Friday, April 16, 2021

Threat Roundup for April 9 to April 16


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 9 and April 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #49: LodaRAT keeps growing... and growing

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Chris Neal from Talos Outreach has followed LodaRAT for years now. It’s gone from a fairly small threat to fully fledged malware with several features that target all sorts of Android devices. Chris joins the show this week to discuss his history of researching LodaRAT and updates us on its latest TTPs. Find out how this trojan tries to trick users into downloading it on their phones and how it hunts for your banking information.

Thursday, April 15, 2021

Threat Source Newsletter (April 15, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

If you missed our webinar last week, we've got you covered. We've uploaded an extended version to our YouTube page that includes the scripts used in the presentation. This video will show you how to reverse-engineer and detect Android malware.

We also had Patch Tuesday this week, which featured some more vulnerabilities in Microsoft Exchange Server. Here is a full breakdown of the issues you should know about and Snort rules to keep users protected from exploitation. Cisco Talos researchers specifically discovered multiple vulnerabilities in Azure Sphere that were patched this month. For more on those specifically, check out the full Vulnerability Spotlight.

Threat Advisory: NSA SVR Advisory Coverage

The U.S. National Security Agency released an advisory outlining several vulnerabilities that the Russian Foreign Intelligence Services (SVR) is exploiting in the wild. The U.S. formally attributed the recent SolarWinds supply chain attack to the SVR group in this advisory and detailed more of the group's tactics, techniques and procedures.

The exploits included a series of five CVEs that affect VPN solutions, collaboration suite software and virtualization technologies. All five of the CVEs have been patched — Cisco Talos encourages everyone with the affected software to update immediately. Some of these vulnerabilities also have working Metasploit modules and are currently being widely exploited. Please note that some of these vulnerabilities affect applications that communicate over SSL/TLS. This means that users should enable SSL decryption in Cisco Secure Firewall and Snort to detect exploitation of these vulnerabilities. For an example of this, see how it can be done to protect against exploits used by the Hafnium threat actor here.

Below, we'll outline the vulnerabilities the NSA highlighted, along with Snort rules that will keep users protected from exploitation. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Wednesday, April 14, 2021

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere

Claudio Bozzato and Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodic verification of device integrity to determine whether or not the device should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere that could lead to unsigned code execution and kernel privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere and follows the multiple vulnerabilities we disclosed in 2020. Microsoft patched these vulnerabilities as part of their Patch Tuesday releases in March and April. For more on the rest of the issues disclosed as part of April’s update, check out our post here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, April 13, 2021

Microsoft Patch Tuesday for April 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Vanja Svajcer. 

Microsoft released its monthly security update Tuesday, disclosing 108 vulnerabilities across its suite of products, the most in any month so far this year.

Four new remote code execution vulnerabilities in Microsoft Exchange Server are included in today's security update. Microsoft disclosed multiple zero-day vulnerabilities in Exchange Server earlier this year that attackers were exploiting in the wild. Talos encourages everyone with an affected product to update as soon as possible if they have not already and put other mitigation strategies into place in the meantime. Users can also detect the exploitation of the previously disclosed vulnerabilities with Cisco Secure IPS.

The new vulnerabilities Microsoft disclosed today are identified as CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483 — all of which are critical, and the highest of which has a CVSS severity score of 9.8 out of 10.

In all, there are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. The remainder are all rated “important.”

Twelve of the critical vulnerabilities exist in the remote procedure call runtime — all of which require no user interaction and could allow an attacker to execute remote code on the victim machine. For a full rundown of these CVEs, head to Microsoft’s security update page.

Vulnerability Spotlight: Multiple vulnerabilities in OpenClinic’s GA web portal

Yuri Kramarz of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in OpenClinic’s GA web portal. OpenClinic GA is an open-source, fully integrated hospital management solution. The web portal allows users to manage administrative, financial, clinical, lab, x-ray and pharmacy data for health care facilities. The software contains extensive statistical and reporting capabilities. OpenClinic GA contains several vulnerabilities that could allow an adversary to carry out a wide range of malicious actions, including injecting SQL code into the targeted server or elevating their privileges.

In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenClinic to disclose these vulnerabilities and ensure that updates are available.

Monday, April 12, 2021

Recording: Analyzing Android Malware — From triage to reverse-engineering

It's easy to get wrapped up worrying about large-scale ransomware attacks on the threat landscape. These are the types of attacks that make headlines and strike fear into the hearts of CISOs everywhere. But if you want to defend against the truly prolific and widespread threats that target some of the devices closest to us, you need to be on the lookout for mobile malware.

Many actors are deploying malware that targets Android devices — devices that fit in our pockets. Attackers are always targeting Android, given that it's the most popular mobile operating system in the world.

If you want to stay up to date on the latest Android malware, you don't want to miss our latest webinar. You can watch the full recording of "Analyzing Android Malware — From triage to reverse-engineering" above or over on our YouTube page.

Friday, April 9, 2021

Threat Roundup for April 2 to April 9


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 2 and April 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Talos Takes Ep. #48: The complete history of ObliqueRAT

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

After researching and writing about ObliqueRAT for several months now, Asheer Malhotra joins Talos Takes for the first time to discuss this trojan. We’ve seen this malware evolve over the past year or so to add new evasion techniques and find ways to avoid email filters and usual antivirus protections. Asheer talks about his history researching this malware and provides some advice on how to avoid email spam and the other maldocs these actors try to spread.

Thursday, April 8, 2021

Threat Source Newsletter (April 8, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We've all heard about spam coming through your email or those robocalls we all hate. But during the COVID-19 pandemic, attackers are now turning to chat rooms and gaming servers to spread spam. Talos researchers this week unveiled multiple malware campaigns spreading through sites like Discord and Slack, which have become increasingly popular as more and more people work from home.

Beers with Talos is also back this week after going quiet for a few weeks. The show's back with a mailbag episode, where the guys answer your Twitter questions. And they don't waste any time getting to Craig's robot problems.

Wednesday, April 7, 2021

Beers with Talos Ep. #102: Twitter has questions for us


Beers with Talos (BWT) Podcast episode No. 102 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded Feb. 23, 2021

We’ve been quiet for a minute, but we have a few new episodes in the bank now, starting with some of your questions from Twitter. And yes, one of the first questions concerns Craig and the robots. Do you have a question you’d like to ask us for the next listener questions episode? Send us a tweet (links below). Ask us anything security-related or something else entirely. It’s your question, I’m not going to tell you what to ask.

Sowing Discord: Reaping the benefits of collaboration app abuse

By Nick Biasini, Edmund Brumaghin, and Chris Neal with contributions from Paul Eubanks.

  • As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.
  • Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.
  • Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments.
  • RATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.

Executive summary


Abuse of collaboration applications is not a new phenomenon and dates back to the early days of the internet. As new platforms and applications gain in popularity, attackers often develop ways to use them to achieve their mission objectives. Communications platforms like Telegram, Signal, WhatsApp and others have been abused over the past several years to spread malware, to carry command and control communications, and for other nefarious purposes.

As the COVID-19 pandemic spread across the globe in 2020, organizations made significant changes to their work routines across virtually every industry. One major shift was the move to remote working arrangements which coincided with increased reliance on new interactive communications platforms like Discord and Slack. While both of these platforms have existed for some time, recent changes to employee workflows have led to an increased reliance upon them for conducting business. In many cases, these platforms provide rich environments that can be used for communication and collaboration professionally and personally. As the pandemic continued, we observed several threat actors changing their tactics, techniques and procedures to compensate for these new enterprise workflows. We previously described how many threat actors began taking advantage of public interest in COVID-19 related information here and here. Over the past year, we have also observed a significant increase in the abuse of many of these collaboration platforms to facilitate malware attacks against various organizations. Attackers are looking to spread ransomware via these rooms and use the platforms to spread traditional malspam lures used to infect victims.

Friday, April 2, 2021

Threat Roundup for March 26 to April 2


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 26 and April 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Talos Takes Ep. #47: Looking back at the Masslogger trojan

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We return to our usual formatting this week to discuss the Masslogger trojan. We covered this threat earlier this year in a full blog post, where we outlined how these adversaries were looking to steal users' login credentials to Microsoft Outlook and Google Chrome. Nick Biasini comes on to discuss the ins and outs of Masslogger, and why you shouldn't look past this threat despite it not making massive headlines.

Thursday, April 1, 2021

Threat Source Newsletter (April 1, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

We hope you’re enjoying Cisco Live this week and only reading this after you’ve caught up on your sessions for the day.

No April Fool’s jokes here (thankfully) — we are just excited to tell you that applications are now open for the Snort scholarship. Find out how to apply here and read the complete rules here.

And speaking of things that aren’t funny, who likes to be tricked into downloading malware when they’re just trying to turn on some Thomas the Train mods in “Skyrim?” We are tracking a malware campaign that hides inside video game cheat engines and other “mods.” Our blog post has a complete reverse-engineering of the cryptor used in this case that’s going to be useful for all defenders.

Wednesday, March 31, 2021

Vulnerability Spotlight: Out-of-bounds write vulnerabilities in Accusoft ImageGear

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple out-of-bounds write vulnerabilities in Accusoft ImageGear that an adversary could exploit to corrupt memory on the targeted machine. The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF and Microsoft Office. A user could trigger these vulnerabilities by opening an attacker-created, malicious file.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and an update is available for affected customers.

Cheating the cheater: How adversaries are using backdoored video game cheat engines and modding tools


By Nick Lister and Holger Unterbrink, with contributions from Vanja Svajcer.

News summary

  • Cisco Talos recently discovered a new campaign targeting video game players and other PC modders.
  • Talos detected a new cryptor used in several different malware campaigns hidden in seemingly legitimate files that users would usually download to install cheat codes into video games or other visual and game modifications (aka "mods").
  • The cryptor uses Visual Basic 6 along with shellcode and process injection techniques.
  • We have a full analysis of the VB6 header of one of the samples used in these campaigns and provide a detailed walkthrough for security analysts.

What's new?

The cryptor in this campaign uses several obfuscation techniques that make it difficult to dissect, and could pose a challenge for security analysts not familiar with Visual Basic 6. Our analysis provides insight into the adversaries' tactics and how the cryptor works in detail. These types of attacks are a return to form for classic virus campaigns — video game players are no strangers to trying to avoid malicious downloads while trying to change the game they're playing.

How did it work?

Video game players may opt to download certain cheats or modifications (aka "mods") to change the way some games are presented. The adversaries use these gaming and OS modding tools as carriers for hidden malware to infect their victims. We have seen several small tools that look like game patches, tweaks or modding tools, but are backdoored with malware obfuscated with this cryptor.

So what?

Defenders need to be constantly vigilant and monitor the behavior of systems within their network. As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees. Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job. This is a serious threat to enterprise networks.

Friday, March 26, 2021

Threat Roundup for March 19 to March 26


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 19 and March 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Talos Takes Ep. #46: Everything you could ever hope to know about Snort 3

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We've got another special XL episode this week, this time about Snort 3. This roundtable covers everything you could know about Snort 3's life, going back as far as its inception in the early 2010s. We even went out of our way to get Marty Roesch, the creator of Snort.

Marty, along with our other panelists, discusses the origins of Snort 3, what benefits you can gain by upgrading and what other features you can expect to see in the future.

With Snort 3, rules are faster and more efficient, users have more control over their Snort experience, and it runs on multiple environments and operating systems. We encourage everyone to shift over to Snort 3 from any version of Snort 2. You can download the source from snort.org or pull it from GitHub.

Thursday, March 25, 2021

Threat Source Newsletter (March 25, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

The Cisco Talos Incident Response team has several new, valuable insights into the threat landscape in the latest Quarterly Trends report. This post highlights the malware families our researchers are seeing most often in the field, and what tactics adversaries are using to infect victims.

We also have a new walkthrough available on the Talos blog of how to use Cisco Secure IPS to detect and protect against the Hafnium zero-day vulnerabilities in Microsoft Exchange Server.

On the Snort end of things, we have a new roundtable video up on our YouTube page talking about the history of Snort 3. We even managed to get Marty Roesch, the creator of Snort, on. Watch the full discussion below to find out how Snort 3 even came to be in the first place and why you should upgrade today.

Wednesday, March 24, 2021

Quarterly Report: Incident Response trends from Winter 2020-21

By David Liebenberg and Caitlin Huey

For the seventh quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. The top variants were Ryuk and Vatet, which is notable given the absence of Ryuk last quarter. We also observed variants of Egregor and WastedLocker continuing to target organizations across the globe.

Unlike last quarter, however, these ransomware attacks overwhelmingly relied on phishes delivering commodity trojan maldocs, such as Zloader, BazarLoader and IcedID. Nearly 70 percent of ransomware attacks relied on commodity trojans this quarter. Adversaries also employed commercially available tools such as Cobalt Strike, open-source post-exploitation tools like Bloodhound, and native tools on the victim’s system, such as PowerShell. For a broader breakdown of these trends, check out our summary here.

Tuesday, March 23, 2021

Defending Microsoft Exchange from encrypted attacks with Cisco Secure IPS


This blog was authored by Brandon Stultz

Microsoft released fixes for several critical vulnerabilities in Exchange Server earlier this month. One of these vulnerabilities (CVE-2021-26855) — aka "ProxyLogon" — is especially dangerous. ProxyLogon is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to bypass authentication with just a valid email address. After bypassing authentication, the attacker often exploits an arbitrary file write vulnerability (CVE-2021-27065) to write a JScript web shell on the Exchange server. Once the web shell has been deployed, the attacker has full control over the server.

Cisco Talos has released coverage for the vulnerabilities mentioned above, as well as coverage for web shells observed on compromised Exchange servers in the wild. Like BlueKeep, DejaBlue, and so many other server vulnerabilities, defending against ProxyLogon attacks requires SSL decryption. So, we've created a guide on how to set up SSL decryption on Cisco Secure IPS (NGIPS) to defend against encrypted ProxyLogon attacks.

For more information on the vulnerabilities mentioned above and how to apply the fixes Microsoft has released, please visit the links below:


Friday, March 19, 2021

Threat Roundup for March 12 to March 19


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 12 and March 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Talos Takes Ep. #45: SMS authentication is still around, but that doesn't mean it's a good option

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

While there are many ways to add an extra layer of security to your logins nowadays, SMS is one that should probably be phased out. Yet major companies, organizations and government agencies still rely on it to verify users' identities. To break down why this is still the case, Wendy Nather from Cisco Secure Duo joins Talos Takes this week.

We discuss alternatives to SMS messages when it comes to multi-factor authentication and the dangers of SIM-jacking attacks.

Registration now open for Talos webinar on Android malware

Major ransomware attacks like those against hospital systems and government agencies are always going to make headlines. But some of the most prolific and widespread threats on the landscape today are more about smaller devices and networks — the ones that fit in your pocket.

Attackers are always targeting Android devices given that it’s the most popular mobile operating system in the world. More devices mean more targets and more opportunities for infections.

In Talos’ upcoming webinar “Analyzing Android malware: From triage to reverse-engineering” we will dive deep into the malware currently targeting Android devices and discuss how to dissect these threats and guard against them. Anyone can sign up for the free Webex webinar here.

Thursday, March 18, 2021

Threat Source newsletter (March 18, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.

Start spreading the word now, the Snort scholarship is back for 2021! This year, we’re giving away two $10,000 awards to two college students who are studying cybersecurity or another IT-related field. Applications open on April 1, but we want everyone to start getting their applications together now.

Friday, March 12, 2021

Threat Roundup for March 5 to March 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 5 and March 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.


Talos Takes Ep. #44: A roundtable discussion on SolarWinds

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Welcome to the first-ever XL edition of Talos Takes. This one is a little longer than usual, but we promise you it’s worth it. We recently brought together researchers from all corners of Talos to talk about what we know about SolarWinds so far, and what’s still to be discovered.

Our various teams have spent the past several months diving deep into the SolarWinds supply chain attack, and this is a collection of Talos’ knowledge on the current situation. Talking points include whether it’s fair to refer to this campaign as “SolarWinds,” what other initial infection vectors there may be, the breadth of the attack and more boots-on-the-ground intelligence. If you want to watch the video version, head to our YouTube page.