Cisco Blogs

Threat Research

  • Threat Round Up for Oct 6 – Oct 13

    - October 13, 2017

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 6 and October 13. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

  • Disassembler and Runtime Analysis

    - October 12, 2017

    This post was authored by Paul Rascagneres.

    Introduction

    In the CCleaner 64-bit stage 2 previously described in our blog, we explained that the attacker modified a legitimate executable that is part of “Symantec Endpoint”. This file is named EFACli64.dll. The modification is performed in the runtime code included by the compiler, more precisely in the __security_init_cookie() function. The attacker modified the last instruction of that function to jump to the malicious code. The well-known IDA Pro disassembler has trouble displaying the modification, as we will show later in this post. Finally, we will present a way to identify this kind of modification and the limitations of that approach.
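
    One way to catch a patched compiler-runtime stub without relying on the disassembler is to diff the function against a clean copy of the same build and decode its final instruction. The script below is an added example, not code from the Talos post; the stub bytes, RVAs and the jump target are constructed stand-ins, not the real EFACli64.dll contents.

```python
"""
Added example (not code from the Talos post, and not the real EFACli64.dll
bytes): detect a patched compiler runtime stub by diffing it against a
known-good copy of the same build and decoding its final instruction.
Function bodies, RVAs and the jump target are constructed for the demo.
"""
import struct

# Constructed stand-in for an x86-64 __security_init_cookie-style stub as it
# appears in a clean copy of the DLL (same build as the suspect file).
CLEAN_STUB = bytes.fromhex(
    "4883ec28"        # sub  rsp, 0x28
    "488b0d00100000"  # mov  rcx, [rip+0x1000]   (cookie load, placeholder)
    "e800000000"      # call rel32 0             (helper call, placeholder)
    "4883c428"        # add  rsp, 0x28
    "c3"              # ret
)
STUB_RVA = 0x1000          # RVA of the stub in both images (constructed)
PATCH_TARGET_RVA = 0x5000  # where the constructed "malicious" code lives

# Suspect copy: "add rsp,0x28; ret" (5 bytes) overwritten with a 5-byte
# "jmp rel32" to PATCH_TARGET_RVA, so the function length does not change.
SUSPECT_STUB = CLEAN_STUB[:16] + b"\xe9" + struct.pack(
    "<i", PATCH_TARGET_RVA - (STUB_RVA + len(CLEAN_STUB)))


def diff_ranges(ref: bytes, sus: bytes):
    """Return [(start, end)] half-open byte ranges where sus differs from ref
    (a length difference counts as a difference over the extra bytes)."""
    ranges, start = [], None
    n = max(len(ref), len(sus))
    for i in range(n):
        a = ref[i] if i < len(ref) else None
        b = sus[i] if i < len(sus) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def decode_tail(func: bytes, func_rva: int):
    """Classify the final instruction of a function body.
    Only the two forms that matter here are decoded: 1-byte ret (C3) and
    5-byte jmp rel32 (E9 disp32). Everything else is reported as 'unknown'.
    Returns (kind, absolute_target_rva_or_None)."""
    if func.endswith(b"\xc3"):
        return "ret", None
    if len(func) >= 5 and func[-5] == 0xE9:
        disp = struct.unpack_from("<i", func, len(func) - 4)[0]
        return "jmp", func_rva + len(func) + disp  # disp is from end of jmp
    return "unknown", None


def check_runtime_stub(clean: bytes, suspect: bytes, func_rva: int):
    """Compare a suspect stub with the clean one and explain any difference."""
    diffs = diff_ranges(clean, suspect)
    kind, target = decode_tail(suspect, func_rva)
    result = {"byte_diffs": diffs, "tail": kind, "tail_target": target,
              "suspicious": False, "reason": ""}
    if diffs:
        result["suspicious"] = True
        result["reason"] = "stub bytes differ from clean build at %s" % diffs
    if kind == "jmp":
        result["suspicious"] = True
        result["reason"] += ("; " if result["reason"] else "") + \
            "stub ends in jmp to RVA 0x%x instead of ret" % target
    return result


if __name__ == "__main__":
    print(check_runtime_stub(CLEAN_STUB, SUSPECT_STUB, STUB_RVA))
```

    The comparison only works against a clean copy of the same build: RIP-relative operands and call displacements differ between builds, so a raw byte diff of two different versions is noise. The tail decoder is deliberately minimal (ret and jmp rel32 only); a short jmp, an indirect jmp or a tail call would show up as "unknown" and still deserve a look.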

  • Spoofed SEC Emails Distribute Evolved DNSMessenger

    - October 11, 2017

    This post was authored by Edmund Brumaghin, Colin Grady, with contributions from Dave Maynor and @Simpo13.

    Executive Summary

    Cisco Talos previously published research into a targeted attack that leveraged an interesting infection process using DNS TXT records to create a bidirectional command and control (C2) channel. Using this channel, the attackers were able to directly interact with the Windows Command Processor using the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server.

    We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain. The spear phishing emails were spoofed to make them appear as if they were sent by the Securities and Exchange Commission (SEC) in an attempt to add a level of legitimacy and convince users to open them. The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature; the use of obfuscation, together with a complex multi-stage infection process, indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate.
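
    A C2 channel built on DNS TXT queries leaves a distinctive trace in resolver logs: one client issuing many TXT lookups for never-repeating, high-entropy leftmost labels under a single zone, each returning a large answer. The heuristic below is an added example, not code from the Talos post; the log format, hostnames and addresses are constructed for the demonstration.

```python
"""
Added example (not code from the Talos post): a heuristic to surface
DNS-TXT command-and-control beaconing of the kind described for
DNSMessenger, run over a constructed query log. Field layout, hostnames
and addresses below are all made up for the demonstration.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line:
#   <epoch> <client-ip> <qname> <qtype> <answer-bytes>
SAMPLE_LOG = """\
1507716001 10.0.0.12 www.example.com A 4
1507716002 10.0.0.12 a3f9c1e2b7d04c.cmd.example-bad.net TXT 248
1507716009 10.0.0.12 0b77e5d19a2fc3.cmd.example-bad.net TXT 251
1507716015 10.0.0.12 9e4d2a6f81c0b5.cmd.example-bad.net TXT 255
1507716021 10.0.0.12 5c1af83e7d92b0.cmd.example-bad.net TXT 247
1507716028 10.0.0.12 e72b904c3d8a1f.cmd.example-bad.net TXT 252
1507716034 10.0.0.12 41d8ce7f2b96a0.cmd.example-bad.net TXT 250
1507716040 10.0.0.20 _dmarc.example.com TXT 60
1507716041 10.0.0.20 example.com TXT 80
1507716050 10.0.0.20 mail.example.com MX 20
"""


def parse_log(text):
    """Yield one dict per non-empty line of the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, alen = line.split()
        yield {"ts": int(ts), "client": client,
               "qname": qname.lower().rstrip("."),
               "qtype": qtype, "answer_len": int(alen)}


def zone_of(qname):
    """Crude registered-domain guess: the last two labels. A real deployment
    should consult the Public Suffix List (example.co.uk and friends)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits per character; encoded data scores high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_txt_c2(log_text, min_txt=5, min_unique_ratio=0.8,
                  min_label_entropy=3.0):
    """Group TXT queries by (client, zone) and flag groups that look like a
    query-per-command channel: many TXT lookups, almost every leftmost label
    unique, and labels with high entropy (encoded data rather than names)."""
    groups = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["qtype"] == "TXT":
            groups[(rec["client"], zone_of(rec["qname"]))].append(rec)
    findings = []
    for (client, zone), recs in groups.items():
        if len(recs) < min_txt:
            continue
        leftmost = [r["qname"].split(".")[0] for r in recs]
        unique_ratio = len(set(leftmost)) / len(leftmost)
        avg_entropy = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        avg_answer = sum(r["answer_len"] for r in recs) / len(recs)
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_label_entropy:
            findings.append({
                "client": client, "zone": zone, "txt_queries": len(recs),
                "unique_label_ratio": round(unique_ratio, 2),
                "avg_label_entropy": round(avg_entropy, 2),
                "avg_answer_bytes": round(avg_answer, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_txt_c2(SAMPLE_LOG):
        print(finding)
```

    The thresholds are starting points, not truth: mail servers doing SPF and DMARC lookups and some anti-spam products are legitimately TXT-heavy, so baseline each host before alerting, and expect an actor to lower the query rate or reuse labels once a simple count triggers.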

  • Microsoft Patch Tuesday – October 2017

    - October 10, 2017

    Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 63 new vulnerabilities, with 28 of them rated critical and 35 rated important. These vulnerabilities impact Graphics, Edge, Internet Explorer, Office, SharePoint, the Windows Graphics Device Interface (GDI), Windows kernel-mode drivers, and more.

  • Vulnerability Spotlight: Arbitrary Code Execution Bugs in Simple DirectMedia Layer Fixed

    - October 10, 2017

    Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP.

    An attacker could compromise a user by exploiting one of these vulnerabilities via a specially crafted file that SDL would handle, such as an XCF file.

    Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.

  • Vulnerability Spotlight: Multiple vulnerabilities in Computerinsel Photoline

    - October 4, 2017

    These vulnerabilities were discovered by Piotr Bania of Cisco Talos.

    Today, Talos is releasing details of multiple vulnerabilities discovered within the Computerinsel GmbH PhotoLine image processing software. PhotoLine, developed by Computerinsel GmbH, is a well established raster and vector graphics editor for Windows and Mac OS X that can also be used for desktop publishing.

    TALOS-2017-0387 (CVE-2017-2880), TALOS-2017-0427 (CVE-2017-2920), TALOS-2017-0458 (CVE-2017-12106) and TALOS-2017-0459 (CVE-2017-12107) may allow an attacker to execute arbitrary code remotely on the vulnerable system when a specially crafted image file is opened by the PhotoLine image processing software.

  • Threat Round Up for Sept 22 – Sept 29

    - September 29, 2017

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 22 and September 29. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

  • Banking Trojan Attempts To Steal Brazillion$

    - September 28, 2017

    This post was authored by Warren Mercer, Paul Rascagneres and Vanja Svajcer.

    Introduction

    Banking trojans are among the biggest threats to everyday users, as they directly impact the user in terms of financial loss. Talos recently observed a new campaign specific to South America, namely Brazil. This campaign was focused on various South American banks in an attempt to steal credentials from the user to allow for illicit financial gain for the malicious actors. The campaign Talos analysed focused on Brazilian users and also attempted to remain stealthy by using multiple methods of redirection in an attempt to infect the victim machine. It also used multiple anti-analysis techniques, and the final payload was written in Delphi, which is unusual in the banking trojan landscape.

  • FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks

    - September 27, 2017

    This post was authored by Michael Gorelik and Josh Reynolds.

    Executive Summary

    Throughout this blog post we will be detailing a newly discovered RTF document family that is being leveraged by the FIN7 group (also known as the Carbanak gang), a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in phishing campaigns to execute a series of scripts containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients, which are sent to remote nodes accessible to the attackers. These advanced mechanisms and the information stealing malware will be discussed in detail. We will also review a number of static and dynamic detection mechanisms used in the AMP for Endpoints and Threat Grid product lines to detect these document families.

  • CCleaner Command and Control Causes Concern

    - September 20, 2017

    This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams.

    Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

    Introduction

    Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine, based on the web server configuration files and the fact that our own research activity was reflected in the contents of the MySQL database included in the archived files.

    In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.

    Interestingly, the array contains Cisco’s domain (cisco.com) along with those of other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

    These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.