Cisco Blogs

Threat Research

  • Talos Threat Round Up for April 20-27

    - April 27, 2018 - 1 Comment

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 06 and April 13. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read more here

  • GravityRAT – The Two-Year Evolution Of An APT Targeting India

    - April 26, 2018 - 0 Comments

    This blog post is authored by Warren Mercer and Paul Rascagneres.

    Summary

    Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years while it continues to be developed. Several weeks ago, we identified the use of the latest version of this RAT (Remote Access Tool). In this article, we will discuss the technical capabilities, the evolution, development and potential attribution of what we are calling GravityRAT.

    GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.

    Throughout our investigation, we observed several malicious documents used to attack victims, which we will discuss. These malicious documents were used by the developer to run several tests on the popular analysis platform VirusTotal. Using VirusTotal allowed the developer to make changes in an attempt to decrease antivirus detection.

    Although GravityRAT has not been previously published or discussed, there was some information from the National Computer Emergency Response Team (CERT) of India describing GravityRAT as being used in targeted attacks against India. Finally, we will discuss specific attribution elements discovered during our research into GravityRAT as we identify specific information, which we believe to be leaked by the developer, such as location, and potentially their first name.

    Read More >>

     

  • Vulnerability Spotlight: Hyland Perceptive Document Filters Multiple Vulnerabilites

    - April 26, 2018 - 0 Comments

    Vulnerabilities discovered by Marcin ‘Icewall’ Noga from Talos

    Overview

    Talos has discovered multiple vulnerabilities in Hyland Perceptive Document Filters software. This software is a toolkit that allows developers to read and extract metadata from a file. It supports a large set of common file formats. In addition to this the software is also capable of converting file formats.

    We identified 4 vulnerabilities that allows an attacker to execute arbitrary code on the vulnerable systems. These vulnerabilities concerns the file conversion features.

    The vulnerabilities can be exploited to locally execute code as well as remotely if the framework is used in batch mode by the owners. In this context, the malicious crafted document could be automatically handled by the toolkit and a successful exploitation could result full control of the vulnerable system. The vulnerable features can be used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. It can convert common formats such as Microsoft’s document formats into other format (for example easier to be parsed).

    Read More >>

     

  • Cryptomining Campaign Returns Coal and Not Diamond

    - April 23, 2018 - 0 Comments

    Soon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that was tied to Bitvote.

    Apart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this campaign is notable for its usage of a kernel-mode driver to manage command and control (C2) infrastructure, configuration management, download and execute functionality, as well as payload protection. It is quite uncommon to implement this functionality in kernel, apart from the payload protection, and points to a moderate to high level of technical knowledge behind the attack.

    The payloads and the configuration were embedded in specially modified animated GIF files and published as parts of web pages hosted on free blogging platforms.

    The campaign was active in February and March, and so far, it has brought limited returns for attackers.

    Read More>>

  • Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader

    - April 19, 2018 - 0 Comments

    Overview

    Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

    Details

    Read More >>

  • Updates for BASS

    - April 19, 2018 - 0 Comments

    This blog post was authored by Jonas Zaddach and Mariano Graziano.

    Cisco Talos has rolled out a series of improvements to the BASS open-source framework aimed at speeding up its ability to provide coverage for new malware families. Talos released BASS, (pronounced “bæs”) an open-source framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters, last June. It is meant to reduce the amount of resources required to run ClamAV by producing more pattern-based signatures, as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable, thanks to Docker, an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud.

    Read More

  • Vulnerability Spotlight: Foscam IP Video Camera Firmware Recovery Unsigned Image Vulnerability

    - April 17, 2018 - 0 Comments

    This vulnerability was discovered by Claudio Bozzato of Cisco Talos.

    Executive Summary

    The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for a variety of uses, including as a home security monitoring device. Talos recently identified 32 vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details of in two blog posts here and here. In continuing our security assessment of these devices, Talos has discovered an additional vulnerability. In accordance with our coordinated disclosure policy, Talos has worked with Foscam to ensure that this issue has been resolved and that a firmware update is made available for affected customers. This vulnerability could be leveraged by an attacker to gain the ability to completely take control of affected devices.

    Read More>>

  • Talos Threat Round Up for April 06-13

    - April 13, 2018 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 06 and April 13. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read more here

  • Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

    - April 13, 2018 - 0 Comments

    These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

    Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

    Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

    Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

    Read_more>>

  • Malware monitor – leveraging PyREBox for malware analysis

    - April 13, 2018 - 0 Comments

    This post was authored by Xabier Ugarte Pedrero

    In July 2017 we released PyREBox, a Python Scriptable Reverse Engineering Sandbox as an open source tool. This project is part of our continuous effort to create new tools to improve our workflows. PyREBox is a versatile instrumentation framework based on QEMU.

    It allows us to run a whole operating system in a virtual environment (emulator), and to inspect and modify its memory and registers at run-time. A small set of QEMU modifications allows users to instrument certain events such as instruction execution or memory read/writes.

    On top of this, PyREBox leverages Virtual Machine Introspection techniques to bridge the semantic gap, that is, understanding OS abstractions such as processes, threads, or libraries. You can find the more detailed description of the framework as well as its capabilities in the original blogpost.

    In the past few months we have received positive feedback from the community, fixed bugs and added features suggested by the users. We also added support for GNU/Linux guests, and implemented an agent (program run inside the emulated guest) that allows file transfer between a host and a guest, as well as execution of samples in the guest on demand.

    As part of this ongoing effort, today we are releasing a set of PyREBox scripts that are designed to aid malware analysis: Malware monitor. These scripts automate different tasks, such as code coverage analysis, API tracing, memory monitoring, and process memory dumping.

    Read_more>>