Tuesday, March 31, 2020

Trickbot: A primer

By Chris Neal

Executive Summary


  • Trickbot remains one of the most sophisticated banking trojans in the landscape while constantly evolving.
  • Highly modular, Trickbot can adapt to different environments with the help of its various modules.
  • The group behind Trickbot has expanded their activities beyond credential theft into leasing malware to APT groups.

Overview

In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point of sale (POS) systems. Not only does it function as a standalone trojan, Trickbot is also commonly used as a dropper for other malware such as the Ryuk ransomware. The wide range of functionality allows this malware to adapt to different environments and maximize effectiveness in a compromised network.

Monday, March 30, 2020

COVID-19 relief package provides another platform for bad actors

The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.

Along with the general increase in coronavirus and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure in attacks that trick the unsuspecting victim into divulging personal information or subject them to financial fraud.

Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.

As noted earlier by Talos, we anticipate existing malicious campaigns to leverage this new material into their attacks. In our previous blog post about COVID-19, we emphasized that enterprises should take precautions to avoid being victimized by these attacks.

Everyone should be aware and expect to see campaigns focused around stimulus checks or other benefits. Stay alert and vigilant.
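One way to act on the observation above about stimulus-themed domain registrations is to screen new registrations for lure vocabulary. The following is an added example and not Talos code; the keyword lists, the sample registration records and the scoring thresholds are all assumptions constructed for illustration, and a real feed (zone-file diffs, certificate transparency logs) would replace the inline sample.

```python
"""Screen newly registered domains for stimulus-check / COVID lure vocabulary.

Added example, not code from the original post. The keyword lists, the sample
registrations and the thresholds are illustrative assumptions.
"""
import re
from datetime import date, timedelta

# Hypothetical vocabulary: a lure domain usually pairs a crisis/relief term
# with a money or claim term ("stimulus-check-claim", "covid-relief-payment").
LURE_TERMS = ("stimulus", "cares", "relief", "covid", "corona", "coronavirus")
MONEY_TERMS = ("check", "checks", "payment", "payout", "fund", "funds", "claim", "benefit")

# Constructed sample of (domain, registration date) records. Not real domains.
SAMPLE_REGISTRATIONS = [
    ("stimulus-check-claim.example", date(2020, 3, 28)),
    ("irs-covid-relief-payment.example", date(2020, 3, 29)),
    ("coronavirus-news-daily.example", date(2020, 3, 27)),   # crisis term only
    ("checksum-tools.example", date(2020, 3, 25)),           # money term only
    ("stimulusfund.example", date(2019, 6, 1)),              # both terms, but old
    ("weather-report.example", date(2020, 3, 30)),
]


def registrable_label(domain):
    """Return the lowercased label left of the TLD with separators removed,
    so 'Stimulus-Check.example' and 'stimuluscheck.example' look the same."""
    label = domain.lower().rsplit(".", 1)[0]
    return re.sub(r"[^a-z0-9]", "", label)


def lure_score(domain):
    """0 = no lure vocabulary, 1 = one category present, 2 = both categories.
    Substring matching is deliberate (no separators in many lure domains) and
    will produce some noise; the score is a triage aid, not a verdict."""
    label = registrable_label(domain)
    has_lure = any(term in label for term in LURE_TERMS)
    has_money = any(term in label for term in MONEY_TERMS)
    return int(has_lure) + int(has_money)


def flag_new_lure_domains(registrations, as_of, window_days=14, min_score=2):
    """Return domains registered within `window_days` before `as_of` whose
    lure score reaches `min_score`, highest score first, then alphabetical."""
    cutoff = as_of - timedelta(days=window_days)
    flagged = []
    for domain, registered in registrations:
        if registered < cutoff:
            continue  # old registration: not part of the current lure wave
        score = lure_score(domain)
        if score >= min_score:
            flagged.append((domain, score))
    flagged.sort(key=lambda item: (-item[1], item[0]))
    return [domain for domain, _ in flagged]


def demo():
    """Run the screen over the constructed sample as of the post's date."""
    return flag_new_lure_domains(SAMPLE_REGISTRATIONS, date(2020, 3, 31))


if __name__ == "__main__":
    for domain in demo():
        print(domain, lure_score(domain))
```

The window matters as much as the vocabulary: a domain such as `stimulusfund.example` registered long before the CARES Act is a different kind of lead than one registered the day after it was signed.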

Friday, March 27, 2020

Threat Roundup for March 20 to March 27

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 20 and March 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
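The roundup's caveat that a single IOC hit is not by itself evidence of compromise can be built into the hunting logic. The block below is an added example, not Talos code or tooling: the IOC set, the proxy log lines and the log format are constructed for illustration, and the rule it applies (two distinct IOC types on the same host inside a one-hour window before raising an alert, otherwise a lead) is an assumption a team would tune to its own data.

```python
"""Corroborate IOC hits per host before raising an alert.

Added example, not code from the original post. IOC values, the log format
and the sample lines are constructed; none of the indicators are real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC set grouped by type. Values are placeholders, not indicators.
IOCS = {
    "domain": {"update-check.example", "cdn-assets.example"},
    "ip": {"203.0.113.45"},
    "user_agent": {"WinHTTP-Loader/1.0"},
}

# Assumed proxy log layout: ts host dst_ip dst_domain method path "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<dst_ip>\S+) (?P<dst_domain>\S+) '
    r'(?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log. ws-017 touches an IOC domain and IP together;
# ws-042 hits two IOC types a week apart; ws-099 hits one IOC type once.
SAMPLE_LOG = """\
2020-03-27T10:00:01Z ws-017 203.0.113.45 update-check.example GET /gate.php "Mozilla/5.0"
2020-03-27T10:00:05Z ws-017 203.0.113.45 update-check.example POST /gate.php "Mozilla/5.0"
2020-03-27T11:30:00Z ws-042 198.51.100.7 cdn-assets.example GET /lib.js "Mozilla/5.0"
2020-03-20T08:00:00Z ws-042 203.0.113.45 static.example GET /img.png "Mozilla/5.0"
2020-03-27T09:15:00Z ws-099 192.0.2.10 intranet.example GET /home "WinHTTP-Loader/1.0"
2020-03-27T09:20:00Z ws-120 192.0.2.10 intranet.example GET /home "Mozilla/5.0"
malformed line that the parser must skip
""".splitlines()


def parse_line(line):
    """Parse one proxy line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def ioc_hits(rec):
    """Return the set of (ioc_type, value) pairs the record matches."""
    hits = set()
    if rec["dst_domain"] in IOCS["domain"]:
        hits.add(("domain", rec["dst_domain"]))
    if rec["dst_ip"] in IOCS["ip"]:
        hits.add(("ip", rec["dst_ip"]))
    if rec["ua"] in IOCS["user_agent"]:
        hits.add(("user_agent", rec["ua"]))
    return hits


def triage(lines, window=timedelta(hours=1), min_types=2):
    """Map each host with at least one IOC hit to 'alert' or 'lead'.

    'alert' requires `min_types` distinct IOC types on that host within
    `window`; anything less stays a 'lead' for a human to look at."""
    per_host = defaultdict(list)  # host -> [(ts, ioc_type, value), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for ioc_type, value in ioc_hits(rec):
            per_host[rec["host"]].append((rec["ts"], ioc_type, value))

    verdicts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = 0
        # Slide a window forward from each hit and count distinct IOC types.
        for i, (t0, _, _) in enumerate(hits):
            types = {t for (ts, t, _) in hits[i:] if ts - t0 <= window}
            best = max(best, len(types))
        verdicts[host] = "alert" if best >= min_types else "lead"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(host, verdict)
```

Here `ws-042` matched two indicators but seven days apart, so it stays a lead rather than an alert; the corroboration rule, not the raw match count, is what separates the two.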

Thursday, March 26, 2020

Threat Source newsletter (March 26, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Just because we’re all still working from home doesn’t mean you can stop patching. We’ve been busy this week with a new wave of vulnerabilities we disclosed, including in Intel RAID Web Console, Videolabs and GStreamer.

If you’re looking to fill some silence at home or just want to hear a friendly voice, we’re still uploading new podcasts every week, so subscribe to Beers with Talos and Talos Takes on your favorite podcatcher.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Threat Update: COVID-19

Executive Summary 

The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.

Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them and that organizations have implemented security best practices for remote work.

Tuesday, March 24, 2020

Vulnerability Spotlight: Intel RAID Web Console 3 denial-of-service bugs


Geoff Serrao of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered two denial-of-service vulnerabilities in the web API functionality of Intel RAID Web Console 3. The RAID Web Console is a web-based application that provides several configuration functions for the Intel RAID line of products, which includes controllers and storage expanders. The console monitors, maintains and troubleshoots these products. An attacker could exploit both of these bugs by sending a malicious POST request to the API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Intel to ensure that these issues are resolved and that an update is available for affected customers.

Monday, March 23, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Videolabs libmicrodns


Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

A specific library in the Videolabs family of software contains multiple vulnerabilities that could lead to denial of service and code execution. Videolabs is a company founded by VideoLAN members and is the current editor of the VLC mobile applications and one of the largest contributors to VLC. They also develop libmicrodns, a library which is used by VLC media player for mDNS services discovery. The libmicrodns library contains multiple vulnerabilities that could allow attackers to carry out a variety of malicious actions, including causing a denial of service and gaining the ability to execute arbitrary code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Videolabs to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Denial-of-service vulnerability in GStreamer


Peter Wang of Cisco ASIG discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in GStreamer, a pipeline-based multimedia framework. GStreamer contains gst-rtsp-server, an open-source library that allows the user to build RTSP servers. This library contains a vulnerability that an attacker could use to cause a null pointer dereference, resulting in a denial of service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with GStreamer to ensure that this issue is resolved and that an update is available for affected customers.

Friday, March 20, 2020

Threat Roundup for March 13 to March 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 13 and March 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #75: Now That Coronavirus Made a Global WFH Policy...


Beers with Talos (BWT) Podcast episode No. 75 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 13, 2020

Of course, we have to talk about the implications of coronavirus. It's affecting the way business and security are getting done. While everything about the COVID-19 pandemic seems to be a fluid situation, a rare constant has been the same rehashed disaster scams. But that could quickly change with the mass shift toward remote work. This episode takes a look at both securing that shift as well as practical advice for those of us finding ourselves newly remote employees.

Thursday, March 19, 2020

Threat Source newsletter (March 19, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone is staying home (if possible) and staying safe. Unfortunately, the bad guys aren’t going anywhere, so we’re still plugging away remotely. Hasn’t anyone told them we need a break?

COVID-19 is obviously on the top of everyone’s mind. We are working on some new content around working from home and COVID-related malware. In the meantime, go back and read our post from February about attackers trying to take advantage of coronavirus panic.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Friday, March 13, 2020

Threat Roundup for March 6 to March 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 6 and March 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #74: Impacting civil society


Beers with Talos (BWT) Podcast episode No. 74 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 2, 2020

We open up the show with a sugary sweet poem before talking about RSA and our annual trip through the startup hall. Matt expertly segues the crew into talking about the impact the security industry can have on public-interest technologies and civil society - both in the industry sense as well as in the interpersonal sense. Finally, we take a look at opposing mindsets and approaches, discussing how partnering with an adversarial approach is not near the oxymoron it seems.

Thursday, March 12, 2020

Threat Source newsletter (March 12, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Obviously, COVID-19 is dominating headlines everywhere, and for good reason. We hope everyone out there is staying safe and healthy and making the appropriate decisions when it comes to traveling and working.

In certainly less serious news, we have our monthly Microsoft Patch Tuesday post and the accompanying Snort rules out. There is also a large Vulnerability Spotlight out on several vulnerabilities we discovered in products from WAGO, a popular producer of automation software.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Tuesday, March 10, 2020

Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw and Vitor Ventura.

Update (March 12, 2020): Microsoft released an out-of-band patch for CVE-2020-0796, a code execution vulnerability in the SMBv3 client and server for Windows. An unauthenticated attacker could exploit this vulnerability to execute code remotely. Snort rules 53425 - 53428 protect against exploitation of CVE-2020-0796.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important.

This month's patches include updates to Microsoft Media Foundation, the GDI+ API and Windows Defender, among others.

Talos released a new set of SNORTⓇ rules today that provide coverage for some of these vulnerabilities, which you can see here.

Vulnerability Spotlight: Information disclosure in Windows 10 Kernel


Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information disclosure vulnerability in the Windows 10 kernel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted executable, causing an out-of-bounds read, which leads to the disclosure of sensitive information. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that this issue is resolved and that an update is available for affected customers.

Monday, March 9, 2020

Vulnerability Spotlight: WAGO products contain remote code execution, other vulnerabilities


Patrick DeSantis, Carl Hurd, Kelly Leuschner and Lilith [-_-]; of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered several vulnerabilities in multiple products from the company WAGO. WAGO produces a line of automation software called “e!COCKPIT,” an integrated development environment that aims to speed up automation tasks and machine and system startup. The e!COCKPIT software interfaces with different automation controllers, including the PFC100 and PFC200. The vulnerabilities described here exist within the e!COCKPIT software or the two associated automation controllers. A remote attacker could exploit these vulnerabilities to carry out a variety of malicious activities, including command injection, information disclosure and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WAGO to ensure that these issues are resolved and that updates are available for affected customers.

Friday, March 6, 2020

Threat Roundup for February 28 to March 6

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 28 and March 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, March 5, 2020

Threat Source newsletter (March 5, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Sure, all anyone wants to talk about is coronavirus. But what about cyber security? We’ve still got cool stuff, like this huge write-up on the Bisonal malware and how it’s changed over the past 10 years. While its victimology has always stayed the same, we walk through how its creators have added on new features over time to avoid detection.

There’s also another entry in our Incident Response “Stories from the Field” video series. This time, Matt Aubert discusses ransomware infections he’s seen in the wild and passes on some lessons to you.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Bisonal: 10 years of play


By Warren Mercer, Paul Rascagneres and Vitor Ventura.

Update 06/03/20: added samples from 2020.


Executive summary


  • Security researchers detected and exposed the Bisonal malware over the past 10 years. But the Tonto team, the threat actor behind it, didn't stop.
  • The victimology didn't change over time, either. Japanese, South Korean and Russian organizations were the prime targets for this threat actor.
  • The malware evolved to lower its detection ratio and improve the initial vector success rate.

What's new?

Bisonal is a remote access trojan (RAT) that's part of the Tonto Team arsenal. The peculiarity of the RAT is that it's been in use for more than 10 years — an uncommonly long period for malware. Over the years, it has evolved and adapted mechanisms to avoid detection while keeping the core of the RAT the same. We identified specific functions that have remained in the code for more than six years.

How did it work?

Tonto Team used multiple lure documents to entice victims into opening them and becoming infected with the Bisonal malware. The group has continued its operations for over a decade and continues to evolve its malware to avoid detection. It primarily used spear phishing to obtain a foothold within its victims' networks. Its campaigns had very specific targets, which suggests the end goal was operational intelligence gathering and espionage.

So what?

This is an extremely experienced group that is likely to continue its activities even after exposure: even though we identified mistakes and careless copy/paste in the code, the group has been doing this for more than 10 years. We think that exposing this malware, explaining its behavior and describing the campaigns in which Bisonal was used is important to protect potential future targets. The targets to this point are located in the public and private sectors, with a focus on Russia, Japan and South Korea. We recommend that entities located in these countries prepare for this malware and actor and implement detections based on the technical details provided in this article.

Tuesday, March 3, 2020

Video: What defenders can learn from past ransomware attacks


The Cisco Talos Incident Response "Stories from the Field" video series returns with another entry from Matt Aubert.

This time, Matt discusses ransomware infections he's seen in real-time, and shares what defenders can learn from others' mistakes and recovery.

Is it ever smart to pay the attackers' extortion demand? Which ransomware families should organizations be most worried about? Matt covers all of this in just six minutes.

You can watch the full video above or over on our YouTube page here. You can get all of the Stories from the Field videos in one place on our playlist, too.