Friday, February 21, 2020

Threat Roundup for February 14 to February 21

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 14 and Feb. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 20, 2020

Threat Source newsletter (Feb. 20, 2020)


Newsletter compiled by Jon Munshaw.


Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’ve got more ways than ever for you to get Talos content. We continue to grow our YouTube page with the second entry in the “Stories from the Field” series, this time with Matt Aubert discussing when to get lawyers involved in an incident.

Our podcast family also continues to grow, with new episodes this week of Talos Takes and Beers with Talos.

On the old-fashioned write-up end of things, we have the latest on our research into adversaries’ use of living-off-the-land binaries (also known as “LoLBins”). Recently, we’ve seen a wave of attacks utilizing the Microsoft Build Engine to conduct post-infection activities.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week. 

ObliqueRAT: New RAT hits victims' endpoints via malicious documents

By Asheer Malhotra.

  • Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT."
  • These maldocs use malicious macros to deliver the second stage RAT payload.
  • This campaign appears to target organizations in Southeast Asia.
  • Network based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What's New?

Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family we're calling "ObliqueRAT." Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT that shared similar maldocs and macros. CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia.

How did it work?

This RAT is dropped onto a victim's endpoint using malicious Microsoft Office documents (maldocs). The maldocs establish persistence for the second-stage implant, which contains the RAT functionality we're calling "ObliqueRAT." In this post, we illustrate the core technical capabilities of the maldocs and the RAT components, including:

  • The maldoc-based infection chain.
  • A variant distributed using a dropper EXE.
  • Detailed capabilities and command codes of the RAT implant (second-stage payload).
  • Communication mechanisms used.

So what?

This malware is an example of how a simple, yet effective, RAT is used to implement a wide variety of malicious capabilities. Key capabilities of ObliqueRAT include:

  • Ability to execute arbitrary commands on an infected endpoint.
  • Ability to exfiltrate files.
  • Ability to drop additional files.
  • Ability to terminate processes on the infected endpoint.


Analysis of a recently discovered preliminary variant of ObliqueRAT in this post offers insights into the evolution of this threat. Comparing the key similarities and differences between the ObliqueRAT and CrimsonRAT campaigns shows how the attackers changed their tactics and techniques to keep attacking while trying to evade detection. This campaign also shows that while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections for additional layers of security.

Wednesday, February 19, 2020

Cisco Talos Incident Response "Stories from the Field" #2: When do lawyers get involved?

The second video in our "Stories from the Field" series from Cisco Talos Incident Response is here, with Matt Aubert talking about lawyers.

While getting a general counsel involved may seem like an arduous process for many incident response teams, Matt Aubert argues in this video that in his experience, it's best to get lawyers involved early on in the recovery process.

Watch the full video above or over at our YouTube page here. And to learn more about Talos Incident Response, click here.

Tuesday, February 18, 2020

Vulnerability Spotlight: Memory corruption, DoS vulnerabilities in CoTURN


Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

CoTURN contains denial-of-service and memory corruption vulnerabilities in the way its web server parses POST requests. CoTURN is a TURN server implementation that can be used as a general-purpose network traffic TURN server and gateway. The software includes a web server for administration purposes, which is where these two vulnerabilities exist.

In accordance with our coordinated disclosure policy, Cisco Talos worked with CoTURN to ensure that these issues are resolved and that an update is available for affected customers. CoTURN notified Talos that these vulnerabilities were also discovered by Quarkslab.

Building a bypass with MSBuild


By Vanja Svajcer.


NEWS SUMMARY


  • Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders.
  • We analyze the usage of the Microsoft Build Engine by attackers and red team personnel.
  • These threats demonstrate techniques T1127 (Trusted Developer Utilities) and T1500 (Compile After Delivery) of the MITRE ATT&CK framework.


In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called "living-off-the-land" approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to measure the usage of LoLBins in real-world attacks.

Specifically, we are going to focus on MSBuild as a platform for post-exploitation activities. For that, we are collecting information from open and closed data repositories as well as the behavior of samples submitted for analysis to the Cisco Threat Grid platform.

What's new?


We collected malicious MSBuild project configuration files and documented their structure, observed infection vectors and final payloads. We also discuss potential actors behind the discovered threats.

How did it work?


MSBuild is the command-line tool of the Microsoft Build Engine, a software build system that builds applications as specified in an XML project file. The project file is usually created with Microsoft Visual Studio. However, Visual Studio is not required for building, because the .NET Framework and the compilers MSBuild needs are already present on the system.

The attackers take advantage of MSBuild characteristics that allow them to include malicious source code within the MSBuild configuration or project file.

So What?


Attackers see a few benefits when using the MSBuild engine to include malware in a source code format. This technique was discovered a few years ago and is well-documented by Casey Smith, whose proof of concept template is often used in the samples we collected.

  • First, the technique can be used to bypass application whitelisting technologies such as Windows AppLocker, because MSBuild.exe is a signed Microsoft binary that such policies typically allow to run.
  • Second, the code is compiled in memory, so no permanent payload files exist on disk that would otherwise raise defenders' suspicion.
  • Finally, attackers can obfuscate the payload in various ways, such as randomizing variable names or encrypting the payload with a key hosted on a remote site, which makes detection using traditional methods more challenging.


Friday, February 14, 2020

Beers with Talos Ep. #72: Getting to Patch Day - Understanding Vulnerability Risks and Options


Beers with Talos (BWT) Podcast episode No. 72 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Jan. 31, 2020

When a vulnerability is released, regardless of whether it has a website and logo, we need to understand the risk to the network and what defense options are possible before the patch is ready for production. Can you defend against the vulnerability, or do you go straight for known exploits? What happens if an exploit occurs? Also discussed: Talos begins releasing Threat Assessment Reports based on IR engagement data and known prevalent threats. Snort has a new series of training and lab videos available for Snort 2 and Snort 3.

Threat Roundup for February 7 to February 14

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 13, 2020

Threat actors attempt to capitalize on coronavirus outbreak

By Nick Biasini and Edmund Brumaghin.
  • Coronavirus is dominating the news, and threat actors are taking advantage.
  • Cisco Talos has found multiple malware families being distributed with coronavirus lures and themes. This includes Emotet and several RAT variants.

Executive Summary

Using the news to try and increase clicks and drive traffic is nothing new for malicious actors. We commonly see actors leveraging current news stories or events to try and increase the likelihood of infection. The biggest news currently is focused on the new virus affecting the world, with a focus on China: the coronavirus. There are countless news articles and email-based marketing campaigns going at full throttle right now, as such, we wanted to take a deeper look at how this is manifesting itself on the threat landscape.

Our investigation had several phases, first looking at the email-based campaigns and then pivoting into open-source intelligence sources for additional samples. These investigations uncovered a series of campaigns from the adversaries behind Emotet, along with a series of other commodity malware families using these same topics as lures, and a couple of odd documents and applications along the way. What was also striking was the amount of legitimate email containing things like Microsoft Word documents and Excel spreadsheets related to the coronavirus. This really underscores why using these as lures is so attractive to adversaries and why organizations and individuals need to be vigilant when opening mail attachments, regardless of their origin.

What's new? Malware authors and distributors will go through any means necessary to achieve success and generate revenue and this is just the latest example. These lures tied to coronavirus are likely to only increase in volume and variety as the virus continues to spread and dominate the headlines.

How did it work? The majority of these campaigns were driven through email and malspam specifically. These actors would send coronavirus themed emails to potential victims and, in some cases, use filenames related to coronavirus as well, enticing victims to click attachments. One of the reasons this was so effective was the large amount of legitimate email related to coronavirus that also included attachments.

So What?
  • Organizations need to realize that attackers are going to use current events to try and get victims to open attachments or click links. You should be prepared and vigilant in identifying these emails and ensuring they don't make it to your users' inboxes.
  • A wide variety of threats is represented here, so there isn't one single threat to be concerned with; just realize there will likely be many more.
  • It's not just malicious content, there are a lot of weird executables and other files floating around that are coronavirus-themed and are unwanted, albeit not inherently malicious.

Threat Source newsletter (Feb. 13, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

This month’s Microsoft Patch Tuesday was particularly hefty, with the company disclosing nearly 100 vulnerabilities — three of which Talos researchers discovered. For our complete wrapup, check out the blog post here, and be sure to update your Microsoft products now if you haven’t already.

Over on our YouTube page, we have a new video series we’re debuting called “Stories from the Field” with the Cisco Talos Incident Response Team. In each video, one of our team members will discuss one incident they remember working on and what lessons they took away from it, and what other defenders can learn.

On the research side of things, we have new findings out about a variant of the Loda RAT. We recently discovered that this malware family added several anti-detection features and is targeting victims across the Americas. 

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, February 12, 2020

Loda RAT Grows Up


By Chris Neal.

  • Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
  • These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.
  • This campaign appears to be targeting countries in South America and Central America, as well as the U.S.

What's New?


Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.
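Both the ObliqueRAT maldocs described earlier on this page (macro-bearing Office documents delivering a second stage) and the Loda chain above (a second-stage document carrying an Equation Editor object to exploit CVE-2017-11882) are caught at the same triage point: before the document is opened. The Python below is an added example, not code from either post or from Talos. It classifies a document blob by container type and raw-scans it for the two indicators: a VBA project, and an embedded Equation Editor (EQNEDT32, class id 0002CE02-0000-0000-C000-000000000046) object. The four sample documents are constructed inline; the function name `triage` and the reason strings are this example's own. It deliberately does not parse OLE structures or the MTEF font-name record, so an Equation hit means "object present", not "exploit present".

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation Editor (Equation.3) class id in the little-endian byte order used
# inside OLE streams; RTF carries the same bytes as hex text inside \objdata.
EQNEDT_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")
EQNEDT_CLSID_RTF_HEX = b"02ce020000000000c000000000000046"
# OLE directory entry names are stored as UTF-16LE.
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")
EQN_STREAM = "Equation Native".encode("utf-16-le")


def _ole_has_equation(blob: bytes) -> bool:
    """Raw scan (no OLE parsing) for an embedded Equation Editor object."""
    return EQN_STREAM in blob or EQNEDT_CLSID_LE in blob


def triage(data: bytes) -> dict:
    """Classify a document blob and report macro and Equation Editor indicators."""
    reasons = []
    if data.startswith(b"PK\x03\x04"):
        kind = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            ct = ""
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            embedded = [z.read(n) for n in names if "/embeddings/" in n]
        has_macros = any(n.lower().endswith("vbaproject.bin") for n in names)
        if has_macros:
            reasons.append("vbaProject.bin part present")
        if "macroEnabled" in ct:
            reasons.append("macro-enabled content type")
            has_macros = True
        equation = any(_ole_has_equation(b) for b in embedded)
    elif data.startswith(OLE_MAGIC):
        kind = "ole"
        has_macros = VBA_STREAM in data
        equation = _ole_has_equation(data)
    elif data.lstrip().lower().startswith(b"{\\rt"):
        # Word accepts truncated headers such as {\rt, so do not require {\rtf1.
        kind = "rtf"
        low = data.lower()
        has_macros = False                      # RTF cannot carry VBA
        equation = b"equation.3" in low or EQNEDT_CLSID_RTF_HEX in low
        if b"\\objupdate" in low:
            reasons.append("\\objupdate forces object activation on open")
    else:
        kind, has_macros, equation = "other", False, False
    if equation:
        reasons.append("Equation Editor (EQNEDT32) object embedded")
    return {"kind": kind, "has_macros": has_macros,
            "equation_object": equation, "reasons": reasons}


def _build_ooxml(macro: bool) -> bytes:
    """Constructed minimal .docm/.docx container for the samples below."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ct = f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    parts = {"word/document.xml": b"<w:document/>"}
    if macro:
        parts["word/vbaProject.bin"] = OLE_MAGIC + b"\x00" * 24   # placeholder, not a real VBA project
        ct += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    parts["[Content_Types].xml"] = (ct + "</Types>").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a macro-enabled document, a clean one, an RTF with an
# Equation Editor object, and an OLE blob containing a VBA project stream name.
SAMPLE_DOCM = _build_ooxml(macro=True)
SAMPLE_DOCX = _build_ooxml(macro=False)
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 01050000020000000b000000" + EQNEDT_CLSID_RTF_HEX + b"}}}")
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 64


if __name__ == "__main__":
    for label, blob in (("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX),
                        ("rtf", SAMPLE_RTF), ("ole", SAMPLE_OLE)):
        print(label, triage(blob))
```

Two caveats for anyone putting this in a mail-gateway or sandbox pre-filter. First, RTF samples built for CVE-2017-11882 routinely hide the objclass string behind RTF control-word noise, so a miss on the text marker is not a clean bill; the hex CLSID check and `\objupdate` are there because they survive that obfuscation better. Second, a macro-bearing document is not by itself malicious (the coronavirus write-up on this page notes how much legitimate macro traffic exists), so the `has_macros` result is a routing decision for deeper analysis, not a block verdict.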

Vulnerability Spotlight: Remote code execution vulnerability in Apple Safari


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its Fonts feature. If a user were to open a malicious web page in Safari, they could trigger a type confusion, resulting in memory corruption and possibly arbitrary code execution. An attacker would need to trick the user into visiting the web page by some means to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, February 11, 2020

Vulnerability Spotlight: Use-after-free vulnerability in Windows 10 win32kbase


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos is releasing the details of a use-after-free vulnerability in Windows 10. An attacker could exploit this vulnerability to gain the ability to execute arbitrary code in the kernel context. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Code execution vulnerability in Microsoft Media Foundation


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation's framework contains a code execution vulnerability. This specific bug lies in Media Foundation's MPEG4 DLL. An attacker could provide a user with a specially crafted ASF file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel


Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Excel contains a code execution vulnerability. This specific bug lies in the component of Excel that handles the Microsoft Office HTML and XML file types, first introduced in Office 2000. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday — Feb. 2020: Vulnerability disclosures and Snort coverage
By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity.

This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.

Talos released a new set of SNORTⓇ rules today that provide coverage for some of these vulnerabilities, which you can see here.

Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader’s JavaScript function


Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information leak vulnerability in Adobe Acrobat Reader. Acrobat supports a number of features, including the ability to process embedded JavaScript. An attacker could trigger this vulnerability by tricking a user into opening a malicious file or web page with embedded JavaScript in a PDF. The attacker could then gain access to sensitive information, which could then be used in additional attacks.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Monday, February 10, 2020

Introducing Cisco Talos Incident Response: Stories from the Field

By Jon Munshaw.

As another way of bringing our boots-on-the-ground intelligence to defenders, customers and users, we are introducing a new video series called "Cisco Talos Incident Response: Stories from the Field."

In each entry, a CTIR team member will cover one specific incident or lesson that they feel can be applicable to the everyday defender. First up is Pierre Cadieux, who recalls a recent incident at a health care company. He walks through the containment of the attack and recounts some lessons from that event he shares with other customers.

You can watch the full video above. To learn more about Talos Incident Response, click here.

Vulnerability Spotlight: Accusoft ImageGear library code execution vulnerabilities


Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three code execution vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit to assist users with image conversion, creation, editing and more. There are vulnerabilities in certain functions of ImageGear that could allow an attacker to execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update (link will generate a download) is available for affected customers.

Friday, February 7, 2020

Threat Roundup for January 31 to February 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 31 and Feb. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, February 6, 2020

Threat Source newsletter (Feb. 6, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

There’s never been a better time to be into cyber security podcasts. Our Podcasts page on TalosIntelligence.com got a facelift this week to make room for our new show, Talos Takes. Now, Beers with Talos and Talos Takes live on the same page, where you can get caught up on your cyber news each week.

During each episode of Talos Takes, our researchers and analysts will boil down a complicated topic into a minutes-long explainer that everyone from your parents to the CEO of your company will understand. You can subscribe to Talos Takes on Apple Podcasts, Spotify, Stitcher and Pocket Casts.

As if that wasn’t enough, we also released a new Beers with Talos episode Friday, where the guys discuss why PowerShell has been so widely used in malware.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, February 5, 2020

Quarterly Report: Incident Response trends in fall 2019


By David Liebenberg and Kendall McKay.

While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we’re seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive data along with data encryption as new levers to compel victims to pay.

Monday, February 3, 2020

Vulnerability Spotlight: Denial-of-service, information leak bugs in Mini-SNMPD


Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Multiple vulnerabilities exist in Mini-SNMPD, a lightweight implementation of a Simple Network Management Protocol server. An attacker can exploit these bugs by sending a specially crafted SNMP request to the server. These vulnerabilities could lead to a variety of conditions, potentially resulting in the disclosure of sensitive information and a denial-of-service condition.

Mini-SNMPD's small code size and memory footprint make it especially suitable for small and embedded devices. It is used, for example, by several devices based on the OpenWRT project.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Mini-SNMPD to ensure that these issues are resolved and that an update is available for affected customers. Talos also provided the patch for these issues.

Talos Takes back with new episode, feed


By Jon Munshaw.

Talos Takes, our new bite-size podcast, is back with its own feed and a new show.

We first unveiled Talos Takes in early December, and took some time to develop a new Talos Podcasts page to accommodate Talos Takes and Beers with Talos. Now you have two Talos shows you can subscribe to!

We'll be adding Talos Takes to Apple Podcasts, Google Play and other services very soon. For now, you can check out our RSS feed and all episodes here.

Our newest episode focuses on password management, hosted by Nick Biasini and Earl Carter.