Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA to ensure that these issues are resolved and that an update is available for affected customers.
Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials.
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 18 and Sept. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
By Nick Mavis. Editing by Joe Marshall and Jon Munshaw.
Cisco Talos is releasing a new research paper called “The Art and Science of Detecting Cobalt Strike.”
We recently released a more granular set of updated SNORTⓇ and ClamAVⓇ detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries.
Cobalt Strike is a “paid software platform for adversary simulations and red team operations.” It is used by professional security penetration testers and malicious actors to gain access and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 11 and Sept. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Nitro Pro to ensure that these issues are resolved and that an update is available for affected customers.
Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating
In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 4 and Sept. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
By Jon Munshaw.
In our continued coverage of election security, we decided to sit down with four Talos and Cisco researchers to discuss disinformation.
As we outlined in our recent research paper, disinformation is one of the cornerstones of threat actors' efforts to disrupt the American election process. In this video, we dive even deeper to discuss things like how legitimate websites can fall victim to disinformation campaigns and what can be done to stop the spread of fake news. You can watch the full discussion above or over on our YouTube page.
For more, check out our full paper on disinformation here and our broad overview of election security in "What to expect when you're electing."
By Jon Munshaw.
Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products.
Twenty-three of the vulnerabilities are considered “critical" while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.
Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos recently discovered a privilege escalation vulnerability in the Windows 10 Common Log File System. CLFS is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. A malformed CLFS log file could cause a pool overflow, and an adversary could gain the ability to execute code on the victim machine. A regular user needs to open the log file to trigger this vulnerability, but since the bug is triggered at the kernel level, it would give the adversary elevated privileges. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 28 and Sept. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Cisco customers with Email Security Appliances (ESA) or Cloud Email Security (CES) accounts already know the benefits of Cisco’s email filtering. Every day, millions of malicious emails are automatically sent to the trash bin. Cisco encourages customers to participate in honing those filters by submitting incorrectly classified email through the Cisco Security email plug-in or by direct email.
By David Liebenberg and Caitlin Huey.
For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others. In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot. Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. We continued to see ransomware actors engage in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.
For a more complete breakdown with more information, you can check out the full report summary here.
Posts
Subscribe via Email