emotet’s activity in 2020



By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz.

Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial malware that is delivered as part of a multi-stage infection process and is not targeted in nature. Emotet has impacted systems in virtually every country on the planet over the past several years and often leads to high impact security incidents as the network access it provides to adversaries enables further attacks, such as big-game hunting and double-extortion ransomware attacks.

Cisco Talos obtained ownership of several domains that Emotet uses to send SMTP communications. We leveraged these domains to sinkhole email communications originating from the Emotet botnets for the purposes of observing the characteristics of these email campaigns over time and to gain additional insight into the scope and profile of Emotet infections and the organizations being impacted by this threat. Emotet has been observed taking extended breaks over the past few years, and 2020 was no exception. Let's take a look at what Emotet has been up to in 2020 and the effect it's had on the internet as a whole.

Tuesday, November 17, 2020

Nibiru ransomware variant decryptor



Nikhil Hegde developed this tool.

Weak encryption

The Nibiru ransomware is a .NET-based malware family. It traverses directories in the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant.

Ransomware

Nibiru ransomware is a poorly executed ransomware variant. It traverses directories and encrypts files with Rijndael-256. The files are given an extension, .Nibiru, after encryption. The ransomware targets numerous common file extensions but skips critical directories like Program Files, Windows and System Volume Information.

Extensions targeted by Nibiru:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .png, .psd, .txt, .zip, .rar, .html, .php, .asp, .aspx, .mp4, .avi, .3gp, .wmv, .MOV, .mp3, .wav, .flac, .wma, .mov, .raw, .apk, .encrypt, .crypted, .ahok, .cs, .vb.

Compiling

We've tested the Nibiru ransomware variant decryptor using Visual Studio Community 2019, version 16.7.6, on Windows 10 with .NET Framework version 4.8.03752. No additional packages are necessary to compile.

You can download the decryptor over at the Talos GitHub.

Example hash:

e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f

Friday, November 13, 2020

Threat Roundup for November 6 to November 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 6 and Nov. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 12, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affect some versions of macOS

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Aleksandar Nikolic and Jon Munshaw.

Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions.

OpenUSD stands for "Open Universal Scene Description." Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting the various stages of the digital animation process. In most use cases it is expected to process trusted inputs, an assumption that is at odds with security considerations once the format is consumed outside the studio.

The USD file format itself is used as an interchange file format inside Apple’s ARKit (Augmented Reality), SceneKit (3-D scene composition) and ModelIO (3-D modeling and animation) frameworks. Apple’s decision to use USD as the basis of its augmented reality platform makes it a potentially interesting attack surface. With the expansion of AR applications on both macOS and iOS platforms, this becomes more important for researchers to look at. 

Threat Source newsletter (Nov. 12, 2020)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’re back after a few-week hiatus! And to celebrate, we just dropped some new research on the CRAT trojan that’s bringing some ransomware friends along with it. This blog post has all the details of this threat along with what you can do to stay protected. 

We also had Microsoft Patch Tuesday this week. The company disclosed just over 110 vulnerabilities this month that all users should patch now. Our blog post has a rundown of the most prominent bugs, and you can check out the Snort rule update for defenses against the exploitation of these vulnerabilities.

And if you missed it last week, we recently put out an advisory alerting health care organizations of a recent spike in ransomware. If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR).  Please head to this page and follow the instructions for contacting IR at the top right of the page. 

CRAT wants to plunder your endpoints

By Asheer Malhotra.

  • Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT.
  • Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint.
  • One of the plugins is a ransomware known as "Hansom."
  • CRAT has been attributed to the Lazarus APT Group in the past.
  • The RAT uses multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions, along with static detection evasion.
  • The attack also employs a multitude of anti-infection checks to evade sandbox-based detection systems.

What's new?

Cisco Talos has recently discovered a new version of the CRAT malware family. This version consists of multiple RAT capabilities, additional plugins and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including attacks against the entertainment sector.

Indicators and tactics, techniques and procedures (TTPs) discovered by this investigation resemble those of the Lazarus Group.

How did it work?

The attack consists of a highly modular malware that can function as a standalone RAT and download and activate additional malicious plugins from its C2 servers. Cisco Talos has discovered multiple plugins so far, consisting of ransomware, screen-capture, clipboard monitoring and keylogger components.

So what?

This attack demonstrates an adversary that:
  • Uses obfuscation and extensive evasion techniques to hide its malicious indicators.
  • Has evolved the malware across versions to make the attack more effective.
  • Employs a highly modular plugin framework to selectively infect targeted endpoints.
  • Most importantly, deploys RAT malware to ransack the endpoint, followed by ransomware to either extort money or burn the infrastructure of targeted entities.

Tuesday, November 10, 2020

Microsoft Patch Tuesday for Nov. 2020 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Joe Marshall.

Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products. This is a slight jump from last month when Microsoft disclosed one of their lowest vulnerability totals in months.  

Eighteen of the vulnerabilities are considered “critical,” while the vast majority of the remainder are ranked as “important,” with two considered of “low” importance. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs.

The security updates cover several different products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange servers.