Monday, September 21, 2020

New Snort, ClamAV coverage strikes back against Cobalt Strike



By Nick Mavis. Editing by Joe Marshall and Jon Munshaw.

Cisco Talos is releasing a new research paper called “The Art and Science of Detecting Cobalt Strike.”

We recently released a more granular set of updated SNORTⓇ and ClamAVⓇ detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries.

Cobalt Strike is a “paid software platform for adversary simulations and red team operations.” It is used by professional security penetration testers and malicious actors to gain access and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

Friday, September 18, 2020

Threat Roundup for September 11 to September 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 11 and Sept. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos ep. #92: Trending in Your Network — Disinformation


Beers with Talos (BWT) Podcast episode No. 92 is now available. Download this episode and subscribe to Beers with Talos:

By Mitch Neff.

Recorded Aug. 26, 2020


Disinformation is front and center right now. As disinformation efforts constantly increase, platforms struggle to contain the problem without giving the appearance of censuring or controlling all information present. A Talos research team recently published some findings on the building blocks of disinformation campaigns. Special guest Kendall McKay joins us to discuss the research she co-authored with her team in Talos. We go over exactly what defines disinformation and the most pervasive sources. We also look at who these actors are and how they operate at scale while remaining hidden. 

Thursday, September 17, 2020

Threat Source newsletter for Sept. 17, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’ve got a couple of vulnerabilities you should know about. Monday, we disclosed a bug in Google Chrome’s PDFium feature that opens the door for an adversary to execute remote code.

Our researchers also discovered several vulnerabilities in the Nitro Pro PDF Reader. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code. 

Vulnerability Spotlight: Remote code execution vulnerability Apple Safari



Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its Webkit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for Webkit used in Safari. This could give the attacker the ability to execute remote code on the victim machine. A user needs to open a specially crafted, malicious web page in Safari to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, September 15, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Nitro Pro PDF reader

Cisco Talos researchers discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple code execution vulnerabilities in the Nitro Pro PDF reader. Nitro PDF allows users to save, read, sign and edit PDFs on their computers. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Nitro Pro to ensure that these issues are resolved and that an update is available for affected customers.

Monday, September 14, 2020

Vulnerability Spotlight: Memory corruption in Google PDFium

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 11, 2020

Threat Roundup for September 4 to September 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 4 and Sept. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 10, 2020

Threat Source newsletter for Sept. 10, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In our continued research on election security, we have a new video roundtable discussion up on our YouTube page. In this Q&A-style format, I ask our researchers questions about the work they’ve done researching disinformation (aka “fake news”) and how to combat the spread of it. 

Microsoft Patch Tuesday was also this week. For our recap of all 120-something vulnerabilities Microsoft disclosed, click here. You can also take a deep dive into one of the bugs our researchers specifically discovered in the Windows 10 Common Log File System.

Wednesday, September 9, 2020

Roundtable video: Disinformation and election security

By Jon Munshaw.

In our continued coverage of election security, we decided to sit down with four Talos and Cisco researchers to discuss disinformation.

As we outlined in our recent research paper, disinformation is one of the cornerstones of threat actors' efforts to disrupt the American election process. In this video, we dive even deeper to discuss things like how legitimate websites can fall victim to disinformation campaigns and what can be done to stop the spread of fake news. You can watch the full discussion above or over on our YouTube page.

For more, check out our full paper on disinformation here and our broad overview of election security in "What to expect when you're electing."

Tuesday, September 8, 2020

Microsoft Patch Tuesday for Sept. 2020 — Snort rules and prominent vulnerabilities



By Jon Munshaw. 

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. 

Twenty-three of the vulnerabilities are considered “critical” while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.

Vulnerability Spotlight: Privilege escalation in Windows 10 CLFS driver



Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a privilege escalation vulnerability in the Windows 10 Common Log File System. CLFS is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. A malformed CLFS log file could cause a pool overflow, and an adversary could gain the ability to execute code on the victim machine. A regular user needs to open the log file to trigger this vulnerability, but since the bug is triggered at the kernel level, it would give the adversary elevated privileges. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 4, 2020

Threat Roundup for August 28 to September 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 28 and Sept. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 3, 2020

Threat Source newsletter for Sept. 3, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Check out our complete details of the threat and our protections here.

We are also excited to show off our fancy new Talos Email Status Portal. Here, you can see any ham or spam you’ve submitted to us for review. 

And, lastly, there’s a new Beers with Talos episode that’s all about FUD. 

Salfram: Robbing the place without removing your name tag





Threat summary


  • Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware.
  • The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others.
  • Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: The presence of a specific string value "Salfram" makes it easy to track over time.
  • Obfuscated binaries are completely different, from both a binary and execution flow graph perspective.
  • The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools.
  • This crypter appears to be undergoing active development and improvement over time.


Wednesday, September 2, 2020

Better email classification, courtesy of you

Cisco customers with Email Security Appliances (ESA) or Cloud Email Security (CES) accounts already know the benefits of Cisco’s email filtering. Every day, millions of malicious emails are automatically sent to the trash bin. Cisco encourages customers to participate in honing those filters by submitting incorrectly classified email through the Cisco Security email plug-in or by direct email. 

Introducing the Email Status Portal for TalosIntelligence.com 

The new Cisco Talos Email Status Portal allows customers to: 
  • View mail samples submitted and their statuses
  • See graphical displays of submission metrics
  • Administer domains and user access
  • Generate reports of this data

Tuesday, September 1, 2020

Beers with Talos ep. #91: Get the FUD out



Beers with Talos (BWT) Podcast episode No. 91 is now available. Download this episode and subscribe to Beers with Talos:

By Mitch Neff.

Recorded Aug. 14, 2020


Let’s talk about FUD. It’s not enough to just say FUD sucks. Let’s talk about exactly how and why producers of FUD are garbage nightmare monster people. We also cover how they are actually damaging themselves, not just the people and organizations that buy their hype. We have rather strong opinions on this, so we invited Meredith Corley, an actual professional on the topic, to break it down for us all. Meredith is our security communications and PR director (previously of Cisco Duo and BlackHat fame) and takes us through spotting, defusing and refuting FUD in the security community. And for more on FUD, you can also listen to the Talos Takes episode covering this topic.

Vulnerability Spotlight: Code execution, memory corruption vulnerabilities in Accusoft ImageGear


Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit to assist users with image conversion, creation, editing and more. There are vulnerabilities in certain functions of ImageGear that could allow an attacker to execute code on the victim machine or corrupt the memory of the application.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Quarterly Report: Incident Response trends in Summer 2020



By David Liebenberg and Caitlin Huey.

For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others.  In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot. Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. We continued to see ransomware actors engage in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.  

For a more complete breakdown with more information, you can check out the full report summary here.

Monday, August 31, 2020

Vulnerability Spotlight: Multiple SQL, code injection vulnerabilities in OpenSIS



Yuri Kramarz and Yves Younan discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered multiple vulnerabilities in the OpenSIS software family. OpenSIS is a student information management system for K-12 students. It is available in commercial and open-source versions and allows schools to create schedules and track attendance, grades and transcripts. An adversary could take advantage of these bugs to carry out a range of malicious activities, including SQL injection and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenSIS to ensure that these issues are resolved and that an update is available for affected customers.

Thursday, August 27, 2020

Threat Roundup for August 21 to August 27


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 21 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter for Aug. 27, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

As part of our continued look at election security ahead of the November election, we have another research paper out this week. This time, we’re taking a closer look at disinformation campaigns, popularly known as “fake news.”

This paper builds on the first “What to expect when you’re electing” report by focusing on the infrastructure supporting these complex campaigns. 

On the vulnerability side of things, we also have another blog out detailing some vulnerabilities in Microsoft Azure Sphere. This builds off the ones we disclosed last month our researchers conducted as part of the Azure Sphere Security Research Challenge. 

Wednesday, August 26, 2020

What to expect when you're electing: The building blocks of disinformation campaigns

By Nick Biasini, Kendall McKay and Matt Valites.

As Cisco Talos discovered during our four-year investigation into election security, securing elections is an extremely difficult, complex task. In the first paper in our election series, “What to expect when you’re electing,” Talos outlined how the key geopolitical objective of our adversaries is to weaken the faith the world has in Western-style democracy. One component of these objectives is disinformation. 

While disinformation operations have existed throughout history, they have become a global problem in recent years, affecting various levels of government and society in many countries around the world. Threat actors are increasingly using such campaigns to influence elections, which can result in significant consequences with lasting effects. In today’s digital age, the internet has made it easy for people to create, manipulate, and post content with few restrictions on the material’s veracity, creating an environment in which it is increasingly difficult to tell fact from fiction. When used in combination with modern technology, deceptive messaging can be distributed to curated audiences anywhere in the world in real time.

Monday, August 24, 2020

Vulnerability Spotlight: Remote code execution, privilege escalation bugs in Microsoft Azure Sphere

Claudio Bozzato, Lilith >_> and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Update (Sept. 17, 2020): This post has been updated to reflect the status of Microsoft assigning CVEs to these issues.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodically verifying the device integrity to determine whether or not it should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere, two of which could lead to unsigned code execution, and the two others to privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere — conducted as part of the Azure Sphere Security Research Challenge — and follows the multiple vulnerabilities we disclosed in July.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft plans to assign CVEs for these issues on Oct. 13. We will update this blog when these have been assigned.

Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process. This vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D that Chrome uses on Windows systems. An adversary could manipulate the memory layout of the browser in a way that they could gain control of the use-after-free exploit, which could ultimately lead to arbitrary code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.

Friday, August 21, 2020

Threat Roundup for August 14 to August 21


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 14 and Aug. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 20, 2020

Vulnerability Spotlight: Internet Systems Consortium BIND server DoS


Emanuel Almeida of Cisco Systems discovered this vulnerability. Blog by Jon Munshaw.

The Internet Systems Consortium’s BIND server contains a denial-of-service vulnerability that exists when processing TCP traffic through the libuv library. An attacker can exploit this vulnerability by flooding the TCP port and forcing the service to terminate.

The BIND nameserver is considered the reference implementation of the Domain Name System of the internet. It is capable of being an authoritative name server as well as a recursive cache for domain name queries on a network. This vulnerability only applies to this specific code and does not affect any other DNS software.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ISC to ensure that these issues are resolved and that an update is available for affected customers.

Threat Source newsletter for Aug. 20, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

Hacktivism always seems so cool and noble in the movies. Video games and TV shows have no shortage of their “hacker heroes,” too. But what are the real-world consequences of users who release sensitive information or carry out data breaches in the name of their idea of good?

That's what the newest Beers with Talos episode is all about. The crew also digs deeper into the ethical considerations of hacktivism, pseudo-anonymity and the intended effect of civil disobedience on society. 

Monday, August 17, 2020

Beers with Talos Ep. #90: Hacktivism – Understanding the real-world consequences

Beers with Talos (BWT) Podcast episode No. 90 is now available. Download this episode and subscribe to Beers with Talos:

By Mitch Neff.

Recorded July 31, 2020


This week in BWT land, we’re discussing hacktivism — from the unintended consequences to the tropes perpetuated by Hollywood. Regardless of the reason or cause, hacktivism often wields DDoS and web defacement as easily deployed tools. We discuss some instances where using code as a weapon without deeper understanding can have disastrous consequences. The crew also digs deeper into the ethical considerations of hacktivism, pseudo-anonymity and the intended effect of civil disobedience on society.

Friday, August 14, 2020

Threat Roundup for August 7 to August 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 7 and Aug. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 13, 2020

Attribution: A Puzzle


By Martin Lee, Paul Rascagneres and Vitor Ventura.

Introduction


The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a court of law.

Nevertheless, the private sector rises to the challenge to attempt to associate cyber attacks to threat actors using the intelligence available to them. This intelligence takes the form of open-source intelligence (OSINT), or analysis of the technical intelligence (TECHINT), possibly derived from proprietary data. Indicators in these sources tend to point toward a threat actor if they have used the same methods in the past, or reused infrastructure from previous attacks.