Monday, August 31, 2020

Vulnerability Spotlight: Multiple SQL, code injection vulnerabilities in OpenSIS



Yuri Kramarz and Yves Younan discovered these vulnerabilities. Blog by Jon Munshaw

Cisco Talos researchers recently discovered multiple vulnerabilities in the OpenSIS software family. OpenSIS is a student information management system for K-12 students. It is available in commercial and open-source versions and allows schools to create schedules and track attendance, grades and transcripts. An adversary could take advantage of these bugs to carry out a range of malicious activities, including SQL injection and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenSIS to ensure that these issues are resolved and that an update is available for affected customers.

Thursday, August 27, 2020

Threat Roundup for August 21 to August 27


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 21 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter for Aug. 27, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

As part of our continued look at election security ahead of the November election, we have another research paper out this week. This time, we’re taking a closer look at disinformation campaigns, popularly known as “fake news.”

This paper builds on the first “What to expect when you’re electing” report by focusing on the infrastructure supporting these complex campaigns. 

On the vulnerability side of things, we also have another blog out detailing some vulnerabilities in Microsoft Azure Sphere. This builds on the ones we disclosed last month, which our researchers found as part of the Azure Sphere Security Research Challenge.

Wednesday, August 26, 2020

What to expect when you're electing: The building blocks of disinformation campaigns


By Nick Biasini, Kendall McKay and Matt Valites.

Editor's note: Related reading on Talos election security research: 

As Cisco Talos discovered during our four-year investigation into election security, securing elections is an extremely difficult, complex task. In the first paper in our election series, “What to expect when you’re electing,” Talos outlined how the key geopolitical objective of our adversaries is to weaken the faith the world has in Western-style democracy. One component of these objectives is disinformation. 

While disinformation operations have existed throughout history, they have become a global problem in recent years, affecting various levels of government and society in many countries around the world. Threat actors are increasingly using such campaigns to influence elections, which can result in significant consequences with lasting effects. In today’s digital age, the internet has made it easy for people to create, manipulate, and post content with few restrictions on the material’s veracity, creating an environment in which it is increasingly difficult to tell fact from fiction. When used in combination with modern technology, deceptive messaging can be distributed to curated audiences anywhere in the world in real time.

Monday, August 24, 2020

Vulnerability Spotlight: Remote code execution, privilege escalation bugs in Microsoft Azure Sphere

Claudio Bozzato, Lilith >_> and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Update (Sept. 17, 2020): This post has been updated to reflect the status of Microsoft assigning CVEs to these issues.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodically verifying the device integrity to determine whether or not it should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere, two of which could lead to unsigned code execution and the other two to privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere — conducted as part of the Azure Sphere Security Research Challenge — and follows the multiple vulnerabilities we disclosed in July.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft plans to assign CVEs for these issues on Oct. 13. We will update this blog when these have been assigned.

Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Google Chrome web browser contains a use-after-free vulnerability in its WebGL component that could allow a user to execute arbitrary code in the context of the browser process. This vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D that Chrome uses on Windows systems. An adversary could manipulate the memory layout of the browser in a way that lets them exploit the use-after-free, which could ultimately lead to arbitrary code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that this issue is resolved and that an update is available for affected customers.

Friday, August 21, 2020

Threat Roundup for August 14 to August 21


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 14 and Aug. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 20, 2020

Vulnerability Spotlight: Internet Systems Consortium BIND server DoS


Emanuel Almeida of Cisco Systems discovered this vulnerability. Blog by Jon Munshaw.

The Internet Systems Consortium’s BIND server contains a denial-of-service vulnerability that exists when processing TCP traffic through the libuv library. An attacker can exploit this vulnerability by flooding the TCP port and forcing the service to terminate.

The BIND nameserver is considered the reference implementation of the Domain Name System of the internet. It is capable of being an authoritative name server as well as a recursive cache for domain name queries on a network. This vulnerability only applies to this specific code and does not affect any other DNS software.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ISC to ensure that this issue is resolved and that an update is available for affected customers.

Threat Source newsletter for Aug. 20, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

Hacktivism always seems so cool and noble in the movies. Video games and TV shows have no shortage of their “hacker heroes,” too. But what are the real-world consequences of users who release sensitive information or carry out data breaches in the name of their idea of good?

That's what the newest Beers with Talos episode is all about. The crew also digs deeper into the ethical considerations of hacktivism, pseudo-anonymity and the intended effect of civil disobedience on society. 

Monday, August 17, 2020

Beers with Talos Ep. #90: Hacktivism – Understanding the real-world consequences

Beers with Talos (BWT) Podcast episode No. 90 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded July 31, 2020


This week in BWT land, we’re discussing hacktivism — from the unintended consequences to the tropes perpetuated by Hollywood. Regardless of the reason or cause, hacktivism often wields DDoS and web defacement as easily deployed tools. We discuss some instances where using code as a weapon without deeper understanding can have disastrous consequences. The crew also digs deeper into the ethical considerations of hacktivism, pseudo-anonymity and the intended effect of civil disobedience on society.

Friday, August 14, 2020

Threat Roundup for August 7 to August 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 7 and Aug. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 13, 2020

Attribution: A Puzzle


By Martin Lee, Paul Rascagneres and Vitor Ventura.

Introduction


The attribution of cyber attacks is hard. It requires collecting diverse intelligence, analyzing it and deciding who is responsible. Rarely does the evidence available to researchers reach a level of proof that would be acceptable in a court of law.

Nevertheless, the private sector rises to the challenge to attempt to associate cyber attacks to threat actors using the intelligence available to them. This intelligence takes the form of open-source intelligence (OSINT), or analysis of the technical intelligence (TECHINT), possibly derived from proprietary data. Indicators in these sources tend to point toward a threat actor if they have used the same methods in the past, or reused infrastructure from previous attacks.

Threat Source newsletter for Aug. 13, 2020

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

It’s really tough to attribute cyber attacks. We know it. You know it. But why is that, exactly? And why do we want to attribute attacks so badly anyway? In our latest blog post, we look at why attribution is challenging, and what pitfalls private researchers and government agencies alike face.  

If you haven’t already, you need to update your Microsoft products. Patch Tuesday was this week, and with it came more than 100 vulnerabilities that you should know about. Here’s a rundown of the most notable bugs and what Snort rules can help. 

Tuesday, August 11, 2020

Microsoft Patch Tuesday for Aug. 2020 — Snort rules and prominent vulnerabilities


By Jon Munshaw. 

UPDATE: Additional rules to cover CVE-2020-1472 were published in our recent rule release. Please enable rules 55703 and 55704 for additional coverage.

Microsoft released its monthly security update Tuesday, disclosing 120 vulnerabilities across its array of products. 

Sixteen of the vulnerabilities are considered “critical,” including one that Microsoft says is currently being exploited in the wild. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.

Monday, August 10, 2020

Barbervisor: Journey developing a snapshot fuzzer with Intel VT-x


By Cory Duplantis.

One of the ways vulnerability researchers find bugs is with fuzzing. At a high level, fuzzing is the process of generating and mutating random inputs for a given target to crash it. In 2017, I started developing a bare metal hypervisor for the purposes of snapshot fuzzing: fuzzing small subsets of programs from a known, static starting state. This involved working on a custom kernel that could be booted on bare metal. Having not done any operating system development before, I thought this would be a great way to learn new techniques while gaining a new tool for the tool bag. This is the story of the project in the hopes that others could learn from this experience.

The source code for barbervisor can be found here.

Friday, August 7, 2020

Threat Roundup for July 31 to August 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 31 and Aug. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, August 6, 2020

Threat Source newsletter for Aug. 6, 2020



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We spend a lot of time talking about what you should do to keep your data safe, and how other organizations should be prepared for the worst. But what happens if the worst happens to you? 

In the latest Beers with Talos episode, we walk you through what to do if you’re the one who gets owned — even if it’s not your fault at all. 

We also have the details out on several vulnerabilities in Microsoft Azure Sphere. Our researchers will even receive an award later this year for their work on these. We also have a new Threat Roundup to give you insight into the IOCs you should be on the lookout for.   

Tuesday, August 4, 2020

Vulnerability Spotlight: Two vulnerabilities in SoftPerfect RAM Disk


A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered that a specific driver in the SoftPerfect RAM Disk could allow an adversary to delete arbitrary files and disclose sensitive information. SoftPerfect RAM Disk is a high-performance RAM disk application that lets the user create a virtual disk that is stored in the computer’s memory. An attacker could exploit TALOS-2020-1121 to point to a specific file path and then delete that file. The other vulnerability could lead to the disclosure of sensitive information.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftPerfect to ensure that these issues are resolved and that an update is available for affected customers.

Beers with Talos Ep. #89: What to do when you're the pwnd one

Beers with Talos (BWT) Podcast episode No. 89 is now available. Download this episode and subscribe to Beers with Talos. If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded July 17, 2020


The gang's all back this week, and we take on what happens when you get pwnd, hacked, or your data is leaked. It happens to all of us eventually, one quick moment connecting to public WiFi, clicking on a bad link when you just aren’t paying enough attention, or your account data is leaked through no real fault of your own. So, what do you do first when it happens to you? Sure, this is a fundamental review for some, but you can thank us the next time your brother’s co-worker’s uncle calls you because “these hackers” — and you can just send a link to this episode. (If your niece or nephew sent you this link, I’m sorry you had to find out this way, but no worries, we got you).