Wednesday, February 19, 2020

Cisco Talos Incident Response "Stories from the Field" #2: When do lawyers get involved?



The second video in our "Stories in the Field" series from Cisco Talos Incident Response is here, with Matt Aubert talking about lawyers.

While getting a general counsel involved may seem like an arduous process for many incident response teams, Matt Aubert argues in this video that in his expereince, it's best to get lawyers involved early on in the recovery process.

Watch the full video above or over at our YouTube page here. And to learn more about Talos Incident Response, click here.

Tuesday, February 18, 2020

Vulnerability Spotlight: Memory corruption, DoS vulnerabilities in CoTURN


Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

CoTURN contains denial-of-service and memory corruption vulnerabilities in the way its web server parses POST requests. CoTURN is a TURN server implementation that can be used as a general-
purpose network traffic TURN server and gateway. The software includes a web server for administration purposes, which is where these two vulnerabilities exist.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CoTURN to ensure that these issues are resolved and that an update is available for affected customers. CoTURN notified Talos that these vulnerabilities were also discovered by Quarkslab.

Building a bypass with MSBuild


By Vanja Svajcer.


NEWS SUMMARY


  • Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders.
  • We analyze the usage of the Microsoft Build Engine by attackers and red team personnel.
  • These threats demonstrate techniques T1127 (Trusted Developer Utilities) and T1500 (Compile After Delivery) of MITRE ATT&CK framework.


In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called "living-off-the-land" approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to measure the usage of LoLBins in real-world attacks.

Specifically, we are going to focus on MSBuild as a platform for post-exploitation activities. For that, we are collecting information from open and closed data repositories as well as the behavior of samples submitted for analysis to the Cisco Threat Grid platform.

What's new?


We collected malicious MSBuild project configuration files and documented their structure, observed infection vectors and final payloads. We also discuss potential actors behind the discovered threats.

How did it work?


MSBuild is part of the Microsoft Build Engine, a software build system that builds applications as specified in its XML input file. The input file is usually created with Microsoft Visual Studio. However, Visual Studio is not required when building applications, as some .NET framework and other compilers that are required for compilation are already present on the system.

The attackers take advantage of MSBuild characteristics that allow them to include malicious source code within the MSBuild configuration or project file.

So What?


Attackers see a few benefits when using the MSBuild engine to include malware in a source code format. This technique was discovered a few years ago and is well-documented by Casey Smith, whose proof of concept template is often used in the samples we collected.

  • First of all, this technique can be used to bypass application whitelisting technologies such as Windows Applocker.
  • Another benefit is that the code is compiled in memory so that no permanent files exist on the disk, which would otherwise raise a level of suspicion by the defenders.
  • Finally, the attackers can employ various methods to obfuscate the payload, such as randomizing variable names or encrypting the payload with a key hosted on a remote site, which makes detection using traditional methods more challenging.


Friday, February 14, 2020

Beers with Talos Ep. #72: Getting to Patch Day - Understanding Vulnerability Risks and Options


Beers with Talos (BWT) Podcast episode No. 72 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Jan. 31, 2020

When a vulnerability is released, regardless if it has a website and logo or not, we need to understand the risk to the network and what defense options are possible before the patch is ready for production. Can you defend against the vulnerability or do you go straight for known exploits? What happens if an exploit occurs? Also discussed: Talos begins releasing Threat Assessment Reports based on IR engagement data and known prevalent threats. Snort has a new series of training and lab video available for Snort 2 and Snort3.

Threat Roundup for February 7 to February 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 13, 2020

Threat actors attempt to capitalize on coronavirus outbreak



By Nick Biasini and Edmund Brumaghin.
  • Coronavirus is dominating the news and threat actors are taking advantage.
  • Cisco Talos has found multiple malware families being distributed with Coronavirus lures and themes. This includes emotet and several RAT variants.

Executive Summary

Using the news to try and increase clicks and drive traffic is nothing new for malicious actors. We commonly see actors leveraging current news stories or events to try and increase the likelihood of infection. The biggest news currently is focused on the new virus affecting the world, with a focus on China: the coronavirus. There are countless news articles and email-based marketing campaigns going at full throttle right now, as such, we wanted to take a deeper look at how this is manifesting itself on the threat landscape.

Our investigation had several phases, first looking at the email based campaigns then pivoting into open-source intelligence sources for additional samples. These investigations uncovered a series of campaigns from the adversaries behind Emotet, along with a series of other commodity malware families using these same topics as lures, and a couple of odd documents and applications along the way. What was also striking was the amount of legitimate emails containing things like Microsoft Word documents and Excel spreadsheets related to the coronavirus. This really underscores why using these as lures is so attractive to adversaries and why organizations and individuals need to be vigilant when opening mail attachments, regardless of its origins.

What's new? Malware authors and distributors will go through any means necessary to achieve success and generate revenue and this is just the latest example. These lures tied to coronavirus are likely to only increase in volume and variety as the virus continues to spread and dominate the headlines.

How did it work? The majority of these campaigns were driven through email and malspam specifically. These actors would send coronavirus themed emails to potential victims and, in some cases, use filenames related to coronavirus as well, enticing victims to click attachments. One of the reasons this was so effective was the large amount of legitimate email related to coronavirus that also included attachments.

So What?
  • Organizations need to realize that attackers are going to use current events to try and get victims to open attachments or click links. You should be prepared and vigilant in identifying these emails and ensuring they don't make it to your users inboxes.
  • There is a wide variety of threats represented here so there isn't one single threat to be concerned with, just realize there will likely be a lot more.
  • It's not just malicious content, there are a lot of weird executables and other files floating around that are coronavirus-themed and are unwanted, albeit not inherently malicious.

Threat Source newsletter (Feb. 13, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This month’s Microsoft Patch Tuesday was particularly hefty, with the company disclosing nearly 100 vulnerabilities — three of which Talos researchers discovered. For our complete wrapup, check out the blog post here, and be sure to update your Microsoft products now if you haven’t already.

Over on our YouTube page, we have a new video series we’re debuting called “Stories from the Field” with the Cisco Talos Incident Response Team. In each video, one of our team members will discuss one incident they remember working on and what lessons they took away from it, and what other defenders can learn.

On the research side of things, we have new findings out about a variant of the Loda RAT. We recently discovered that this malware family added several anti-detection features and is targeting victims across the Americas. 

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, February 12, 2020

Loda RAT Grows Up


By Chris Neal.

  • Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
  • These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.
  • This campaign appears to be targeting countries in South America and Central America, as well as the U.S.

What's New?


Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.

Vulnerability Spotlight: Remote code execution vulnerability in Apple Safari


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its Fonts feature. If a user were to open a malicious web page in Safari, they could trigger a type confusion, resulting in
memory corruption and possibly arbitrary code execution. An attacker would need to trick the user into visiting the web page by some means to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, February 11, 2020

Vulnerability Spotlight: Use-after-free vulnerability in Windows 10 win32kbase


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos is releasing the details of a use-after-free vulnerability in Windows 10. An attacker could exploit this vulnerability to gain the ability to execute arbitrary code in the kernel context. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Code execution vulnerability in Microsoft Media Foundation


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation’s framework contains a code execution vulnerability. This specific bug lies in Media Foundations’ MPEG4 DLL. An attacker could provide a user with a specially crafted ASF file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Excel contains a code execution vulnerability. This specific bug lies in the component of Excel that handles the Microsoft Office HTML and XML file types, first introduced in Office 2000. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday — Feb. 2020: Vulnerability disclosures and Snort coverage












By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity.

This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Procol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.

Talos released a new set of SNORTⓇ rules today that provide coverage for some of these vulnerabilities, which you can see here.

Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader’s JavaScript function


Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information leak vulnerability in Adobe Acrobat Reader. Acrobat supports a number of features, including the ability to process embedded JavaScript. An attacker could trigger this vulnerability by tricking a user into opening a malicious file or web page with embedded JavaScript in a PDF. The attacker could then gain access to sensitive information, which could then be used in additional attacks.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Monday, February 10, 2020

Introducing Cisco Talos Incident Response: Stories from the Field



By Jon Munshaw.

As another way of bringing our boots-on-the-ground intelligence to defenders, customers and users, we are introducing a new video series called "Cisco Talos Incident Response: Stories from the Field."

In each entry, a CTIR team member will cover one specific incident or lesson that they feel can be applicable to the everyday defender. First up is Pierre Cadieux, who recalls a recent incident at a health care company. He walks through the containment of the attack and recounts some lessons from that event he shares with other customers.

You can watch the full video above. To learn more about Talos Incident Response, click here.

Vulnerability Spotlight: Accusoft ImageGear library code execution vulnerabilities


Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three code execution vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit to assist users with image conversion, creation, editing and more. There are vulnerabilities in certain functions of ImageGear that could allow an attacker to execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update (link will generate a download) is available for affected customers.

Friday, February 7, 2020

Threat Roundup for January 31 to February 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 31 and Feb. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,  Snort.org, or ClamAV.net.

Thursday, February 6, 2020

Threat Source newsletter (Feb. 6, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

There’s never been a better time to be into cyber security podcasts. Our Podcasts page on TalosIntelligence.com got a facelift this week to make room for our new show, Talos Takes. Now, Beers with Talos and Talos Takes live on the same page, where you can get caught up on your cyber news each week.

During each episode of Talos Takes, our researchers and analysts will boil down a complicated topic into a minutes-long explainer that everyone from your parents to the CEO of your company will understand. You can subscribe to Talos Takes on Apple Podcasts, Spotify, Stitcher and Pocket Casts.

As if that wasn’t enough, we also released a new Beers with Talos episode Friday, where the guys discuss why PowerShell has been so widely used in malware.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, February 5, 2020

Quarterly Report: Incident Response trends in fall 2019


By David Liebenberg and Kendall McKay.

While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we’re seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive data along with data encryption as new levers to compel victims to pay.

Monday, February 3, 2020

Vulnerability Spotlight: Denial-of-service, information leak bugs in Mini-SNMPD


Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Multiple vulnerabilities exist in Mini-SNMPD, a lightweight implementation of a Simple Network Management Protocol server. An attacker can exploit these bugs by providing a specially crafted SNMPD request to the user. These vulnerabilities could lead to a variety of conditions, potentially resulting in the disclosure of sensitive information and a denial-of-service condition.

Mini-SNMPD's small code size and memory footprint make it especially suitable for small and embedded devices. It is used, for example, by several devices based on the OpenWRT project.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Mini-SNMPD to ensure that these issues are resolved and that an update is available for affected customers. Talos also provided the patch for these issues.

Talos Takes back with new episode, feed


By Jon Munshaw.

Talos Takes, our new bite-size podcast, is back with its own feed and a new show.

We first unveiled Talos Takes in early December, and took some time to develop a new Talos Podcasts page to accommodate Talos Takes and Beers with Talos. Now you have two Talos shows you can subscribe to!

We'll be adding Talos Takes to Apple Podcasts, Google Play and other services very soon. For now, you can check out our RSS feed and all episodes here.

Our newest episode focuses on password management, hosted by Nick Biasini and Earl Carter.

Friday, January 31, 2020

Beers with Talos Ep. #71: I Have the Power(Shell)


Beers with Talos (BWT) Podcast episode No. 71 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Jan. 17, 2020

PowerShell is a frequent flyer in security headlines — a powerful and oft-wielded tool for attackers and defenders alike. This episode takes a look at PowerShell and how to help ensure its security posture as an effective management tool. We also look at the missing-the-forest-for-the-trees concept behind being concerned about the latest shiny ATP before all else.

Threat Roundup for January 24 to January 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 24 and Jan. 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 30, 2020

Threat Source newsletter (Jan. 30, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Be sure to pay close attention Tuesday for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Friday, January 24, 2020

Threat Roundup for January 17 to January 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 17 and Jan. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 23, 2020

Threat Source newsletter (Jan. 23, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Despite tensions starting to fizzle between the U.S. and Iran, people are still worried about cyber conflict. What would that even look like? Is it too late to start worrying now, anyway? That’s the main topic of the latest Beers with Talos podcast.

You should probably know this already, but you should actually never count out any type of cyber threat. Despite the declining popularity of virtual currencies, we are still seeing adversaries who want to hijack victims’ computing power to farm them. Take Vivin, for example. The latest cryptominer actor we discovered has been active since 2017, and is just getting started with its malicious activities in 2020.

Over at the Snort blog, you’ll want to keep an eye out for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, January 22, 2020

Vulnerability Spotlight: Multiple vulnerabilities in some AMD graphics cards


Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Multiple vulnerabilities exist in a driver associated with the AMD Radeon line of graphics cards. An attacker can exploit these bugs by providing a specially crafted shader file to the user while using
VMware Workstation 15. These attacks can be triggered from VMware guest usermode to cause a variety of errors, potentially allowing an attacker to cause a denial-of-service condition or gain the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD and VMware to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, January 21, 2020

Breaking down a two-year run of Vivin’s cryptominers

News Summary

  • There is another large-scale cryptomining attack from an actor we are tracking as "Vivin" that has been active since at least November 2017.
  • "Vivin" has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign.
By Andrew Windsor.

Talos has identified a new threat actor, internally tracked as "Vivin," conducting a long-term cryptomining campaign. We first began linking different samples of malware dropping illicit coin miners to the same actor in November of 2019. However, upon further investigation, Talos established a much longer timeline of activity. Observable evidence shows that Vivin has been active since at least November 2017 and is responsible for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts.

Vivin has shown to rotate the use of multiple cryptocurrency wallet addresses, in addition to altering the delivery chain of their payloads, over different time periods of activity. An interesting aspect of the actor's delivery method is their use of modified pirated software as their initial attack vector before the samples move on to common "living-off-the-land" methods at later stages of the attack. Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observable samples on online forms and social media. Nor do they discriminate in their targeting, attempting to capitalize on general user behavior, rather than targeting, to generate as large a victim pool as possible.

Despite the market downturn for cryptocurrency values in 2018, cryptomining remained a popular attack method for malicious actors throughout 2019 and heading into 2020. Over the course of last year, Talos Incident Response observed a number of cryptomining attacks, some of which potentially involved higher coordinated cybercrime groups and collaboration between multiple different threat actors. While more sophisticated actors certainly pose a significant threat, organizations should remain cognizant of the additional threat posed by less advanced actors employing wide or unrestricted targeting. Talos has previously documented one such actor, "Panda," illustrating their potential for long-term exploitation of their victims' resources and their resilience from being deterred from future action. These attributes make Vivin, and other actors like them, legitimate risks to organizational resource abuse and potential data theft.

Vulnerability Spotlight: Bitdefender BOX 2 bootstrap remote code execution vulnerabilities


Claudio Bozzato, Lilith Wyatt and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The Bitdefender BOX 2 contains two remote code execution vulnerabilities in its bootstrap stage. The BOX 2 is a device that protects users’ home networks from a variety of threats, such as malware,
phishing IOCs and other forms of cyber attacks. It also allows the user to monitor specific devices on the network and limit their internet access. These vulnerabilities could allow an attacker to gain the ability to arbitrarily execute system commands.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Bitdefender to ensure that these issues are resolved and that an update is available for affected customers.

Friday, January 17, 2020

Threat Roundup for January 10 to January 17

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 10 and Jan. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 16, 2020

JhoneRAT: Cloud based python RAT targeting Middle Eastern countries


By Warren Mercer, Paul Rascagneres and Vitor Ventura with contributions from Eric Kuhla.


Updated January 17th: the documents do not exploit the CVE-2017-0199 vulnerability.
 

Executive Summary

Today, Cisco Talos is unveiling the details of a new RAT we have identified we're calling "JhoneRAT." This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim's machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analysed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

Threat Source newsletter (Jan. 16, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This wasn’t your average Patch Tuesday. Microsoft’s monthly security update was notable for a few reasons. For starters, it’s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system.

There was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup here and our Snort rule release here.

Elsewhere in the vulnerability department, we also released new Snort rules to protect users against some notable Citrix bugs that have been used in the wild.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Beers with Talos Ep. #70: Semper Vigilantes - Strategic Defense in a Cyber Conflict

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 70 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Jan. 6, 2020

There is a looming cyber conflict on the horizon between the U.S. and Iran. We use all our time this week to discuss the situation at hand and take a hard look at what you should have already done foundationally. The crew offers insight and analysis of what nation-state cyber conflict looks like and what you can do to elevate your security strategy to the next level in an uncertain time of increased suspicion.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Foxit PDF Reader


Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered four remote code execution vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular program for reading and editing PDFs. The software supports
JavaScript to allow for interactive elements in PDF files — all of these vulnerabilities exist in the JavaScript capabilities of the program. An attacker could exploit any of these bugs by tricking the user into opening a malicious PDF in Foxit PDF Reader.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to ensure that these issues are resolved and that an update is available for affected customers.