Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 05 and May 12. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
Talos is constantly monitoring the email threat landscape and tracking both new threats as well as changes to existing threats. We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed “Jaff”. Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware. While Cisco customers were already automatically protected against this threat, we decided to take a deeper look at this threat and its possible implications across the threat landscape. We have outlined the infection process and additional relevant information regarding this threat in detail below.
Talos is disclosing the presence of a vulnerability in Hangul Word Processor. Published by Hancom inc. the Hangul Office Suite, of which Hangul Word Processor is part, is the leading word processing and office productivity suite in South Korea. This vulnerability allows attackers to craft a malicious document that when opened, allows the attacker to cause arbitrary code to be executed on the victim’s system.
Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month’s release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, Sharepoint, and Windows.
In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.
Discovered by Aleksandar Nikolic of Cisco Talos
Talos is disclosing TALOS-2017-0293 / CVE 2017-2800, a code execution vulnerability in WolfSSL. WolfSSL is a lightweight SSL/TLS library targeted specifically for embedded and RTOS (Real-Time Operating System) environments, due largely to its small size and performance. WolfSSL is used in a wide range of products including ICS and IoT devices.
This particular vulnerability is related to the use of x.509 certificates and the code that deals with string fields in DER certificates. Specifically the code responsible for parsing ‘commonName’, ‘countryName’, ‘localityName’, ‘stateName’, ‘orgName’, and ‘orgUnit’. A specially crafted x.509 certificate can cause a single out-of-bounds overwrite that could result in certificate validation issues, denial of service, or remote code execution. To trigger this vulnerability, the adversary needs to supply a malicious x.509 certificate to either the server or client application that is making use of this library. The full details surrounding the vulnerability are available here.
These vulnerabilities were discovered by Piotr Bania of Cisco Talos.
Today, Talos is releasing details of a new vulnerability discovered within the Power Software PowerISO disk imaging software. TALOS-2017-0318 and TALOS-2017-0324 may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted ISO image is opened and parsed by the PowerISO software.
The vulnerabilities are present in the Power Software PowerISO disk imaging utility, used by Windows users to create, edit, mount and convert various popular disk image file formats. The software is commonly used by home users to mount ISO disk images since this capability is not included by default in Windows versions prior to version 8.
ISO (9660) disk image format is a file system within a single file. Essentially, it is a binary copy of the file system used by the standard software CD-ROM installation disks. Today, most of the installation disks for popular software and operating systems are distributed using the ISO file format.