Friday, January 31, 2020

Beers with Talos Ep. #71: I Have the Power(Shell)


Beers with Talos (BWT) Podcast episode No. 71 is now available. Download this episode and subscribe to Beers with Talos:


Recorded Jan. 17, 2020

PowerShell is a frequent flyer in security headlines — a powerful and oft-wielded tool for attackers and defenders alike. This episode takes a look at PowerShell and how to help ensure its security posture as an effective management tool. We also look at the missing-the-forest-for-the-trees concept behind being concerned about the latest shiny ATP before all else.

Threat Roundup for January 24 to January 31


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 24 and Jan. 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 30, 2020

Threat Source newsletter (Jan. 30, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Be sure to pay close attention Tuesday for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Friday, January 24, 2020

Threat Roundup for January 17 to January 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 17 and Jan. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 23, 2020

Threat Source newsletter (Jan. 23, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Despite tensions starting to fizzle between the U.S. and Iran, people are still worried about cyber conflict. What would that even look like? Is it too late to start worrying now, anyway? That’s the main topic of the latest Beers with Talos podcast.

You should probably know this already, but you should actually never count out any type of cyber threat. Despite the declining popularity of virtual currencies, we are still seeing adversaries who want to hijack victims’ computing power to farm them. Take Vivin, for example. The latest cryptominer actor we discovered has been active since 2017, and is just getting started with its malicious activities in 2020.

Over at the Snort blog, you’ll want to keep an eye out for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, January 22, 2020

Vulnerability Spotlight: Multiple vulnerabilities in some AMD graphics cards

Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Multiple vulnerabilities exist in a driver associated with the AMD Radeon line of graphics cards. An attacker can exploit these bugs by providing a specially crafted shader file to the user while using VMware Workstation 15. These attacks can be triggered from VMware guest usermode to cause a variety of errors, potentially allowing an attacker to cause a denial-of-service condition or gain the ability to remotely execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with AMD and VMware to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, January 21, 2020

Breaking down a two-year run of Vivin’s cryptominers

News Summary

  • There is another large-scale cryptomining attack from an actor we are tracking as "Vivin" that has been active since at least November 2017.
  • "Vivin" has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign.

By Andrew Windsor.

Talos has identified a new threat actor, internally tracked as "Vivin," conducting a long-term cryptomining campaign. We first began linking different samples of malware dropping illicit coin miners to the same actor in November of 2019. However, upon further investigation, Talos established a much longer timeline of activity. Observable evidence shows that Vivin has been active since at least November 2017 and is responsible for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts.

Vivin has been shown to rotate the use of multiple cryptocurrency wallet addresses, in addition to altering the delivery chain of their payloads, over different time periods of activity. An interesting aspect of the actor's delivery method is their use of modified pirated software as their initial attack vector before the samples move on to common "living-off-the-land" methods at later stages of the attack. Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observed samples on online forums and social media. Nor do they discriminate in their targeting; instead, they capitalize on general user behavior to generate as large a victim pool as possible.

Despite the market downturn for cryptocurrency values in 2018, cryptomining remained a popular attack method for malicious actors throughout 2019 and heading into 2020. Over the course of last year, Talos Incident Response observed a number of cryptomining attacks, some of which potentially involved more highly coordinated cybercrime groups and collaboration between multiple different threat actors. While more sophisticated actors certainly pose a significant threat, organizations should remain cognizant of the additional threat posed by less advanced actors employing wide or unrestricted targeting. Talos has previously documented one such actor, "Panda," illustrating their potential for long-term exploitation of their victims' resources and their resilience against being deterred from future action. These attributes make Vivin, and other actors like them, legitimate risks for organizational resource abuse and potential data theft.

Vulnerability Spotlight: Bitdefender BOX 2 bootstrap remote code execution vulnerabilities

Claudio Bozzato, Lilith Wyatt and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The Bitdefender BOX 2 contains two remote code execution vulnerabilities in its bootstrap stage. The BOX 2 is a device that protects users’ home networks from a variety of threats, such as malware, phishing IOCs and other forms of cyber attacks. It also allows the user to monitor specific devices on the network and limit their internet access. These vulnerabilities could allow an attacker to gain the ability to arbitrarily execute system commands.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Bitdefender to ensure that these issues are resolved and that an update is available for affected customers.

Friday, January 17, 2020

Threat Roundup for January 10 to January 17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 10 and Jan. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 16, 2020

JhoneRAT: Cloud based python RAT targeting Middle Eastern countries


By Warren Mercer, Paul Rascagneres and Vitor Ventura with contributions from Eric Kuhla.

Updated January 17th: the documents do not exploit the CVE-2017-0199 vulnerability.

Executive Summary

Today, Cisco Talos is unveiling the details of a new RAT we have identified that we're calling "JhoneRAT." This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim's machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analysed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

Threat Source newsletter (Jan. 16, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This wasn’t your average Patch Tuesday. Microsoft’s monthly security update was notable for a few reasons. For starters, it’s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system.

There was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup here and our Snort rule release here.

Elsewhere in the vulnerability department, we also released new Snort rules to protect users against some notable Citrix bugs that have been used in the wild.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Beers with Talos Ep. #70: Semper Vigilantes - Strategic Defense in a Cyber Conflict

By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 70 is now available. Download this episode and subscribe to Beers with Talos:


Recorded Jan. 6, 2020

There is a looming cyber conflict on the horizon between the U.S. and Iran. We use all our time this week to discuss the situation at hand and take a hard look at what you should have already done foundationally. The crew offers insight and analysis of what nation-state cyber conflict looks like and what you can do to elevate your security strategy to the next level in an uncertain time of increased suspicion.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Foxit PDF Reader

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered four remote code execution vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular program for reading and editing PDFs. The software supports JavaScript to allow for interactive elements in PDF files — all of these vulnerabilities exist in the JavaScript capabilities of the program. An attacker could exploit any of these bugs by tricking the user into opening a malicious PDF in Foxit PDF Reader.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Foxit to ensure that these issues are resolved and that an update is available for affected customers.

Stolen emails reflect Emotet's organic growth

By Jaeson Schultz

Introduction

Emotet has a penchant for stealing a victim's email, then impersonating that victim and sending copies of itself in reply. The malicious emails are delivered through a network of stolen outbound SMTP accounts. This relatively simple email-man-in-the-middle social engineering approach has made Emotet one of the most prolific vehicles for delivering malware that we have seen in modern times.

Cisco Talos continues to monitor Emotet, constantly detonating Emotet samples inside of the ThreatGrid malware sandbox and elsewhere. We witness in real-time as email that purports to be from Emotet's victims begins to emanate through Emotet's network of outbound mail servers. Vigilant monitoring of both stolen SMTP credentials and outbound email allows Talos to extract meta-information regarding Emotet's latest victims and provides insight into networks where Emotet is actively spreading.

One of the most cunning aspects of Emotet's propagation is the way they use social engineering of personal/professional relationships to facilitate further malware infection. When receiving a message from a trusted friend or colleague, it is quite natural for recipients to think, "I can safely open this email attachment because it is in reply to a message I sent, or from someone I know." Any person or organization who has sent an email to an Emotet victim could be targeted by Emotet's propagation messages. The more interaction with the victim you have, the more likely you are to receive malicious email from Emotet. Like a meandering watering hole attack, this is how Emotet crosses organizational boundaries with the potential to affect entire industries or even countries.

Tuesday, January 14, 2020

Microsoft Patch Tuesday — Jan. 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw.

Updated January 15th: Added an Advanced Custom Detection (ACD) signature for AMP that can be used to detect exploitation of CVE-2020-0601 by spoofing certificates masquerading as a Microsoft ECC Code Signing Certificate Authority.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical.

This month's security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cybersecurity reporter Brian Krebs says the vulnerability is so serious that Microsoft secretly deployed a patch to branches of the U.S. military prior to today.

January's update is also the last that will provide free updates to Windows 7 and Windows Server 2008/2008 R2.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Monday, January 13, 2020

New Snort rules protect against recently discovered Citrix vulnerability

By Edmund Brumaghin, with contributions from Dalton Schaadt.

Executive Summary


Recently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using CVE-2019-19781. A public patch has not yet been released; however, Citrix has released recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems.

Friday, January 10, 2020

Threat Roundup for January 3 to January 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 and Jan. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 9, 2020

Threat Source newsletter (Jan. 9, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re back after a long break for the holidays. And 2020 is already off to a fast start as tensions continue to rise in the Middle East.

We’ve gotten a lot of questions about whether customers and users should be concerned about cyber attacks from Iran after they’ve exchanged missile strikes with the U.S. But the reality of the situation is, if you haven’t already been preparing for attacks from state-sponsored actors, it’s already too late. We run down our thoughts on the situation here.

We also have our first Beers with Talos episode of the new year out, where the guys run down the top threats of 2019 and talk about what lessons we learned.

Vulnerability Spotlight: Code execution vulnerability in E2fsprogs


Lilith [^_^] of Cisco Talos discovered this vulnerability.

E2fsprogs contains an exploitable code execution vulnerability in its directory rehashing functionality. This set of programs is often considered essential software for many Linux and Unix machines and ships by default on most Linux systems. An attacker could exploit this vulnerability by causing an out-of-bounds write on the stack, which would then allow them to execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with E2fsprogs to ensure that these issues are resolved and that an update is available for affected customers.

Wednesday, January 8, 2020

What the continued escalation of tensions in the Middle East means for security

Cisco Talos works with many organizations around the world, monitoring and protecting against sophisticated threats every day. As such, we are watching the current state of events in the Middle East very closely for our customers and partners who may be impacted by the ongoing situation. We are continuing to evaluate potential threats and attack vectors, especially related to critical infrastructure and high-profile businesses and industries.

A challenge with protecting against state-sponsored campaigns is that the primary and ideal targets are potentially already compromised, either by a specific adversary or their allies who would be amenable to acting on their behalf. In previous research, Talos has observed footholds like this that can go undetected for extended periods, waiting to be modified remotely to exact a variety of potential malicious activities.

It may be difficult for primary target organizations to detect activity and defend themselves at the perimeter. Hopefully, they have employed a layered defense, which should include two-factor authentication, network segmentation and endpoint protection.

Of course, the potential also exists for the adversary to move away from a targeted maneuver to more broadly focused disruptions that could incorporate a much wider array of businesses and even consumers. This means that everyone should view this as a wake-up call — shore up defenses, update/patch your devices and focus on cyber hygiene. Employ authentication everywhere, beware of suspicious links, emails, etc. — phishing/credential theft continues to be popular among attackers. Every business should at least take a second look at every strange thing they see — don't ignore anomalous activities, take the time to see if there is something nefarious at the end of the tunnel.

While prior campaigns in the region have heavily relied on wiper malware, this is no guarantee that future campaigns will continue this trend. At times like this, vigilance is key.

Monday, January 6, 2020

Beers with Talos Ep. #69: 2019 Threat Recap - RATs, Turtles, and Worms, Oh My!


By Mitch Neff.

Beers with Talos (BWT) Podcast episode No. 69 is now available. Download this episode and subscribe to Beers with Talos:


Recorded Dec. 20, 2019 

In a shorter year-end EP, we take both a look back and a look forward. It seems everyone else wants to break out the crystal ball this time of year and prognosticate the coming year’s threat landscape. We don’t have one of those, so we used a Magic 8-ball, but we’re pretty confident the results are as good or better. Most of this EP is dedicated to going through the notable security events of the past year. We take a look at the lasting effects and lessons learned from 2019’s biggest threats.

Thursday, January 2, 2020

Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV


Dave McDaniel of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruption and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org. OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking and various machine learning programs.