Cisco Blogs


Cisco Blog > Threat Research

Bedep Lurking in Angler’s Shadows

This post is authored by Nick Biasini.

In October 2015, Talos released our detailed investigation of the Angler Exploit Kit which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler’s payloads were some variation of ransomware and noted one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.

Adversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threats together to try and identify the connections and groups that operate. This is one of those instances were a couple of crumbs came together and formed some unexpected connections. By tying together a couple of registrant accounts, email addresses, and domain activity Talos was able to track down a group that has connections to threats on multiple fronts including: exploit kits, trojans, email worms, and click fraud. These activities all have monetary value, but are difficult to quantify unlike a ransomware payload with a specific cost to decrypt.

 

Read More >>

Tags: , , , , , ,

The Internet of Things Is Not Always So Comforting

Over the past few years, the Internet of Things (IoT) has emerged as reality with the advent of smart refrigerators, smart HVAC systems, smart TVs, and more. Embedding internet-enabled devices into everything presents new opportunities in connecting these systems to each other, making them “smarter,” and making our lives more convenient than ever before.

Despite the new possibilities, there are major concerns about the IoT which inspire a legitimate question: “What happens if it’s not ‘done right’ and there are major vulnerabilities with the product?

The unfortunate truth is that securing internet-enabled devices is not always a high priority among vendors and manufacturers. Some manufactures do not have the necessary infrastructure to inform the public about security updates or to deliver them to devices. Other manufacturers are unaccustomed to supporting products past a certain time, even if a product’s lifespan may well exceed the support lifecycle. In other cases, the lack of a secure development lifecycle or a secure public portal to report security defects makes it near impossible for researchers to work with a vendor or manufacturer. These problems expose users and organizations to greater security risks and ultimately highlight a major problem with the Internet of Things.

What does this mean for the average user? For starters, a smart device on their home or office network could contain unpatched vulnerabilities. Adversaries attacking the weakest link could exploit a vulnerable IoT device, then move laterally within an organization’s network to conduct further attacks. Additionally, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario.

 

Read More >>

Tags: , , , , , ,

Microsoft Patch Tuesday – December 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated “Critical” this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated “Important” and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.

Bulletins Rated Critical

MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.

MS15-124 and MS15-125 are this month’s Edge and Internet Explorer security bulletin respectively. In total, 34 vulnerabilities were addressed this month between the two browsers with 11 vulnerabilities affecting both Edge and IE. The vast majority of the vulnerabilities addressed this month are memory corruption vulnerabilities along with a couple ASLR and XSS filter bypasses. One special note with this bulletin is that CVE-2015-6135 and CVE-2015-6136 are VBScript engine flaws that affect all supported versions of Internet Explorer. However, this bulletin only addresses these vulnerabilities for IE 8 through 11. Users and organizations who use IE 7, or that do not have IE installed will need to install MS15-126 to address these two vulnerabilities.

Read More >>

Tags: , , ,

Vulnerability Spotlight: MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos. Post authored by Earl Carter and William Largent

Talos is disclosing the discovery of an exploitable buffer overflow vulnerability in the the MiniUPnP library TALOS-2015-0035 (CVE-2015-6031). The buffer overflow is present in client-side XML parser functionality in miniupnpc. A specially crafted XML response can lead to a buffer overflow, on the stack, resulting in remote code execution.

This miniupnpc buffer overflow is present in client-side part of the library. The vulnerable code is triggered by an oversized XML element name when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network.

MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

When parsing the UPNP replies, the XML parser is initialized and `parsexml()` function is called:

1miniupnp

Read More »

Tags: , , , ,

Vulnerability Spotlight: Microsoft Windows CDD Font Parsing Kernel Memory Corruption

Discovered by Andrea Allievi and Piotr Bania of Cisco Talos.

 

Talos, in conjunction with Microsoft’s security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver. This vulnerability was initially discovered by the Talos and reported in accordance with responsible disclosure policies to Microsoft. Please see Talos’s Microsoft Tuesday Blog for coverage information for this vulnerability. Read the full Talos Vulnerability Report via the talosintel.com portal here: TALOS-2015-0007

Details

A specially crafted font file can cause the Microsoft Windows CDD Font Parsing Kernel driver to corrupt internal memory structures. The DrvTextOut routine acquires and locks the associated device and behaves differently based on the surface type. If the type is a bitmap and the Windows DWM is on, the driver will read and write directly to the video frame buffer and calls EngTextOut, then exits. However, the driver behaves in an unexpected manner where a new background rect is generated mixing the “OpaqueRect” rectangle located in the sixth parameter and the rectangle located in the “pStringTextObj” object.

 

If the ClipObject describes a NON-Trivial clip, even the “rclBounds” of the clip object is merged to the background rectangle. The Font Object is parsed, and finally the routine decides if it should clip the background rect or not.

 

The final decision is based on the following check:

VulBlog1

Read More »

Tags: , , ,