Wednesday, September 30, 2020

Vulnerability Spotlight: Remote code execution bugs in NVIDIA D3D10 driver



Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple remote code execution vulnerabilities in the NVIDIA D3D10 driver. This driver supports multiple GPUs that NVIDIA produces. An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V RemoteFX on Windows machines.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, September 29, 2020

LodaRAT Update: Alive and Well


By Chris Neal.

  • During our continuous monitoring of LodaRAT, Cisco Talos observed changes in the threat that add new functionality.
  • Multiple new versions of LodaRAT have been spotted being used in the wild.
  • These new versions of LodaRAT abandoned their previous obfuscation techniques.
  • Direct interaction with the threat actor was observed during analysis, indicating the actor is actively monitoring infected hosts.

What's New?


Talos recently identified new versions of LodaRAT, a remote access trojan written in AutoIt. Not only have these versions abandoned their usual obfuscation techniques, but several functions have also been rewritten and new functionality has been added. In one version, a hex-encoded PowerShell keylogger script has been added, along with a new VB script, only to be removed in a later version. Direct interaction from the threat actor was observed during analysis.

Monday, September 28, 2020

Microsoft Netlogon exploitation continues to rise



Cisco Talos is tracking a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which — among other things — can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself, and gain access to domain admin credentials.

Friday, September 25, 2020

Threat Roundup for September 18 to September 25


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 18 and Sept. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 24, 2020

Threat Source newsletter for Sept. 24, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

After months (years?) in beta, an official release candidate is out now for Snort 3. Stay tuned for an officially official release in about a month. 

In other Snort rules, we also have a deep dive into our detection and prevention of Cobalt Strike. One of our researchers, Nicholas Mavis, did an amazing job breaking down what goes into writing Snort rules and ClamAV signatures, for those of you who really want to nerd out.

We also have new research out on fraudulent sites that claim to complete students' homework for them. This is easier for students to carry out now that many of them are learning from home. But these sites also sometimes come with malware.

The Internet did my homework



By Jaeson Schultz and Matt Valites.

As students return to school for in-person and virtual learning, Cisco Talos discovered an increase in DNS requests coming into Umbrella resolving domains we classify as "academic fraud." Data from Pew Research on back-to-school dates aligns with the growth we observed in queries to these malicious domains. The figure below shows that queries to academic fraud domains nearly quadrupled starting the week of Aug. 12, the most popular week to start schools in the US. When we compared these numbers with data from the same time last year, we noted an approximately 4x increase in requests for domains classified as "academic fraud." These sites have risen dramatically in popularity in 2020 as more and more students have moved to virtual learning.
A graph of DNS requests for "Academic Fraud"-related domain names.

Monday, September 21, 2020

New Snort, ClamAV coverage strikes back against Cobalt Strike



By Nick Mavis. Editing by Joe Marshall and Jon Munshaw.

Cisco Talos is releasing a new research paper called “The Art and Science of Detecting Cobalt Strike.”

We recently released a more granular set of updated SNORTⓇ and ClamAVⓇ detection signatures to detect attempted obfuscation and exfiltration of data via Cobalt Strike, a common toolkit often used by adversaries.

Cobalt Strike is a “paid software platform for adversary simulations and red team operations.” It is used by professional security penetration testers and malicious actors to gain access and control infected hosts on a victim network. Cobalt Strike has been utilized in APT campaigns and most recently observed in the IndigoDrop campaign and in numerous ransomware attacks.

Friday, September 18, 2020

Threat Roundup for September 11 to September 18


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 11 and Sept. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos ep. #92: Trending in Your Network — Disinformation


Beers with Talos (BWT) Podcast episode No. 92 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Aug. 26, 2020


Disinformation is front and center right now. As disinformation efforts constantly increase, platforms struggle to contain the problem without giving the appearance of censuring or controlling all information present. A Talos research team recently published some findings on the building blocks of disinformation campaigns. Special guest Kendall McKay joins us to discuss the research she co-authored with her team in Talos. We go over exactly what defines disinformation and the most pervasive sources. We also look at who these actors are and how they operate at scale while remaining hidden. 

Thursday, September 17, 2020

Threat Source newsletter for Sept. 17, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We’ve got a couple of vulnerabilities you should know about. Monday, we disclosed a bug in Google Chrome’s PDFium feature that opens the door for an adversary to execute remote code.

Our researchers also discovered several vulnerabilities in the Nitro Pro PDF Reader. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code.

Vulnerability Spotlight: Remote code execution vulnerability Apple Safari



Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its WebKit feature. Specifically, an attacker could trigger a use-after-free condition in WebCore, the DOM-rendering system for WebKit used in Safari. This could give the attacker the ability to execute remote code on the victim machine. A user needs to open a specially crafted, malicious web page in Safari to trigger this vulnerability.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, September 15, 2020

Vulnerability Spotlight: Multiple vulnerabilities in Nitro Pro PDF reader

Cisco Talos researchers discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple code execution vulnerabilities in the Nitro Pro PDF reader. Nitro PDF allows users to save, read, sign and edit PDFs on their computers. The software contains vulnerabilities that could allow adversaries to exploit a victim machine in multiple ways that would eventually allow them to execute code.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Nitro Pro to ensure that these issues are resolved and that an update is available for affected customers.

Monday, September 14, 2020

Vulnerability Spotlight: Memory corruption in Google PDFium

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. Chrome is a popular, free web browser available on all operating systems. PDFium allows users to open PDFs inside Chrome. We recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 11, 2020

Threat Roundup for September 4 to September 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 4 and Sept. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 10, 2020

Threat Source newsletter for Sept. 10, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

In our continued research on election security, we have a new video roundtable discussion up on our YouTube page. In this Q&A-style format, I ask our researchers questions about the work they’ve done researching disinformation (aka “fake news”) and how to combat the spread of it.

Microsoft Patch Tuesday was also this week. For our recap of all 120-something vulnerabilities Microsoft discovered, click here. You can also take a deep dive into one of the bugs our researchers specifically discovered in the Windows 10 Common Log File System.

Wednesday, September 9, 2020

Roundtable video: Disinformation and election security

By Jon Munshaw.

In our continued coverage of election security, we decided to sit down with four Talos and Cisco researchers to discuss disinformation.

As we outlined in our recent research paper, disinformation is one of the cornerstones of threat actors' efforts to disrupt the American election process. In this video, we dive even deeper to discuss things like how legitimate websites can fall victim to disinformation campaigns and what can be done to stop the spread of fake news. You can watch the full discussion above or over on our YouTube page.

For more, check out our full paper on disinformation here and our broad overview of election security in "What to expect when you're electing."

Tuesday, September 8, 2020

Microsoft Patch Tuesday for Sept. 2020 — Snort rules and prominent vulnerabilities



By Jon Munshaw. 

Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. 

Twenty-three of the vulnerabilities are considered “critical” while the vast remainder are ranked as “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.

Vulnerability Spotlight: Privilege escalation in Windows 10 CLFS driver



Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a privilege escalation vulnerability in the Windows 10 Common Log File System. CLFS is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. A malformed CLFS log file could cause a pool overflow, and an adversary could gain the ability to execute code on the victim machine. A regular user needs to open the log file to trigger this vulnerability, but since the bug is triggered at the kernel level, it would give the adversary elevated privileges. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Friday, September 4, 2020

Threat Roundup for August 28 to September 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 28 and Sept. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, September 3, 2020

Threat Source newsletter for Sept. 3, 2020


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers. 

We recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others. Check out our complete details of the threat and our protections here.

We are also excited to show off our fancy new Talos Email Status Portal. Here, you can see any ham or spam you’ve submitted to us for review. 

And, lastly, there’s a new Beers with Talos episode that’s all about FUD. 

Salfram: Robbing the place without removing your name tag





Threat summary


  • Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware.
  • The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others.
  • Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: The presence of a specific string value "Salfram" makes it easy to track over time.
  • Obfuscated binaries are completely different, from both a binary and execution flow graph perspective.
  • The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools.
  • This crypter appears to be undergoing active development and improvement over time.


Wednesday, September 2, 2020

Better email classification, courtesy of you

Cisco customers with Email Security Appliances (ESA) or Cloud Email Security (CES) accounts already know the benefits of Cisco’s email filtering. Every day, millions of malicious emails are automatically sent to the trash bin. Cisco encourages customers to participate in honing those filters by submitting incorrectly classified email through the Cisco Security email plug-in or by direct email. 

Introducing the Email Status Portal for TalosIntelligence.com 

The new Cisco Talos Email Status Portal allows customers to: 
  • View mail samples submitted and their statuses
  • See graphical displays of submission metrics
  • Administer domains and user access
  • Generate reports of this data

Tuesday, September 1, 2020

Beers with Talos ep. #91: Get the FUD out



Beers with Talos (BWT) Podcast episode No. 91 is now available. Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Aug. 14, 2020


Let’s talk about FUD. It’s not enough to just say FUD sucks. Let’s talk about exactly how and why producers of FUD are garbage nightmare monster people. We also cover how they are actually damaging themselves, not just the people and organizations that buy their hype. We have rather strong opinions on this, so we invited Meredith Corley, an actual professional on the topic, to break it down for us all. Meredith is our security communications and PR director (previously of Cisco Duo and BlackHat fame) and takes us through spotting, defusing and refuting FUD in the security community. And for more on FUD, you can also listen to the Talos Takes episode covering this topic.

Vulnerability Spotlight: Code execution, memory corruption vulnerabilities in Accusoft ImageGear


Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit to assist users with image conversion, creation, editing and more. There are vulnerabilities in certain functions of ImageGear that could allow an attacker to execute code on the victim machine or corrupt the memory of the application.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update is available for affected customers.

Quarterly Report: Incident Response trends in Summer 2020



By David Liebenberg and Caitlin Huey.

For the fifth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. Infections involved a wide variety of malware families including Ryuk, Maze, LockBit, and Netwalker, among others. In a continuation of trends observed in last quarter’s report, these ransomware attacks have relied much less on commodity trojans such as Emotet and Trickbot. Interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. We continued to see ransomware actors engage in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.

For a more complete breakdown with more information, you can check out the full report summary here.