Friday, January 29, 2021

Threat Roundup for January 22 to January 29


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 22 and Jan. 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #39: SolarWinds' implications for IoT and OT

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

This week, we're continuing our deep dive into the SolarWinds campaign. After Nick Biasini gave us a broad overview of supply chain attacks last week, Joe Marshall joins the show today to talk about how this attack has wide-reaching consequences in the internet-of-things and operational technology spaces. For a good primer for this show, read Joe's blog post he co-authored on Cisco.com here, and Talos' coverage here.

As always, you can subscribe to Talos Takes and listen to our backlog using any of the links below on your podcatcher of choice.

Thursday, January 28, 2021

Threat Source newsletter (Jan. 28, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Unfortunately, I don’t have any stock tips to give you to help you get rich overnight. But I do have two Vulnerability Spotlights you should read so your network can stay safer. We disclosed multiple vulnerabilities in phpGACL and Micrium uc-HTTP. There are patches available for both products and Snort rules for extra coverage. 

The biggest news in the security community this week is the recent disclosure that a state-sponsored actor is targeting security researchers across the globe. There were multiple Talos researchers targeted in this attack, but there are no security risks at this time and our researchers were not compromised in any way.

Wednesday, January 27, 2021

Vulnerability Spotlight: Multiple vulnerabilities in phpGACL class



Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in the phpGACL class. One of these vulnerabilities also affects OpenEMR, a medical practice management software written in PHP. phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List. An adversary could exploit these vulnerabilities by sending the target machine a specially crafted, malicious HTTP request or URL.

In accordance with our coordinated disclosure policy, Cisco Talos worked with phpGACL and OpenEMR to ensure that these issues are resolved and that an update is available for affected customers.

Tuesday, January 26, 2021

Nation-state campaign targets Talos researchers



Google's Threat Analysis Group published a blog Monday evening warning of an ongoing campaign attempting to compromise security researchers. Google TAG's blog outlines the attacker's motivations and various TTPs used in these attacks.

Vulnerability Spotlight: Denial-of-service vulnerabilities in Micrium uc-HTTP’s HTTP server



Kelly Leuschner of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two vulnerabilities in Micrium uc-HTTP’s HTTP server that could cause denial-of-service conditions. An attacker could trigger these vulnerabilities by targeting the user machine with specially crafted HTTP requests. The uC-HTTP server implementation is designed to be used on embedded systems running the µC/OS II or µC/OS III RTOS kernels. This HTTP server supports many features, including persistent connections, form processing, chunked transfer encoding, HTTP header fields processing, HTTP query string processing and dynamic content.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Micrium to disclose these vulnerabilities and ensure that an update is available.

Friday, January 22, 2021

Threat Roundup for January 15 to January 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 15 and Jan. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #37: What's with all this talk about supply chain attacks?



The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

The major SolarWinds campaign has been generating headlines for weeks now. And while its specific targets make this attack unique, this is far from the first-ever supply chain attack. So what is a supply chain attack? And should your organization be prepared for them? In this episode of Talos Takes, Nick Biasini talks about the history of supply chain attacks, and how they can even be traced back to the 1970s.

Thursday, January 21, 2021

Threat Source newsletter (Jan. 21, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We know it’s hard to focus on anything happening outside of Washington, D.C. this week. But we would be remiss if we didn’t mention the exciting news that the Snort 3 GA is officially out now! This update has been literally years in the making and is a major upgrade to Snort’s performance and its level of customization. Here’s our announcement post from Tuesday, and for the official downloads and even more resources, check out the Snort 3 hub page.

Talos is also hiring for multiple positions. Please bookmark our Careers page and come back every so often to see if we have any new listings up. But we have several openings now for security experts who want to join our team. 

Tuesday, January 19, 2021

Vulnerability Spotlight: Multiple vulnerabilities in PrusaSlicer



Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two out-of-bounds write vulnerabilities in Prusa Research’s PrusaSlicer. Prusa Slicer is an open-source 3-D printer slicing program forked off Slic3r that can convert various 3-D model file formats and can output corresponding 3-D printer-readable Gcode. Two functions in the software could be exploited with specially crafted OBJ and AMF files to cause an out-of-bounds write condition or a buffer overflow, and then execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Prusa Research to disclose these vulnerabilities and ensure that an update is available.

Monday, January 18, 2021

Beers with Talos Ep. #99: P@ssw0rds and closing out 2020


Beers with Talos (BWT) Podcast episode No. 99 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded late November 2020.

We recorded this episode toward the end of 2020 and since then, it's lived a quiet, but meaningful life in the production queue patiently waiting its turn to get released. In this episode, we dig into a discussion on passwords and some issues and how they apply conceptually and in practice. Passwords aren’t inherently problematic, but how they are used...sometimes is. We discuss best practices to share with your friends and also touch on MFA (and SMS as an option of last resort). Craig seems to think lock analogies are key to understanding everything. The session was two hours long and this is the balance remaining after decency and standards review.

All of us want to thank you for listening and making three years and (almost) 100 episodes of Beers with Talos possible. Cheers.

Friday, January 15, 2021

Threat Roundup for January 8 to January 15


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 8 and Jan. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, January 14, 2021

Threat Source newsletter (Jan. 14, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Microsoft released its monthly security update this week, disclosing 83 vulnerabilities across its suite of products to kick off 2021. Our blog post has the most important vulnerabilities you need to know about, along with our released Snort rules to keep your network protected.

TalosIntelligence.com users will also want to check out the list of our new Content and Threat Categories that will provide you with sufficient intelligence details to allow you to make informed decisions to protect your network without disrupting your organization’s productivity. 

Tuesday, January 12, 2021

Microsoft Patch Tuesday for Jan. 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Asheer Malhotra. 

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across its suite of products to kick off 2021.

There are only 10 critical vulnerabilities as part of this release, while there are two moderate-severity exploits, and the remainder is considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs.  

The security updates cover several different products and services, including the Microsoft Defender antivirus software, the Microsoft Remote Procedure Call tools and Bluetooth communication with Windows devices.

Monday, January 11, 2021

Changes to Cisco Talos’ Content and Threat Category lists

Cisco Talos is happy to announce the upcoming changes to our Content and Threat Category lists. Our goal is to provide you with sufficient intelligence details to allow you to make informed decisions to protect your network without disrupting your organization’s productivity. These changes will give you additional details needed to make more informed decisions for your network.

Thursday, January 7, 2021

Threat Source newsletter (Jan. 7, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers and welcome to the first Threat Source newsletter of 2021. 

We hit the ground running already this year with a new Beers with Talos episode. It was recorded back in 2020, but the lessons regarding ransomware attacks and how actors choose their targets are still very much relevant.  

On the written word front, we have a full, technical breakdown of a recent Lokibot strain we’ve seen in the wild. Check out the full post to see how this malware infects a target and what defenders can learn from this. 

Vulnerability Spotlight: Denial-of-service vulnerability in Rockwell Automation RSLinx


Alexander Perez-Palma of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a denial-of-service vulnerability in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic. An attacker could exploit this vulnerability by sending the target a series of malicious packets. RSLinx Classic software is a communication server for the MicroLogix 1100 Programmable Controller. It helps plant devices communicate with other Rockwell server and client applications.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Rockwell Automation to ensure that these issues are resolved and that an update is available for affected customers.

Wednesday, January 6, 2021

A Deep Dive into Lokibot Infection Chain

By Irshad Muhammad, with contributions from Holger Unterbrink.

News summary

  • Lokibot is one of the most well-known information stealers on the malware landscape. In this post, we'll provide a technical breakdown of one of the latest Lokibot campaigns.
  • Talos also has a new script to unpack the dropper's third stage.
  • The actors behind Lokibot usually have the ability to steal multiple types of credentials and other sensitive information. This new campaign utilizes a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine.

Tuesday, January 5, 2021

Vulnerability Spotlight: Multiple vulnerabilities in SoftMaker Office TextMaker



A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in SoftMaker's TextMaker software. A user could trigger these vulnerabilities by opening an attacker-created, malicious document. An adversary could use these documents to create a variety of malicious conditions on the victim machine.

SoftMaker Software GmbH is a German software company that develops and releases office software. Their flagship product, SoftMaker Office, allows users to carry out multiple tasks, including word processing, spreadsheet creation, presentation design, and even allows for scripting. The SoftMaker Office suite supports a variety of common document file formats, as well as a number of internal formats that the user may choose to use when performing their necessary work. These vulnerabilities specifically exist in TextMaker, which is one portion of the SoftMaker Office suite.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SoftMaker Software to disclose these vulnerabilities and ensure that an update is available.

Vulnerability Spotlight: Multiple vulnerabilities in Genivia gSOAP



A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered multiple vulnerabilities in various Genivia gSOAP toolkit plugins. These vulnerabilities could allow an attacker to carry out a variety of malicious activities, including causing a denial of service on the victim machine or gaining the ability to execute arbitrary code. 

The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options, including modules for IIS and Apache, standalone CGI scripts and its own standalone HTTP service.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Genivia to disclose these vulnerabilities and ensure that an update is available.

Monday, January 4, 2021

Beers with Talos Ep. #98: Why ransomware actors are (and aren’t) targeting health care

Beers with Talos (BWT) Podcast episode No. 98 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

By Mitch Neff.

Recorded early November 2020.

This is an episode we recorded in early November but got pushed back in the end-of-year shuffle to make production schedules work. We’re happy to put this one out now with somewhat belated takes on (somewhat recent) health care ransomware attacks. We discuss a few key questions that are rather evergreen. Why is health care targeted in this way (and other verticals for that matter)? What defines a “high value” target to a ransomware actor? How can targeted entities better defend themselves?