This post was authored by Edmund Brumaghin and Yves Younan
Ransomware has become increasingly prevalent in the industry, and in many cases, unless there is a publicly released decryptor available, there is often not an easy means of retrieving encrypted files once a system has been infected. In addition to the creation and maintenance of regular system backups, it is increasingly important to focus on a multi-tiered defense-in-depth network architecture in an effort to prevent initial endpoint infection. This is often difficult in an evolving threat landscape where new ransomware families are being developed and deployed seemingly every day by threat actors of varying levels of sophistication.
While many ransomware families focus on encrypting all or part of a target system’s files, others, such as Petya, instead overwrite the contents of the Master Boot Record (MBR) to force a system reboot and then encrypt only the Master File Table (MFT) of the hard drive on infected systems. Because the MFT is what the filesystem uses to locate every file on the disk, this is enough to coerce users into paying the threat actors for the encryption keys required to recover their files.
To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.
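MBRFilter enforces read-only access at the driver level. A complementary, purely defensive check is to keep a trusted copy of the first sector and compare what is on disk against it, so that an MBR overwrite of the kind described above shows up as a boot-code hash mismatch or a missing boot signature. The following is an added example written for this post, not MBRFilter's code or any Talos tool; the sample MBR bytes are constructed, and how you obtain the 512 bytes of the real sector (for instance reading a raw physical-drive handle with administrative rights) is left outside the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
# One classic 16-byte partition entry: status, CHS first, type, CHS last, LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"
PART_TABLE_OFFSET = 446


def parse_mbr(sector):
    """Split a 512-byte MBR into a boot-code hash and its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Return human-readable differences between a trusted baseline MBR and a fresh read of it.

    An empty list means the current sector matches the baseline.
    """
    base = parse_mbr(baseline)
    try:
        cur = parse_mbr(current)
    except ValueError as exc:
        # A wiped or truncated sector is itself a finding, not a parser error to hide.
        return [f"current MBR is not parseable: {exc}"]
    findings = []
    if base["bootcode_sha256"] != cur["bootcode_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(bootcode_fill, partitions):
    """Construct a synthetic MBR for demonstration (constructed data, not read from any disk)."""
    bootcode = bytes([bootcode_fill]) * PART_TABLE_OFFSET
    table = b""
    for status, ptype, lba_start, count in partitions:
        table += struct.pack(PART_ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, count)
    table += b"\x00" * (64 - len(table))
    return bootcode + table + MBR_SIGNATURE


# Baseline: one bootable NTFS-type (0x07) partition starting at LBA 2048.
BASELINE_MBR = build_sample_mbr(0x90, [(0x80, 0x07, 2048, 204800)])
# Same partition table, but the boot code has been replaced.
TAMPERED_MBR = build_sample_mbr(0xCC, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("baseline vs itself:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs tampered:", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

The comparison deliberately hashes the boot code and checks the partition table separately, because a legitimate partition change (resizing a volume) should not be confused with replaced boot code, which is the change a defender most wants to alert on.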
Vulnerability Discovered by Tyler Bohan and Cory Duplantis of Cisco Talos
Talos has identified an exploitable out-of-bounds write vulnerability in the ELF Section Header parsing functionality of Hopper (TALOS-2016-0222/CVE-2016-8390). Hopper is a reverse engineering tool for macOS and Linux that allows the user to disassemble and decompile 32/64-bit Intel-based Mac, Linux, Windows and iOS executables. During the parsing of ELF section headers, a user-controlled size is not validated; a malicious threat actor could craft an ELF file with specific section headers to trigger this vulnerability, potentially leading to remote code execution. A malicious threat actor could use a zip file containing the crafted executable to target threat researchers, sent via phishing or file sharing sites. This type of exploit can also be used as an anti-analysis measure in an attempt to defeat sandboxes and automated disassembly.
Hopper has been updated; the changelog can be read at this URL: https://www.hopperapp.com/rss/html_changelog_v3.php
Vulnerability discovered by Aleksandar Nikolic of Talos.
Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy` while parsing jbig2 segments within a PDF file can be triggered in Foxit PDF Reader, causing out-of-bounds heap memory to be read into a buffer. The `memcpy` call is properly sized, but the source is smaller than the size argument, so adjacent memory is copied into the buffer, where heap metadata, addresses and pointers can be captured and later reused, disclosing the memory layout. Combined with another vulnerability, this information disclosure can be used to leak the heap memory layout and bypass ASLR. Phishing campaigns commonly use PDF files, as malicious attachments or linked downloads, to deliver malware.
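The Hopper ELF section-header bug and the Foxit jbig2 `memcpy` bug above share one root cause: a length taken from the file is trusted before it is checked against the bytes actually present. The following is an added example, not Hopper's, Foxit's or Talos's code, showing that check in a small ELF64 section-header parser: every offset and size read from the header table is bounded against the file length before anything is copied. The sample ELF bytes are constructed inline; the parser handles only little-endian ELF64 with the standard 64-byte header sizes.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# ELF64 file header and section header layouts (little-endian)
EHDR_FMT = "<16sHHIQQQIHHHHHH"
SHDR_FMT = "<IIQQQQIIQQ"
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64
SHDR_SIZE = struct.calcsize(SHDR_FMT)  # 64
SHT_NOBITS = 8  # e.g. .bss: occupies no file bytes, so sh_size is not a file length


def parse_sections(data):
    """Return the section table of an ELF64 image, rejecting any header whose sizes exceed the file."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    (_ident, _type, _machine, _version, _entry, _phoff, e_shoff, _flags,
     _ehsize, _phentsize, _phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    if e_shnum == 0:
        return []
    if e_shentsize != SHDR_SIZE:
        raise ValueError(f"unexpected section header entry size {e_shentsize}")
    # Bound the whole table first: e_shoff and e_shnum are attacker-controlled.
    table_end = e_shoff + e_shnum * e_shentsize
    if e_shoff < EHDR_SIZE or table_end > len(data):
        raise ValueError(f"section header table 0x{e_shoff:x}-0x{table_end:x} exceeds file size 0x{len(data):x}")
    sections = []
    for i in range(e_shnum):
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size, *_rest = struct.unpack_from(
            SHDR_FMT, data, e_shoff + i * e_shentsize)
        # Then bound each section's own [offset, offset+size) range before it is ever read.
        if sh_type != SHT_NOBITS and sh_offset + sh_size > len(data):
            raise ValueError(f"section {i}: range 0x{sh_offset:x}+0x{sh_size:x} exceeds file size 0x{len(data):x}")
        sections.append({"index": i, "type": sh_type, "offset": sh_offset, "size": sh_size})
    return sections


def is_well_formed(data):
    """Convenience wrapper: True if the section table passes every bounds check."""
    try:
        parse_sections(data)
        return True
    except ValueError:
        return False


def build_sample_elf(body_size, declared_size=None):
    """Construct a minimal ELF64 image (constructed sample, not a real binary).

    The single PROGBITS section really holds body_size bytes; declared_size, if given,
    is what its header claims, which lets us model an oversized sh_size.
    """
    body = b"\x90" * body_size
    shoff = EHDR_SIZE + len(body)
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       EHDR_SIZE, 0, 0, SHDR_SIZE, 2, 0)
    null_sh = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    size = body_size if declared_size is None else declared_size
    text_sh = struct.pack(SHDR_FMT, 1, 1, 6, 0, EHDR_SIZE, size, 0, 0, 16, 0)
    return ehdr + body + null_sh + text_sh


GOOD_ELF = build_sample_elf(16)
# Same bytes on disk, but the section header claims 64 KiB of content.
OVERSIZED_ELF = build_sample_elf(16, declared_size=0x10000)

if __name__ == "__main__":
    print("good:", parse_sections(GOOD_ELF))
    print("oversized accepted?", is_well_formed(OVERSIZED_ELF))
```

The same shape of check applies to the jbig2 case: the segment's declared data length must be compared with the bytes remaining in the segment before it is passed to `memcpy`, so the size argument can never exceed the source.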
Locky has continued to evolve since its inception in February 2016. This has made it difficult to track at times due to changes in the way in which it’s distributed as well as various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve operational security (OpSec) in regards to the tracking of affiliates making use of the ransomware. This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming ‘LockyDump’. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky, i.e. the .locky, .zepto and .odin based ransomware.
Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. The latest variant of Locky made this extraction process increasingly difficult. Once this config extraction changed, Talos looked to reverse further Locky samples in an attempt to gain the all-important AffilID information. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis, such as their primary distribution method of choice, i.e. through the use of Exploit Kits (EKs) or spam/phishing email.
Patch Tuesday has once again arrived! Microsoft’s monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today’s release sees a total of 10 bulletins with five of the bulletins rated critical, addressing vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.
Bulletins Rated Critical
The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127
MS16-118 and MS16-119 are this month’s bulletins for Internet Explorer and Edge respectively. The Internet Explorer bulletin fixes 11 vulnerabilities while the Edge bulletin fixes 13 vulnerabilities. Seven vulnerabilities were found to affect both Edge and IE. The majority of the vulnerabilities fixed are memory corruption flaws that could lead to arbitrary code execution. Several privilege escalation and information disclosure flaws were also fixed in this month’s release.
Effectively protecting your assets increasingly involves effective threat intelligence to better understand the types of attackers targeting your sector, and what your vulnerabilities are. Lack of any threat intelligence at all, or even the foresight to use Google and Twitter to spot fake scams trending in top results can result in a company being one of the unfortunate victims paying out to one of the copycat DDoS threats making the rounds early in 2016, or to the even more recent Ranscam encrypting malware found to not release a victim’s files after a ransom is paid.
Recent studies have shown a significant uptrend in the percentage of phishing campaigns being used to deliver ransomware. The combination of being used as an entry point for credential-stealing malware, Internet links designed to steal credentials, DDoS threat messages, and ever-increasing amounts of ransomware clearly makes email one of the largest attack surfaces of an enterprise.
Protecting our assets from these threats begins with our Email Security Appliance (ESA), designed to filter based on email volume and other heuristics associated with spam and phishing campaigns. ESA is known to be effective in blocking over 99% of spam and phish emails. That leaves enterprise defenders with less than 1% of threats to deal with, but that remaining fraction is getting increasingly effective with more well-crafted spear phishing messages. These spear phishing campaigns target users with accurate branding logos, victim names, and messages that appear to be legitimate.
Instead of being content that your spam/phish appliances are blocking 99%+ of phishing threats, and continuing to blindly deal with what may slip past controls, you could be using the data from your spam/phish quarantine to help bolster your defenses. The data in the phishing messages for recipients, subjects, and message bodies could be used to learn more about what type of threats are targeting your company, how to more effectively tune controls, and maybe most importantly, to serve as an early warning system for potential breaches of third parties your company is doing business with.
Targeted spear phishing campaigns stay under the radar of the spam controls, often by using smaller lists of valid email addresses purchased for a target organization in a campaign. These lists can be from a variety of sources including data from previous data breaches. Protecting your organization from the remaining 1% of targeted phishing campaigns not caught by blocking appliances requires a defense-in-depth strategy such as the one outlined in this Cisco whitepaper.
A defense-in-depth strategy for your entire organization can be enriched by better understanding the threats facing you. By knowing more about the attackers’ tactics, you can better inform and prepare users, and by knowing more about who is being targeted in your firm, you can wrap further protections around them. Using spam data sets to generate metrics on the subject line and message body allowed the Cisco Midyear Security Report to show how successful emails with “invoice” themes were so far this year.
If your organization conducts phishing awareness to help employees become more secure, how much value could be added by producing metrics like these to tailor the training to stay ahead of current threats? October is National Cyber Security Awareness Month. If your organization does not have any phishing awareness training in place, you can get started in the right direction using the free online phishing awareness test by Cisco’s OpenDNS to learn about commonly identifiable tactics used by scammers.
What could your organization learn by extracting the recipient data for each phishing campaign noted by subject and message body, or payload similarity? How about if those recipients were bucketed by work group, types of access, or at an even deeper level, by what third parties they have been working with for activities such as closing sales, merger talks, and services?
If the same buckets of employees are ending up in targeted phishing campaigns fairly frequently, it might be time to wrap more monitoring around those situations, to examine the possibility that a third party they are working with is part of a breach where those employee email addresses could have been learned, or simply to treat it as a warning that the deals they are working on are the subject of scrutiny by someone willing and able to employ phishing/malware to gain an edge.
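The analysis sketched over the last few paragraphs (group quarantined messages into campaigns by subject similarity, map each recipient to a work group, then flag the groups that keep reappearing) can be done with nothing more than a quarantine export and a directory lookup. The following is an added example, not part of the original post and not Cisco ESA code; the quarantine records and the work-group directory are constructed, and the campaign key is a deliberately simple normalized subject (reply prefixes stripped, digit runs collapsed) so that "Invoice #4471 overdue" and "RE: Invoice #4490 overdue" land in the same bucket.

```python
import re
from collections import defaultdict

# Constructed quarantine export (subject + recipient only); not real messages.
QUARANTINE = [
    {"subject": "Invoice #4471 overdue", "recipient": "alice@example.com"},
    {"subject": "Invoice #4472 overdue", "recipient": "bob@example.com"},
    {"subject": "RE: Invoice #4490 overdue", "recipient": "alice@example.com"},
    {"subject": "Wire transfer confirmation", "recipient": "alice@example.com"},
    {"subject": "Wire transfer confirmation", "recipient": "carol@example.com"},
    {"subject": "Your package could not be delivered", "recipient": "dave@example.com"},
]

# Constructed directory mapping recipients to work groups (in practice: HR or IdM export).
DIRECTORY = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "sales",
    "dave@example.com": "engineering",
}

_REPLY_PREFIX = re.compile(r"^(re|fw|fwd)\s*:\s*", re.IGNORECASE)


def normalize_subject(subject):
    """Collapse a subject line into a campaign key: lowercase, no reply prefixes, digits folded to '#'."""
    s = subject.strip().lower()
    while True:
        stripped = _REPLY_PREFIX.sub("", s, count=1)
        if stripped == s:
            break
        s = stripped
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).strip()


def group_campaigns(records):
    """Map campaign key -> set of recipients seen in that campaign."""
    campaigns = defaultdict(set)
    for rec in records:
        campaigns[normalize_subject(rec["subject"])].add(rec["recipient"].lower())
    return dict(campaigns)


def exposure_by_group(campaigns, directory):
    """Map work group -> set of distinct campaign keys that reached at least one member."""
    exposure = defaultdict(set)
    for key, recipients in campaigns.items():
        for rcpt in recipients:
            group = directory.get(rcpt, "unknown")
            exposure[group].add(key)
    return dict(exposure)


def repeatedly_targeted(exposure, min_campaigns=2):
    """Groups hit by at least min_campaigns distinct campaigns, most-targeted first."""
    hits = [(g, len(keys)) for g, keys in exposure.items() if len(keys) >= min_campaigns]
    return [g for g, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


def analyze(records, directory, min_campaigns=2):
    """Run the full pipeline and return the flagged work groups."""
    return repeatedly_targeted(exposure_by_group(group_campaigns(records), directory), min_campaigns)


if __name__ == "__main__":
    for key, rcpts in group_campaigns(QUARANTINE).items():
        print(f"{key!r}: {sorted(rcpts)}")
    print("repeatedly targeted groups:", analyze(QUARANTINE, DIRECTORY))
```

The subject-only key is the weakest part of a real deployment; the post's suggestion of adding message-body or payload similarity to the key is the natural next step, and the rest of the pipeline does not change when the key function does.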