Thursday, April 30, 2020

Threat Source newsletter for April 30, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Our newest research post focuses on the Aggah campaign. Threat actors are pushing Aggah to victims via malicious Microsoft Word documents, eventually using the infection to install Agent Tesla, njRAT and Nanocore RAT. Here’s what to be on the lookout for, and what you can do to fend off these attacks.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Beers with Talos Ep. #79: The In-Between vol. 2 (It's a better name than Quittin' Time)

Beers with Talos (BWT) Podcast episode No. 79 is now available.

Recorded April 22, 2020

We are renaming these episodes. “Quittin’ time” was OK and all, but “The In-between” better captures what these episodes are. Compared to our normal episodes, you can expect the same lack of actual security content presented in Vol. 1, just a shorter format. You seem to enjoy us taking your (sometimes crazy) questions from Twitter, so keep sending them! We are doing these extra episodes because we need to laugh and have some fun right now, and hopefully give you the same little break from reality. We want you to come on in and have a laugh on us.

Send us your questions for the next "Quittin' Time" episode — @TalosSecurity #BWT.

Wednesday, April 29, 2020

Upgraded Aggah malspam campaign delivers multiple RATs


By Asheer Malhotra

  • Cisco Talos has observed an upgraded version of a malspam campaign known to distribute multiple remote access trojans (RATs).
  • The infection chain utilized in the attacks is highly modularized.
  • The attackers utilize publicly available infrastructure such as Bitly and Pastebin (spread over a number of accounts) to direct and host their attack components.
  • Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What's New?

Cisco Talos has observed a new Aggah campaign consisting of the distribution of malicious Microsoft Office documents (maldocs) via malicious spam (malspam) emails distributing a multi-stage infection to a target user's endpoint.

The final payload of the infection consists of a variety of remote access trojan (RAT) families, including Agent Tesla, njRAT and Nanocore RAT.

How did it work?

Attackers and malware operators commonly use their own infrastructure (or compromised domains) as the delivery mechanism for their infection chains. Consistent with previous Aggah campaigns, this campaign instead relies on pastebin[.]com for all of its infrastructure needs. However, it now uses multiple Pastebin accounts to host the different stages of the attack.

The key components of the attack are:

  • Stage 1: Malspam delivering documents with malicious macros.
  • Stage 2: Malicious VBScripts used to instrument the actual attack.
  • Stage 2A: Malicious .NET-based binaries for disabling security features on the endpoint.
  • Stage 3: Malicious VBScripts and .NET-based injectors and RATs (final payload).

Friday, April 24, 2020

Threat Roundup for April 17 to April 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 17 and April 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, April 23, 2020

Threat Source newsletter for April 23, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

There’s a new Beers with Talos podcast out now. And guess what? They actually talk about security this time! The guys are looking for listener questions to answer on the next episode. If you have something you want to ask, just @ us on Twitter. 

Everyone is using some type of video chatting software at this point as we all work from home and look for new ways to communicate with one another. Zoom is one of the most popular options right now, but it hasn’t been without its security hiccups. To that end, we released details of a vulnerability in Zoom that could allow an adversary to silently harvest the email addresses of everyone in an organization who uses Zoom. For example, they could pull all email addresses ending in @cisco.com.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Threat Spotlight: MedusaLocker


By Edmund Brumaghin, with contributions from Amit Raut.

Overview


MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.

While most of MedusaLocker's functionality is consistent with other modern ransomware families, there are features that set MedusaLocker apart from many of the other ransomware families commonly observed.

  • MedusaLocker can encrypt the contents of mapped network drives that may be present on infected systems.
  • It manipulates Windows functionality to force network drives to be remapped so that their contents can also be encrypted.
  • The malware uses ICMP sweeping to profile the network to identify other systems that can be used to maximize the likelihood of a ransom payment.

MedusaLocker can also perform ICMP sweeping to identify other systems on the same network. If the malware is able to locate them, MedusaLocker then attempts to leverage the SMB protocol to discover accessible network locations, and if files are discovered in those locations, they are also encrypted and ransomed in the same manner as other locally stored data.

Wednesday, April 22, 2020

Talos Incident Response announces new, lower price through July 25

Today’s world looks very different than three months ago. More people work remotely than ever before. IT teams work around the clock to expand capacity and new software and services are being deployed to handle the load. Within this new remote environment, we have seen new malware families and threat actors taking advantage of our current situation by increasing spam and phishing schemes.

Tuesday, April 21, 2020

Beers with Talos Ep. #78: Fingerprints and hunting parties


Beers with Talos (BWT) Podcast episode No. 78 is now available.

Recorded April 10, 2020

We have a couple great topics today — and only one of them is a COVID-19 related topic. So, it turns out that you can fake fingerprints. The good news is that it takes a lot of time, equipment and expertise. It is much easier for a criminal to just make you unlock it yourself. We have also seen an unprecedented level of collaboration and righteous anger across all vendors responding to COVID-based scams. Literally everyone is just watching, documenting, and hunting anyone screwing around with anything even tangentially related to the current health crisis. The challenge is that all the cooks are in the kitchen, which is really a good problem to have.

Send us your questions for the next "Quittin' Time" episode — @TalosSecurity #BWT.

Vulnerability Spotlight: Zoom Communications user enumeration

Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.

Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. This is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interests of ensuring the security and privacy of users at large against this information disclosure vulnerability.

Friday, April 17, 2020

Threat Roundup for April 10 to April 17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 10 and April 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Thursday, April 16, 2020

PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors



By Warren Mercer, Paul Rascagneres and Vitor Ventura.

News summary

  • Azerbaijan government and energy sector likely targeted by an unknown actor.
  • From the energy sector, the actor demonstrates interest in SCADA systems related to wind turbines.
  • The actor uses Word documents to drop malware that allows remote control over the victims.
  • The new remote access trojan, dubbed PoetRAT, is written in Python and is split into multiple parts.
  • The actor collects files, passwords and even images from the webcam, using other tools that it deploys as needed.

Executive summary


Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, thus we believe the adversaries in this case want to target citizens of Azerbaijan, including private companies in the SCADA sector, such as operators of wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing the operators with full control of the compromised system. For exfiltration, it uses FTP, which suggests an intention to transfer large amounts of data.

The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.

In addition to the malware campaigns, the attacker ran a phishing campaign on the same infrastructure. The phishing website mimics the Azerbaijan government's webmail infrastructure.

Threat Source newsletter for April 16, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s what — week 5 of this quarantine in the U.S.? Week 6? We’ve lost count. And so did the Beers with Talos guys. But lucky for you, that led to a — shall we say — unique podcast episode.

This week was Microsoft Patch Tuesday. The company disclosed more than 100 vulnerabilities and more than a dozen that were considered critical. We have our complete rundown here, as well as in-depth information on one of the vulnerabilities our researchers discovered.

We also have our latest Incident Response quarterly recap, as we reflect on the major incidents CTIR responded to between November 2019 and January 2020.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, April 15, 2020

Beers with Talos Ep. #77: Quittin’ Time, Vol. 1 — Tigers and tales of the in-between

Beers with Talos (BWT) Podcast episode No. 77 is now available.

Recorded April 3, 2020

We’re kinda bored. We figured you are too. So we decided to get together between normal recordings to help save you from the bottom of the Netflix barrel. It gets weird down there. These Quittin’ Time episodes are just the crew hanging out for a bit without a security topic agenda. None of that. Honestly, if you’re not a fan of the banter in the Roundtable and Closing Thoughts segments, this probably isn’t your cup of tea. Anyway, we have fun getting together and feeling more normal for a bit, and we hope you have fun listening to the heavily edited version of that. Send us your questions for the next time we do a podcast like this — @TalosSecurity #BWT.

Tuesday, April 14, 2020

Vulnerability Spotlight: Information disclosure vulnerability in Microsoft Media Foundation

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation contains an information disclosure vulnerability that could allow an attacker to eventually remotely execute code on the victim machine. Media Foundation is a COM-based multimedia framework on most versions of Microsoft Windows that assists with many audio and video operations. An attacker must convince the user to open a specially crafted QuickTime file to trigger this vulnerability. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday — April 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw. 

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 115 vulnerabilities. Nineteen of the flaws Microsoft disclosed are considered critical. The remainder are rated as “important” updates.

This month’s security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel. A Cisco Talos researcher discovered CVE-2020-0939, an information disclosure vulnerability in Microsoft Media Foundation. For more, check out Talos’ full Vulnerability Spotlight here.

Talos also released a new set of SNORT® rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.

Monday, April 13, 2020

Quarterly Report: Incident Response trends in Spring 2020

By David Liebenberg.

Cisco Talos Incident Response (CTIR) engagements continue to be dominated by ransomware and commodity trojans. As alluded to in last quarter’s report, ransomware actors have begun threatening to release sensitive information from victims as a means of further compelling them to pay. Additionally, DDoS and coinminer threats reemerged in spring 2020 after absences in the previous quarter. Looking at information from November 2019 through January 2020, ransomware maintains its status as the most prevalent threat, and CTIR has observed some changes in the top ransomware offender — Ryuk.

Friday, April 10, 2020

Threat Roundup for April 3 to April 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 3 and April 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Thursday, April 9, 2020

Threat Source newsletter for April 9, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Nearly all devices have some sort of fingerprint scanner now, used to log users in. But these scanners present their own unique attack vector. Two of our researchers discovered that they could trick many devices into unlocking with a replicated fingerprint made from a 3-D printed mold or resin model. For the average user, this may not be a big deal, but it does have consequences for more high-profile targets.

As weeks of working from home turn to months, the Beers with Talos crew is still talking about security while working remotely. And this episode, a new guest talks about what it’s like to be an extremely extroverted person during the work-from-home times.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Wednesday, April 8, 2020

Fingerprint cloning: Myth or reality?

Phone, computer fingerprint scanners can be defeated with 3-D printing


By Paul Rascagneres and Vitor Ventura.


Executive summary

Passwords are the traditional authentication method for computers and networks. But passwords can be stolen. Biometric authentication seems the perfect solution to that problem. There are several kinds of biometric authentication, including retina scanning, facial recognition and fingerprint authentication, the most common one. Everyone's fingerprints are unique, and it is commonly accepted that they identify a person and cannot be reproduced.

Technological evolution expanded fingerprint authentication to all kinds of devices, from laptops to mobile phones, to padlocks and encrypted USB drives. Fingerprint authentication became commonly available on phones with the launch of Apple TouchID in the iPhone 5 in 2013. That technology was bypassed shortly after being released. Since then, the technology evolved into three main kinds of sensors: optic, capacitance and ultrasonic.

Our tests showed that, on average, we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and the physical properties of the materials. Even so, this level of success means that we have a very high probability of unlocking any of the tested devices before it falls back to PIN unlocking. The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person who is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.

We developed three threat model use cases to match real-world scenarios. As a result, the reader should compare the result to a home security system. If you want it to stop well-funded actors like national security agencies from spying on your house, this may not provide enough resistance to be effective. For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token-based two-factor authentication.

These results, together with the recent leaks concerning a biometric company and the recent issue with the sensor used by Samsung on the Galaxy S10 smartphone, raised some questions about the understanding of this technology and the impact of fingerprint (or, more generally, biometric) data leaks. 3-D printing has evolved to the point where a home resin printer has a resolution measured in microns. Can the average person create a fake fingerprint collected from glass using a 3-D printer, or does it take a government agency? And can it be done while a user is at a border checkpoint?

We translated these questions into three main goals:

  • What are the security improvements in fingerprint scanning since it was first defeated on the iPhone 5?
  • How does 3-D printing technology impact fingerprint authentication?
  • Define a threat model for the attacks to provide a realistic context.

We tested different brands and models of devices. To determine the threat model, we imposed budgetary restrictions, with the assumption that if it can be done on a low budget, it can be done by state-sponsored actors.

The complexity of the process was also important to define the threat model. We wanted to know how hard it would be for the common user to reproduce our results.

The third component of the threat model was the collection technique. We defined three collection techniques, each one associated with a threat model that includes its own characteristics. Some of them have the added complexity of acquiring the enrolled fingerprint, as most users won't use more than one finger.

What's new? 3-D printing technologies made it possible for anyone to create fake fingerprints. Not only that, but with the right resources, they also made it possible to do so at scale. Moreover, with the democratization of fingerprint authentication, the impact of copied biometric data is even bigger than in the past. We applied our threat models to mobile phones, laptops, padlocks and USB pen drives.

How did it work? We created copies using three different methods, each defined according to one of the threat profiles. A mold was created using a 3-D printer, which was then used to recreate the fingerprint with textile glue.

So what? Fingerprint authentication is now in common usage, on all kinds of devices. However, its reliability is not the same on all devices. Organizations need to be aware that fingerprint authentication is not as secure as commonly assumed. This means that depending on the threat profile of each user, it may not be advisable to use it. In reality, some vendors' sensors offer the same resistance as they did six years ago. This means that with the advances of technologies like 3-D printing, it's now even easier to defeat them.

A video presentation of this research is also available.

Tuesday, April 7, 2020

Beers with Talos Ep. #76: When security hits home (and stays)


Beers with Talos (BWT) Podcast episode No. 76 is now available.

Recorded March 27, 2020

Our goal is always to talk to you about what's on our minds. Right now, we are pretty sure we all have the same thing on our minds. In addition to our regular show material, we want to talk through some of the things that we are dealing with professionally and personally in the hopes that it applies and is useful to you. To that end, we asked Sammi Seaman (our Education coordinator and resident mega-extrovert) to stop by and chat with us about the challenges of working from home and shifting the way we work. We aren’t breaking any massive news and threats this week, rather we are talking about what the industry is thinking about. As a heads up, we are increasing episodes from biweekly to weekly, and rotating in different topics while we’re all stuck at home. Hopefully, this is helpful for you and us both. Drop us a tweet and let us know what is on your mind. Be safe, and wash your hands, you filthy animals.

Friday, April 3, 2020

Threat Roundup for March 27 to April 3


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 27 and April 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

Thursday, April 2, 2020

Threat Source newsletter (April 2, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

As long as COVID-19 is in the headlines (which is going to be a long time) actors are going to try and capitalize. We fully expect to see a rise in spam that’s now related to the economic assistance package passed by the U.S. government.

In non-virus-related news, we also have a new overview of the Trickbot banking trojan. This family has been around for a while, but we’ve recently seen a spike in distribution related to the aforementioned COVID-19 campaigns. What does Trickbot look like? And what are some best practices to defend against it? We run through all that here.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

AZORult brings friends to the party


By Vanja Svajcer.

News summary

  • We are used to ransomware attacks and big game hunting making the headlines, but there is an undercurrent of other attack types that allow attackers to monetize their efforts in a less intrusive way.
  • Here, we discuss a multi-pronged cyber criminal attack using a number of techniques that should alert blue team members with appropriate monitoring capability but are not immediately obvious to end-users.
  • These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1202 (Indirect Command Execution), T1055 (Process Injection), T1064 (Scripting), T1053 (Scheduled Task) and T1011 (Exfiltration Over Other Network Medium).

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There's also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.

What's new?


Embedding an executable downloader in an ISO image file is a relatively new method of delivery for AZORult. It's also unusual to see attackers using multiple methods to make money.

How did it work?


The infection chain starts with a ZIP file, which contains an ISO disk image file. When the user opens the ISO file, a disk image containing an executable loader is mounted. When the loader is launched, it deobfuscates malicious code that downloads the first obfuscated PowerShell loader stage. That stage kickstarts the overall infection, disables security tools and the Windows Update service, and downloads and launches the payloads.

So what?


Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they will attempt to find the smallest crack to achieve their goals. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.