Monday, June 28, 2021

Vulnerability Spotlight: Memory corruption vulnerability in PowerISO’s DMG handler



Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered a memory corruption vulnerability in PowerISO’s handler that deals with DMG files. 

PowerISO is a CD/DVD/BD image file processing tool that allows users to open, extract, burn, create, edit, compress, encrypt, split and convert ISO files, and to mount ISO files with an internal virtual drive. Recent versions add support for the Apple Disk Image file format, also known as DMG files.

Friday, June 25, 2021

Threat Roundup for June 18 to June 25


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 18 and June 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #58: How to approach the partnerships it will take to defend critical infrastructure

By Jon Munshaw.

With major cyber attacks in recent years against major U.S. critical infrastructure suppliers like Norsk Hydro and Colonial Pipeline, we’re in a new world of CI cybersecurity. New threats require new approaches to defense. And in the U.S., this is likely going to include partnerships between those who manage critical infrastructure, government and the private cybersecurity sector.

Talos recently outlined what this may look like in America. One of the authors of that post, Joe Marshall joins the show this week to talk about public-private partnerships to defend critical infrastructure.

Thursday, June 24, 2021

Beers with Talos, Ep. #106: Is more than executive action in order?

Beers with Talos (BWT) Podcast episode No. 106 is now available. Download this episode and subscribe to Beers with Talos.


By Mitch Neff.

Recorded May 20, 2021.

Craig wins MVP of the podcast for his attempts to avoid discussing… something. Anyway, we went a little long on this podcast, but stick with us as we wind through the recent executive order on cybersecurity, and then discuss another… interesting take on how we should combat these new threats. I feel almost obligated to let you know before you listen that it’s a letter-of-marque take, and oddly, we all agreed on something.

Threat Source newsletter (June 24, 2021)


Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020, and we've seen recent campaigns that are showing the damage can only get worse.

Attackers are taking over businesses' emails and then sending employees and customers messages themed around everything from COVID-19 to PlayStation 5 sales. So while BEC may not seem like the most exciting threat out there, it's still one that can't be ignored.

Tuesday, June 22, 2021

Attackers in Executive Clothing - BEC continues to separate orgs from their money


By Nick Biasini.

In today's world of threat research, the focus tends to be on the overtly malicious practice of distributing and installing malware on end systems. But this is far from the complete picture of the threats organizations face. One of the most costly, if not the most costly, is something far less sophisticated: Business Email Compromise (BEC). BEC can take a wide array of forms, but its goal is relatively simple — trick an unsuspecting user into giving the attacker something. We've seen a recent rise in these types of attacks, with adversaries still using COVID-19 as a major lure topic to draw unsuspecting victims into turning over important personal and financial information.

Looking at conservative estimates, business email compromise losses are in the billions, with the FBI stating that in 2020 alone losses approached $1.8 billion. This is an extremely lucrative enterprise with a low barrier to entry. Other forms of cybercrime are tougher to enter because the actor needs to source the malware they are going to distribute and have enough knowledge to set up and run the associated infrastructure — or at the very least, pay someone who does. Either way, this takes a significant amount of time and effort, whereas BEC removes the majority of those barriers.

Business Email Compromise starts as a lot of cybercrime does: with an email. These emails can vary widely in content and design, but they are almost always spoofed to look like they are coming from someone important. The other common thread is that they will almost always ask for some type of assistance. The type of request varies widely, as we'll demonstrate throughout this blog, but the resulting ask is always financial in nature and will require the recipient to purchase something or wire funds somewhere. So let's walk through some examples of what we've seen over the past year.

Friday, June 18, 2021

Talos Takes Ep. #57: A ransomware-as-a-service explainer

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

How much is ransomware-as-a-service like a McDonald’s franchise? More similar than you’d think! The RaaS model has entered the mainstream over the past few months with groups such as DarkSide attacking the Colonial Pipeline.

In these transactions, what’s in it for the original ransomware creator? And what do the operators themselves get out of it? Nick Biasini joins the show this week to talk about this business model, what it means for the rise in ransomware attacks, and how you can stay protected.

Thursday, June 17, 2021

Threat Roundup for June 11 to June 17


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 11 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Threat Source newsletter (June 17, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

Although the Colonial Pipeline attack is largely behind us now, its potential repercussions are not. This was just the latest in a string of attacks against American critical infrastructure over the past few years, and we don't expect them to slow down any time soon.

Talos researchers have outlined a series of steps critical infrastructure organizations can take to secure their networks, and what the government needs to do to protect physical property and prevent potential life-threatening attacks. If you are experiencing an emergency or in need of an incident response retainer, Cisco Talos Incident Response is available for proactive and emergency response. 

Wednesday, June 16, 2021

Vulnerability Spotlight: EIP Stack Group OpENer information disclosure vulnerability



Martin Zeiser of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable information disclosure vulnerability in EIP Stack Group OpENer’s EtherNet/IP UDP handler.

OpENer is an EtherNet/IP stack for I/O adapter devices that includes objects and services for making EtherNet/IP-compliant products, as defined in the ODVA specification.

Tuesday, June 15, 2021

What’s past is prologue – A new world of critical infrastructure security



By Caitlin Huey, Joe Marshall and Thomas Pope.

Attackers have targeted American critical infrastructure several times over the past few years, putting at risk U.S. electrical grids, oil pipelines and water supply systems. However, we collectively have not responded in a meaningful way to these attacks. This inaction has now led to a failure to protect our oil and natural gas (ONG) infrastructure, resulting in fuel shortages across wide swaths of the U.S. earlier this year. This, in turn, has prompted federal executive action emphasizing protecting critical ONG infrastructure and responding to ransomware attacks in this space. ONG companies must take heed – proactive and holistic security can protect their enterprises and critical infrastructure.

Friday, June 11, 2021

Threat Roundup for June 4 to June 11


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 4 and June 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #56: The first security steps you should take when you return to the office

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We started out the COVID-19 pandemic by thinking we'd be away from the office for a month — maybe two. More than 12 months later, we're still here, working from home (at least part-time).

But some businesses are starting to reopen now and welcoming workers back into the office. After so much time working out of the office, what should security professionals do once they get back? In this week's episode, Beers with Talos' own Craig Williams joins the show to talk about triple-checking for patches, changing passwords and more. Plus, how should you handle the new hybrid worker?

Thursday, June 10, 2021

Threat Source newsletter (June 10, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We seriously can't escape from ransomware. It's in the headlines constantly and has now drawn the full attention of the federal government. But we at Talos recognize that it is going to take far more than just words to address this global threat. In an opinion piece we published this week along with the Cyber Threat Alliance, we outlined some steps we feel the government and private sector need to take to ensure physical life and property, critical infrastructure and the economy are all protected from ransomware.

While you're on our blog, you should also head over to the new Cisco Talos Incident Response web page. We have updated CTIR's list of offerings and given it a few visual overhauls that we think you'll love.

Back in the security space, we also had Microsoft Patch Tuesday this week. The company disclosed several vulnerabilities that they've seen actively exploited in the wild, so you should patch all of your Microsoft products if you haven't already.

Quarterly Report: Incident Response trends from Spring 2021



By David Liebenberg and Caitlin Huey

While the security community made a great effort to warn users of the exploitation of several Microsoft Exchange Server zero-day vulnerabilities, it was still the biggest threat Cisco Talos Incident Response (CTIR) saw this past quarter. These vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, comprised around 35 percent of all incidents investigated.   

This shows that when a vulnerability is recently disclosed, severe, and widespread, CTIR will often see a corresponding rise in engagements in which the vulnerabilities in question are involved. Thankfully, the majority of these incidents involved scanning and not post-compromise behavior, such as file encryption or evidence of exfiltration.  

While CTIR’s focus was largely on the Microsoft Exchange Server vulnerabilities this quarter, ransomware continued to be a persistent and growing problem. This quarter featured several ransomware families that we have not previously encountered in CTIR engagements, including MountLocker, Zeppelin and Avaddon. These families fit the ransomware-as-a-service (RaaS) model and are typically deployed with Cobalt Strike and are delivered by an initial commodity trojan loader. These ransomware families also engage in double extortion, threatening to publish victim data if the ransom demand is not met. 

Tuesday, June 8, 2021

Vulnerability Spotlight: Code execution vulnerability in Google Web Audio API



Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered two use-after-free vulnerabilities in Google’s Web Audio API that an adversary could exploit to execute remote code on the victim machine. Web Audio API is a high-level JavaScript API for processing and synthesizing audio in web applications. These vulnerabilities specifically exist in the Google Chrome web browser’s instance of this API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Google to ensure that these issues are resolved and an update is available for affected customers.

Microsoft Patch Tuesday for June 2021 — Snort rules and prominent vulnerabilities



By Jon Munshaw, with contributions from Edmund Brumaghin. 

Microsoft released its monthly security update Tuesday, disclosing 51 vulnerabilities across its suite of products, breaking the 16-month record set last month for the fewest vulnerabilities the company has disclosed in a month.

Only four critical vulnerabilities are patched this month, while all the others are considered “important.” However, Microsoft states that several of the vulnerabilities are being actively exploited in the wild.

This month’s security update provides updates for several pieces of software and Windows functions, including SharePoint Server, the Windows kernel and Outlook. For a full rundown of these CVEs, head to Microsoft’s security update page.

Monday, June 7, 2021

Intelligence-driven disruption of ransomware campaigns

By Neil Jenkins and Matthew Olney.

Note: Our guest co-author, Neil Jenkins, is the Chief Analytic Officer at the Cyber Threat Alliance. He leads the CTA's analytic efforts, focusing on the development of threat profiles, adversary playbooks and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy and operational planning for both the public and private sectors.

As the headlines show, ransomware has become a threat to national security, life safety and critical infrastructure. As a result, the U.S. Department of Justice recently announced it would be giving ransomware attacks priority similar to that given to terrorism. None of this is a surprise to the more than 60 experts who came together this year under the umbrella of the Ransomware Task Force (RTF), an effort to produce a comprehensive set of recommendations to international governments and private-sector partners on how to address this threat. In fact, the report — issued just days before the Colonial Pipeline attack — begins by saying, "Ransomware attacks present an urgent national security risk around the world."

As contributors to the report, we'd like to drill into the second priority recommendation issued by the group, calling for "...a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign…" To a large extent, we have left the private sector to deal with the ransomware threat by themselves, and when an incident has occurred, we have treated it as a law enforcement matter. Both of these approaches have failed. When the actor only needs to find any flaw in any company or organization's defenses, then they will continue to be successful. When the primary threat society puts forth to deter these activities is "you'll go to jail" and the actors are hiding in countries that have shown no interest in cooperating with law enforcement activities for these behaviors, there is no deterrence.

Friday, June 4, 2021

Threat Roundup for May 28 to June 4


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 28 and June 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, June 3, 2021

Threat Source newsletter (June 3, 2021)



Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

If you didn't catch us live yesterday, we've uploaded the full version of our stream on Discord and Slack malware to our YouTube page. Chris Neal from Talos Outreach walked through his recent research into these campaigns targeting collaboration apps. Find out what Chris and his team discovered on these apps that have become crucial to work and communication in 2021.

Necro Python bot adds new exploits and Tezos mining to its bag of tricks


By Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.

News summary

  • Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of infecting vulnerable systems. The bot contains exploits for more than 10 different web applications and the SMB protocol.
  • Cisco Talos recently observed increased activity of the bot, first discovered in January 2021, in Cisco Secure Endpoint product telemetry, although the bot has been in development since 2015, according to its author.
  • This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Exploit Public-Facing Application - T1190, Scripting - T1064, PowerShell - T1059.001, Process Injection - T1055, Non-Standard Port - T1571, Remote Access Software - T1219, Input Capture - T1056, Obfuscated Files or Information - T1027 and Registry Run Keys/Startup Folder - T1547.001.


What's new?

Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications to the addition of new exploits for spreading, most notably for vulnerabilities in VMware vSphere, SCO OpenServer and Vesta Control Panel, as well as SMB-based exploits that were not present in earlier iterations of the code.


How did it work?

The infection starts with successful exploitation of a vulnerability in one of the targeted applications or the operating systems. The bot targets Linux-based and Windows operating systems. A Java-based downloader is also used for the initial infection stage. The malware uses a combination of a standalone Python interpreter and a malicious script, as well as ELF executables created with pyinstaller.

The bot can connect to a C2 server using IRC and accepts commands related to exploitation, launching distributed denial-of-service attacks, configuration changes and RAT functionality to download and execute additional code or sniff network traffic to exfiltrate the captured data.

The bot hides its presence on the system by installing a user-mode rootkit designed to hide the malicious process and malicious registry entries created to ensure that the bot runs every time a user logs into the infected system.

A significant part of the code is dedicated to downloading and running the XMRig Monero miner. The bot also injects code that downloads and executes a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems. If a user opens the infected application, a JavaScript-based Monero miner will run within their browser's process space.

So what?

Necro Python bot shows an actor that follows the latest developments in remote command execution exploits for various web applications and incorporates the new exploits into the bot. This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of their applications, not just operating systems.

Here, we are dealing with a self-replicating, polymorphic bot that attempts to exploit server-side software for spreading. The bot is similar to others, like Mirai, in that it targets small and home office (SOHO) routers. However, this bot uses Python to support multiple platforms, rather than downloading a binary specifically compiled for the targeted system.

Wednesday, June 2, 2021

Vulnerability Spotlight: Use-after-free vulnerability in WebKit

Marcin Towalski of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The WebKit browser engine contains a use-after-free vulnerability in its GraphicsContext function. Malicious web page code could trigger a use-after-free error, which could lead to a potential information leak and memory corruption. An attacker could exploit this vulnerability by tricking the user into visiting a specially crafted, malicious web page.

In accordance with our coordinated disclosure policy, Cisco Talos worked with WebKit to ensure that this issue is resolved and that an update is available for affected customers.

Vulnerability Spotlight: A deep dive into macOS SMB server



By Aleksandar Nikolich.

Executive summary

Cisco Talos recently discovered multiple vulnerabilities in macOS’s implementation of SMB server. An adversary could exploit these vulnerabilities to carry out a variety of malicious actions, including revealing sensitive information on the server, bypassing certain cryptographic checks, causing a denial of service or executing remote code on the targeted server. Cisco Talos worked with Apple to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy. Users are encouraged to update to the latest macOS version as soon as possible to patch these vulnerabilities.

Tuesday, June 1, 2021

Vulnerability Spotlight: Multiple vulnerabilities in Accusoft ImageGear



Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Accusoft ImageGear.

The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats, such as DICOM, PDF and Microsoft Office. The vulnerabilities Talos discovered could allow an attacker to carry out various malicious actions, including corrupting memory on the victim machine and executing remote code.