Wednesday, November 24, 2021

Talos Takes Ep. #78: Attackers would love to buy you a non-existent PS5 this holiday season

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

We know this episode comes around every year, but people keep falling for scams, so we have to remind people how to avoid them.

Tuesday, November 23, 2021

Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage

Cisco Talos is releasing new SNORTⓇ rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer. This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.

Monday, November 22, 2021

A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades

Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere

By Claudio Bozzato and Lilith [>_>].

In May 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. In the first three months, Cisco Talos reported 16 vulnerabilities. Our analysis continued intermittently, and eventually, we discovered and reported a total of 31 published vulnerabilities, two of which were present in the Linux kernel itself.

We already released several blog posts about Azure Sphere (see blog posts 1, 2, 3, 4, 5). Today, we’re putting a bow on our research by summarizing what we’ve found and how attackers could exploit them, and what that would mean for the user. We also have another blog post coming next week that will detail how we exploited a chain of two vulnerabilities to gain arbitrary kernel code execution.

Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet

Yuri Kramarz discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Advantech R-SeeNet monitoring software. 

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. 

TALOS-2021-1366 (several CVEs, please refer to advisory for more information), TALOS-2021-1365 (CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923), TALOS-2021-1363 (CVE-2021-21915, CVE-2021-21916, CVE-2021-21917) and TALOS-2021-1364 (CVE-2021-21918, CVE-2021-21919) are SQL injection vulnerabilities that exist in various R-SeeNet pages.

Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021

Executive summary

Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an environment. These email campaigns exhibit characteristics previously described here. International police announced a takedown campaign to disrupt Emotet in early 2021, effectively removing the botnet from the threat landscape. But as of last week, Emotet has re-emerged and has been observed establishing the infrastructure and distribution required to rebuild the botnets. While the current distribution campaigns are not at the same volumes as those previously observed when Emotet was at full strength, this is likely the beginning of a resurgence in Emotet activity that will continue to amplify as more systems become infected and are leveraged for spam distribution.


Vulnerability Spotlight: PHP deserialization vulnerability in CloudLinux Imunify360 could lead to arbitrary code execution

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc Imunify360 that could lead to arbitrary code execution. 

Imunify360 is a security platform for web-hosting servers that allows users to configure various settings for real-time website protection and web server security.

Friday, November 19, 2021

Threat Roundup for November 12 to November 19

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 12 and Nov. 19. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Beers with Talos, Ep. #111: We say goodbye to Craig and his killer robots

Beers with Talos (BWT) Podcast episode No. 111 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

We apologize for holding onto this for so long, but we wanted to formally bid farewell to Craig once we were ready to move on to the next act for Beers with Talos. So the good news is, we'll have a new host come the next episode! The bad news is, we have to say goodbye to Craig for now.

We spent a good chunk of this episode reminiscing with Craig, but also touched on new internet-sharing applications that are suddenly the next hot thing in malware. 

Talos Takes Ep. #77: How to connect to (and safely use) public WiFi

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Whenever we walk into a bar or restaurant, it's almost a given that we're going to ask the bartender or server: "What's the WiFi password?"

Thursday, November 18, 2021

Threat Source Newsletter (Nov. 18, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

This is our last newsletter before Thanksgiving in the U.S. next week, so now's as good of a time as any to remind you: If a deal seems too good to be true, it probably is. 

To prep online shoppers for the upcoming Cyber Monday and Black Friday sales, we have this handy guide with past Talos podcasts, blog posts and television appearances to keep you safe. Attackers are especially likely to try and capitalize on supply chain fears this year, and keep pushing phony deals around the XBOX Series X and PlayStation 5. 

Bookmark that page, too, because we'll update it as new content becomes available. 

Wednesday, November 17, 2021

Vulnerability Spotlight: Multiple code execution vulnerabilities in LibreCAD

Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three vulnerabilities in LibreCAD’s libdxfrw open-source library.

This library reads and writes .dxf and .dwg files, the primary file formats for vector graphics in CAD software. LibreCAD, a free computer-aided design application for 2-D models, uses libdxfrw.

TALOS-2021-1349 (CVE-2021-21898) and TALOS-2021-1350 (CVE-2021-21899) can trigger buffer overflows if an attacker tricks the user into opening a specially crafted DWG file, eventually allowing the attacker to execute code on the victim machine. TALOS-2021-1351 (CVE-2021-21900) works in a similar manner, but with a DXF file instead.

Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome could lead to code execution

Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. 

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.  

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that other software developers use to build their browsers, as well.

Talos’ tips for staying safe while shopping online this holiday season

By Jon Munshaw. 

Attackers will resort to all tactics to trick users into downloading malware, handing over credit card data or completely compromising their machines.

No topic is off-limits, and threat actors have resorted to using everything from PlayStation 5 sales, to COVID-19 cures and news on nuclear weapons as part of their lures over the past year. And these spam attacks will only ramp up over the next month as consumers across the globe shop online for the holidays. 

Adobe Insight’s recent “Holiday Shopping Forecast” predicts that spending for e-commerce will top $200 billion during the holiday season for the first time ever. The report also specifically warned that there will be supply chain shortages this year due to the pandemic, which is likely to force online shoppers into long virtual queues or push them to shop even earlier than usual.

Tuesday, November 16, 2021

Attackers use domain fronting technique to target Myanmar with Cobalt Strike

By Chetan Raghuprasad, Vanja Svajcer and Asheer Malhotra.

News Summary

  • Cisco Talos discovered a new malicious campaign using a leaked version of Cobalt Strike in September 2021.
  • This shows that Cobalt Strike, although it was originally created as a legitimate tool, continues to be something defenders need to monitor, as attackers are using it to set up attacks.
  • The threat actor in this case uses domain fronting with the Cloudflare Content Delivery Network, redirecting a Myanmar government-owned domain to an attacker-controlled server.
  • The threat actor employed the tactic of re-registering reputed domains in their attack chains to evade detections.
  • This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably T1202 - Indirect Command Execution, T1027 - Obfuscated Files or Information, T1105 - Ingress Tool Transfer, and T1071.001 - Application Layer Protocol: Web Protocols.

What's New?

Cisco Talos discovered a malicious campaign using an obfuscated Meterpreter stager to deploy Cobalt Strike beacons in September 2021. The actor used a domain owned and operated by the Myanmar government, the Myanmar Digital News network, as a domain front for their beacons.

The evolution of this threat indicates that the attackers have been active since at least August 2021, using a combination of Meterpreter stagers and Cobalt Strike beacons to establish a presence on victims' endpoints.

Monday, November 15, 2021

Vulnerability Spotlight: Vulnerabilities in Lantronix PremierWave 2050 could lead to code execution, file deletion

Matt Wiseman discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in Lantronix’s PremierWave 2050, an embedded Wi-Fi module. 

There are several vulnerabilities in PremierWave 2050’s Web Manager, a web-accessible application that allows users to configure settings for the 2050 gateway. An attacker could exploit some of these vulnerabilities to carry out a range of malicious actions, including executing arbitrary code and deleting or replacing files on the targeted device. 

Friday, November 12, 2021

Threat Roundup for November 5 to November 12

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 5 and Nov. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Talos Takes Ep. #76: What is Kimsuky phishing around for?

By Jon Munshaw.

The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.

Blog posts aren't just for sharing your darkest secrets from high school anymore. They're also used by attackers to spread malware and steal international secrets.

Thursday, November 11, 2021

Threat Source newsletter (Nov. 11, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

It's important to be proactive, and not reactive, with your security. It's always better to see the worst coming and block it than have to scramble to deal with the worst-case scenario in the moment.

That's why it's so important to have a polished Incident Response Plan that's tested and proven. A solid IR plan will ensure your team has the appropriate protections in place, and if you are the target of a cyber attack, you'll be ready to act at a moment's notice to snuff out the threat before it becomes a full-on cybersecurity incident.

Whether you want to create an IR plan from scratch or just refine yours, you'll want to watch our live stream from last week with Martin Lee from Talos research and Paul Lee from Talos Incident Response. Watch the full recording above or check out the Talos Takes audio version here.

Wednesday, November 10, 2021

North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets

By Jung soo An and Asheer Malhotra, with contributions from Kendall McKay.

  • Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.
  • Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012.
  • This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts.
  • The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers.
  • These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules.
  • This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.

What's new?

Cisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets — namely geopolitical and aerospace research agencies. This campaign has been active since at least June 2021 deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of implants.

The attackers used Blogspot in this campaign to host their malicious artifacts. Talos coordinated with Google to alert them of these blog posts. Google removed these posts and related IOCs prior to publication of this blog post. We also shared this information with appropriate national security partners as well as our industry partners, including the Cyber Threat Alliance (CTA).

Tuesday, November 9, 2021

Microsoft Patch Tuesday for Nov. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Tiago Pereira. 

Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild.  

November’s security update features six critical vulnerabilities, up from last month’s two, which was far lower than average for Microsoft. The other 50 vulnerabilities fixed today are considered “important.” 

CVE-2021-42292 is one of those vulnerabilities considered “important” and not critical, though it is the only one included in this security update that Microsoft reports has been spotted being exploited in the wild. An attacker could exploit this vulnerability in Microsoft Excel to bypass certain security settings on targeted machines. 

In a time when email attachments are the major vector of system compromise, this vulnerability can be used to increase the efficiency of these attacks by avoiding a security prompt and consequently reducing the social engineering necessary to infect the victim.

Cisco Talos finds 10 vulnerabilities in Azure Sphere’s Linux kernel, Security Monitor and Pluton

By Claudio Bozzato and Lilith [-_-];.

Following our previous engagements (see blog posts 1, 2, 3 and 4) with Microsoft's Azure Sphere IoT platform, we decided to take another look at the device, without all the rush and commotion that a hacking challenge normally entails.

Today, we’re disclosing another 10 vulnerabilities in Azure Sphere — two of which are on the Linux side, seven that exist in Security Monitor and one in the Pluton security subsystem.

Friday, November 5, 2021

Threat Roundup for October 29 to November 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 29 and Nov. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Thursday, November 4, 2021

Threat Source newsletter (Nov. 4, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

A series of vulnerabilities in Microsoft Exchange Server made waves earlier this year for coming under attack. And while they've come and gone from the headlines since then, attackers are still very much paying attention.

Attackers spreading the Babuk ransomware are targeting these vulnerabilities to infect victims. Find out how, exactly, these Babuk attacks work, and if you haven't already, patch.

To prepare for a ransomware attack like this, it's always important to have an incident response plan at the ready. Whether you are looking to create an IR plan from scratch, or just looking to polish your current one, we have a new guide to get you started.

The features all Incident Response Plans need to have

Adversaries are always growing their capabilities and changing their tactics, leading to a greater number of incidents and data breaches. This is supported by organizations such as the ITRC, which reports that the number of data breaches in 2021 is already greater than that of 2020. This is why defenders must become proactive, not reactive. Many forms of traditional protection are reactive, like host-based antivirus, firewalls and secure web gateways. An overlooked aspect of cybersecurity is the proactive planning and policy that goes into defense.

Wednesday, November 3, 2021

Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk

By Chetan Raghuprasad and Vanja Svajcer, with contributions from Caitlin Huey.

  • Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S., with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand.
  • The actor of the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor operating since July 2021. Prior to this ransomware, Tortilla has been experimenting with other payloads, such as the PowerShell-based netcat clone Powercat, which is known to provide attackers with unauthorized access to Windows machines.
  • We assess with moderate confidence that the initial infection vector is exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server through the deployment of China Chopper web shell.

What's new?

Using Cisco Secure product telemetry, Cisco Talos discovered on Oct. 12, 2021 a malicious campaign targeting vulnerable Microsoft Exchange servers and attempting to exploit the ProxyShell vulnerability to deploy the Babuk ransomware in the victim's environment. The actor is using a somewhat unusual infection chain technique in which an intermediate unpacking module is hosted on pastebin.pl, a pastebin.com clone. The intermediate unpacking stage is downloaded and decoded in memory before the final payload, embedded within the original sample, is decrypted and executed.