Cisco Blogs

Threat Research

  • Threat Spotlight: Follow the Bad Rabbit

    - October 24, 2017 - 4 Comments

    Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

    On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.

    There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

    Read More >>

  • “Cyber Conflict” Decoy Document Used In Real Cyber Conflict

    - October 22, 2017 - 0 Comments

    This post was authored by Warren MercerPaul Rascagneres and Vitor Ventura

    INTRODUCTION

    Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a flyer concerning the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 at Washington, D.C. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security. Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications (VBA) macro.

    The VBA drops and executes a new variant of Seduploader. This reconnaissance malware has been used by Group 74 for years and it is composed of 2 files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys… We assume that these modifications were performed to avoid detection based on public IOCs.

    The article describes the malicious document and the Seduploader reconnaissance malware, especially the difference with the previous versions.

    Read_More>>

  • Vulnerability Spotlight: Google PDFium Tiff Code Execution

    - October 19, 2017 - 0 Comments

    Overview

    Talos is disclosing a single off-by-one read/write vulnerability found in the TIFF image decoder functionality of PDFium as used in Google Chrome up to and including version 60.0.3112.101. Google Chrome is the most widely used web browser today and a specially crafted PDF could trigger the vulnerability resulting in memory corruption, possible information leak, and potential code execution. This issue has been fixed in Google Chrome version 62.0.3202.62.

    Read_More>>

  • Threat Round Up for Oct 6 – Oct 13

    - October 13, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 6 and October 13. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read more »

  • Disassembler and Runtime Analysis

    - October 12, 2017 - 0 Comments

    This post was authored by Paul Rascagneres.

    Introduction

    In the CCleaner 64bit stage 2 previously described in our blog, we explained that the attacker modified a legitimate executable that is part of “Symantec Endpoint”. This file is named EFACli64.dll. The modification is performed in the runtime code included by the compiler, more precisely in the __security_init_cookie() function. The attacker modified the last instruction to jump to the malicious code. The well-known IDA Pro disassembler has trouble displaying the modification as we will show later in this post. Finally, we will present a way to identify this kind of modification and the limitation in this approach.

    Read More >>

  • Spoofed SEC Emails Distribute Evolved DNSMessenger

    - October 11, 2017 - 0 Comments

    This post was authored by Edmund Brumaghin, Colin Grady, with contributions from Dave Maynor and @Simpo13.

    Executive Summary

    Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server.

    We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain. The spear phishing emails were spoofed to make them appear as if they were sent by the Securities and Exchange Commission (SEC) in an attempt to add a level of legitimacy and convince users to open them. The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate.

    Read More >>

  • Microsoft Patch Tuesday – October 2017

    - October 10, 2017 - 0 Comments

    Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 63 new vulnerabilities with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.

    Read more »

  • Vulnerability Spotlight: Arbitrary Code Execution Bugs in Simple DirectMedia Layer Fixed

    - October 10, 2017 - 0 Comments

    Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP.

    An attacker could compromise a user by exploiting one of these vulnerabilities via a specifically crafted file that SDL would handle, such as a XCF file.

    Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.

    Read more »

  • Vulnerability Spotlight: Multiple vulnerabilities in Computerinsel Photoline

    - October 4, 2017 - 0 Comments

    These vulnerabilities are discovered by Piotr Bania of Cisco Talos.

    Today, Talos is releasing details of multiple vulnerabilities discovered within the Computerinsel GmbH PhotoLine image processing software. PhotoLine, developed by Computerinsel GmbH, is a well established raster and vector graphics editor for Windows and Mac OS X that can also be used for desktop publishing.

    TALOS-2017-0387 (CVE-2017-2880). TALOS-2017-0427 (CVE-2017-2920), TALOS-2017-0458 (CVE-2017-12106) and TALOS-2017-0459 (CVE-2017-12107) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted image file is opened by the PhotoLine image processing software.

    Read More >>

  • Threat Round Up for Sept 22 – Sept 29

    - September 29, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 22 and September 29. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read more »