Monday, June 29, 2020

PROMETHIUM extends global reach with StrongPity3 APT


By Warren Mercer, Paul Rascagneres and Vitor Ventura.

News summary

  • The threat actor behind StrongPity is not deterred despite being exposed multiple times over the past four years.
  • They continue to expand their victimology and attack seemingly unrelated countries.
  • This kind of continuous improvement suggests there is a possibility that this is an exported solution for other actors to use.

Executive summary

The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years. However, this has not deterred this actor from continuing and expanding their activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos identified around 30 new C2 domains. We assess that PROMETHIUM activity corresponds to five peaks of activity when clustered by the creation date month and year.

What's new?

Talos telemetry shows that PROMETHIUM is expanding its reach and attempting to infect new targets across several countries. The samples related to StrongPity3 targeted victims in Colombia, India, Canada and Vietnam. We observed at least four new trojanized setup files used by the group: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player).

How did it work?

Talos could not pinpoint the initial attack vector. However, the use of trojanized installation files for well-known applications is consistent with the previously documented campaigns. This leads us to believe that, just like in the past, the initial vector may be either a watering hole attack or in-path request interception, as mentioned in a CitizenLab report from 2018.
The trojanized setup will install both the malware and the legitimate application, which is a good way to disguise its activities. In some cases, it will reconfigure Windows Defender before dropping the malware to prevent detection.

So what?

This group mainly focuses on espionage, and these latest campaigns continue down the same path. The malware will exfiltrate any Microsoft Office file it encounters on the system. Previous research even linked PROMETHIUM to state-sponsored threats. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.
PROMETHIUM has been resilient over the years. Its campaigns have been exposed several times, but that was not enough to make the actors behind it stop.

Beers with Talos Ep. #85: The In-Between, Vol. 5


Beers with Talos (BWT) Podcast episode No. 85 is now available.

By Mitch Neff.

Recorded May 29, 2020


Prod. Note: Things are a hot mess right now and the team thinks that there are voices you have needed to hear more than ours, so we held back on releasing a few episodes. We are releasing those now, please pardon any weeks-old info. Be safe, be kind, and listen to each other. Black lives matter.

This is the last of the In-Between episodes. Thanks for having fun with this non-security miniseries across a span of weeks that I am not even going to try and neatly sum up in snarky podcast notes. The questions you’ve sent us on Twitter have been amazing, you can expect to see that become a recurring thing. We started this miniseries as a fun way for us to stay connected and put some extra podcasts in your playlist as we all got used to new routines and staying at home. We can’t keep that pace forever, so here is where the In-Between wraps. I hope that you’ve enjoyed these episodes as much as we enjoyed making them. From all of us, thank you for listening and stay safe — Cheers.

Friday, June 26, 2020

Threat Roundup for June 19 to June 26


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 19 and June 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. 

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 25, 2020

Threat Source newsletter for June 25, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We recently decided to replace our use of the terms "blacklist" and "whitelist" with "block list" and "allow list." Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to "white" while assigning negative connotations to "black."

Elsewhere, we have new episodes of Beers with Talos and Talos Takes up. Check them out on our podcasts page or download them on your favorite podcast app.

Wednesday, June 24, 2020

Vulnerability Spotlight: Denial-of-service vulnerability in NVIDIA driver

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Executive summary

The NVWGF2UMX_CFG.DLL driver contains a denial-of-service vulnerability that an attacker could use to disrupt processes over a virtual machine. An adversary could exploit this bug by providing a specially crafted pixel shader over VMware guests and VMware hosts, leading to a VMware process crash on the host machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA and VMware to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, June 23, 2020

Cisco Talos replacing all mentions of 'blacklist,' 'whitelist'

There are many ways to respond to injustice, both large and small, but each response is important. While we acknowledge it is a small change, Cisco Talos is moving to replace our use of the terms "blacklist" and "whitelist" with "block list" and "allow list." Even though these terms are commonly in use in the security industry, we will not go along with casually assigning positive connotations to "white" while assigning negative connotations to "black."

Monday, June 22, 2020

IndigoDrop spreads via military-themed lures to deliver Cobalt Strike


By Asheer Malhotra.

  • Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities.
  • These maldocs use malicious macros to deliver a multistage and highly modular infection.
  • This campaign appears to target military and government organizations in South Asia.
  • Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What's new?

Cisco Talos has recently discovered a new campaign distributing a multistage attack used to infect target endpoints with customized Cobalt Strike beacons. Due to the theme of the malicious documents (maldocs) employed, it is highly likely that military and government organizations in South Asia were targeted by this attack.

How did it work?

The attack consists of a highly modular dropper executable we're calling "IndigoDrop" dropped to a victim's endpoint using maldocs. IndigoDrop is responsible for obtaining the final payload from a download URL for deployment. The final payloads currently observed by Talos are Cobalt Strike beacons.

In this post, we illustrate the core technical capabilities of the maldocs, IndigoDrop and the Cobalt Strike beacon components, including:
  • The maldocs-based infection chain.
  • IndigoDrop's functionality.
  • Communication mechanisms and infrastructure used to download infection artifacts.
  • Detailed configurations of the Cobalt Strike beacons.

So what?

This attack demonstrates how the adversary operates a targeted attack that:
  • Uses legitimate-looking lures to trick the target into infecting themselves.
  • Employs a highly modular infection chain (implemented in IndigoDrop) to instrument the final payload.
  • Uses an existing offensive framework (Cobalt Strike) to establish control and persist in the target's network without having to develop a bespoke remote access trojan (RAT).

Analysis of recently discovered attack-chain variations provides insights into the evolution of this threat. These variations indicate changes in the attackers' tactics and techniques, made to continue their attacks while trying to bypass detection. This campaign also shows us that while network-based detection is important, it should be complemented with system behavior analysis and endpoint protections for additional layers of security.

Thursday, June 18, 2020

Threat Source newsletter for June 18, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Now that Cisco Live is over, you can access both of Talos’ talks on-demand here if you registered for the online event. 

The latest Beers with Talos episode covers how to push your career in cyber security forward when you feel like you’re stuck in a rut. Surprisingly, the hosts actually had some helpful insights to offer.

We also have our latest quarterly insights from Cisco Talos Incident Response, which recaps the most prevalent malware our responders have seen in the field so far this summer.

Beers with Talos Ep. #84: Mid-career advancement in cyber security

Beers with Talos (BWT) Podcast episode No. 84 is now available.

By Mitch Neff.

Recorded May 26, 2020


You, our audience, have asked this question a lot — in person, on Twitter, in DMs, and one of you even sent me InMail. So we spend a whole episode talking about advancing your career in the middle stages, whether you are interested in jumping on the management track or rising to the top of the engineering/technical hill, there are certain skills, relationships, and habits that will make your quest more effective. Quest? Wow, I have really been playing too many games lately.

Monday, June 15, 2020

Quarterly report: Incident Response trends in Summer 2020

By David Liebenberg and Caitlin Huey.

For the fourth quarter in a row, Ryuk dominated the threat landscape in incident response. As we mentioned in last quarter’s report, Ryuk has shifted from relying on commodity trojans to using living-off-the-land tools. This has led to a decrease in observations of attacks leveraging commodity trojans. Email remained the top infection vector, though we observe increased compromises of remote desktop services (RDS) as well as Citrix devices and Pulse VPN. One of the more interesting trends this quarter was the role of the COVID-19 pandemic. Interestingly, we did not observe any engagements in which COVID-19 was used in an attack. However, CTIR has observed the pandemic impacting organizations, affecting their ability to respond and contain cybersecurity incidents.

For additional information, you can also check out our full summary here.

Friday, June 12, 2020

Threat Roundup for June 5 to June 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 5 and June 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos Ep. #83: The In-between, Vol. 4

Beers with Talos (BWT) Podcast episode No. 83 is now available.

By Mitch Neff.

Recorded May 15, 2020

Sammi (inexplicably) continues tolerating out with the rest of the crew on The In-Between. As usual, we avoid discussing security at all costs. These EPs are all about keeping in touch and catching up to chat. We talk about cool stuff we are watching to occupy our time and JOEL DID HIS ONE JOB! So, we are taking your (amazing) questions from Twitter. Keep sending your questions for our regular episodes as well — @TalosSecurity #BWT.

Thursday, June 11, 2020

Tor2Mine is up to their old tricks — and adds a few new ones



By Kendall McKay and Joe Marshall.

Threat summary

  • Cisco Talos has identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was likely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more money, including AZORult, an information-stealing malware; the remote access tool Remcos; the DarkVNC backdoor trojan; and a clipboard cryptocurrency stealer.
  • The actors are also using a new IP address and two new domains to carry out their operations.
  • The addition of new tactics, techniques, and procedures (TTPs) suggests Tor2Mine is seeking ways to diversify their revenue in a volatile cryptocurrency market.

Threat Source newsletter for June 11, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We are back this week with new content, mainly around Microsoft Patch Tuesday. We have our complete breakdown of all the vulns here, as well as in-depth information on two remote code execution vulnerabilities one of our researchers discovered in Excel. 

We also have new dates for Cisco Live, which will take place on June 15 - 17. You can see the full signup details below, and after the 17th, you can access Talos’ two talks on-demand. 

Wednesday, June 10, 2020

Vulnerability Spotlight: Two code execution vulnerabilities in Microsoft Excel


Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered two code execution vulnerabilities in Microsoft Excel. Microsoft released updates for these two bugs as part of their Patch Tuesday security update this week. Both vulnerabilities specifically relate to the component in Excel that handles the Microsoft Office HTML and XML file types. An adversary could exploit these vulnerabilities in such a way that would allow them to execute code on the victim machine after tricking the victim into opening a specially crafted Excel file.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Spotlight: Remote code execution vulnerability in Firefox’s SharedWorkerService function

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Mozilla Firefox web browser contains a vulnerability in its SharedWorkerService function that could allow an attacker to remotely execute code on a target's machine. This vulnerability can be triggered if the user visits a malicious web page. The attacker can design this page in a way that causes a race condition, eventually leading to a use-after-free vulnerability and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Mozilla to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, June 9, 2020

Microsoft Patch Tuesday for June 2020 — Snort rules and prominent vulnerabilities

By Jon Munshaw. 

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products.

While none of the vulnerabilities disclosed have been exploited in the wild, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. 

The security updates cover several different products including the VBScript engine, SharePoint file-sharing service and GDI+.

Vulnerability Spotlight: Multiple vulnerabilities in Siemens LOGO! PLC

Alexander Perez-Palma of Cisco Talos and Emanuel Almeida of Cisco Systems discovered these vulnerabilities. Blog by Jon Munshaw.

Update (July 15, 2020): Siemens patched another vulnerability that affects the LOGO! PLC's web server. CVE-2020-7593 could allow an adversary to execute remote code on the victim machine and was assigned a severity score of 10 out of 10.

Cisco researchers recently discovered several vulnerabilities in the Siemens LOGO! PLC. The LOGO! allows users to control various automation projects in industrial control systems and other commercial and home settings. The product contains several vulnerabilities that an adversary could use to carry out a variety of malicious activities.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Siemens to ensure that these issues are resolved and that an update is available for affected customers.

Friday, June 5, 2020

Threat Roundup for May 29 to June 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 29 and June 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 4, 2020

Threat Source newsletter for June 4, 2020


Newsletter compiled by Jon Munshaw.

Our social media content and promotion are on pause this week as there are more important issues being discussed and other voices that need to be heard. However, we still wanted to provide users with the latest IOCs and threats we’re seeing. 

Wednesday, June 3, 2020

Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution

A member of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two vulnerabilities in the popular Zoom video chatting application that could allow a malicious user to execute arbitrary code on victims' machines. Video conferencing software has skyrocketed in popularity during the COVID-19 pandemic as individuals across the globe are encouraged to work from home and avoid close face-to-face contact with friends and family.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Zoom to ensure that these issues are resolved. TALOS-2020-1056 was fixed in May. Zoom fixed TALOS-2020-1055 server-side in a separate update, though Cisco Talos believes it still requires a fix on the client-side to completely resolve the security risk.

Monday, June 1, 2020

Vulnerability Spotlight: VMware Workstation 15 denial-of-service vulnerability

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in VMware Workstation 15. VMware allows users to set up virtual machines and run operating systems other than the one installed on their machine. This vulnerability exists in VMware guest mode, and could allow an attacker to cause a panic condition in the VMware host, leading to a crash.

In accordance with our coordinated disclosure policy, Cisco Talos worked with VMware to ensure that these issues are resolved and that an update is available for affected customers.