Cisco Blogs

Threat Research

  • Threat Roundup Sept 21 – 28


    September 28, 2018

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 21 and 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More >>

  • VPNFilter III: More Tools for the Swiss Army Knife of Malware


    September 26, 2018

    Summary

    VPNFilter — a multi-stage, modular framework that has infected hundreds of thousands of network devices across the globe — is now known to possess even greater capabilities. Cisco Talos recently discovered seven additional third-stage VPNFilter modules that add significant functionality to the malware, including an expanded ability to exploit endpoint devices from footholds on compromised network devices. The new functions also include data filtering and multiple encrypted tunneling capabilities to mask command and control (C2) and data exfiltration traffic. And while we believe our work, and the work of our international coalition of partners, has mostly neutralized the threat from VPNFilter, it can still be difficult to detect in the wild if any devices remain unpatched.

    Talos has been researching VPNFilter for months. Our initial findings are outlined here, and a description of additional modules used by the framework is here. As part of our continued investigation, we developed a technique to examine a key protocol used by MikroTik networking devices to hunt for possible exploitation methods used by the actor.

    As we followed the thread of VPNFilter infections, it became clear that MikroTik network devices were heavily targeted by the threat actor, especially in Ukraine. Since these devices seemed to be critical to the actor’s operational goals, this led us to try to understand how they were being exploited. Part of our investigation included the study of the protocol used by MikroTik’s Winbox administration utility. In this blog, we’ll share how and why we studied this protocol, as well as the decoder tool we developed as a way of helping the security community look into this protocol for potential malicious actor activity.

    The sophistication of VPNFilter drives home the point that this is a framework that all individuals and organizations should be tracking. Only an advanced and organized defense can combat these kinds of threats, and at the scale that VPNFilter is at, we cannot afford to overlook these new discoveries.

    Read More >>

  • Vulnerability Spotlight: Epee Levin Packet Deserialization Code Execution Vulnerability


    September 25, 2018

    This vulnerability was discovered by Lilith (>_>) of Cisco Talos.

    Overview

    The Epee library, which is leveraged by a large number of cryptocurrencies, contains an exploitable code execution vulnerability in the Levin deserialization functionality. An attacker can send a specially crafted network packet to cause a logic flaw, resulting in remote code execution.

    In accordance with our coordinated disclosure policy, Cisco Talos has worked with the developers of Monero ‘Lithium Luna’ to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

    Read More >>

  • IDA-minsc Wins Second Place in Hex-Rays Plugins Contest


    September 25, 2018

    Ali Rizvi-Santiago of Cisco Talos recently tied second place in the IDA plugin contest with a plugin named “IDA-minsc.” IDA is a multi-processor disassembler and debugger created by the company Hex-Rays and this year there were a total of 4 winners with 9 submissions total. Every year, the company invites researchers to submit plugins that improve their products, and Talos determined that IDA-minsc would improve users’ experience enough that it deserved consideration for this year’s awards.

    This plugin aims to make it easier for people to reverse and annotate binaries. We believe that this plugin expedites the annotation process and allows the user to work more efficiently. It does this by introducing a few concepts that change the way most users write Python in IDA, allowing the user to treat the parts they are reversing as a dataset that can be queried and annotated as they see fit. This, combined with the plugin’s various components that automatically determine a function’s parameters based on the user’s current selection, allows the user to very quickly write code that marks and annotates the different parts of the database.

    Read More >>

  • Adwind Dodges AV via DDE


    September 24, 2018

    This blog post is authored by Paul Rascagneres and Vitor Ventura, with the contribution of Tomislav Pericin and Robert Perica from ReversingLabs.

    Introduction

    Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software.

    The majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud security platform. After our research, we have discovered important details about this attack, as well as the malicious, forged Microsoft Office documents that the attackers are using.

    More information

  • Threat Roundup for Sept 14 – 21


    September 22, 2018

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More >>

  • Cyber Threat Alliance Releases Cryptomining Whitepaper


    September 19, 2018

    Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see them as a quick way to steal other users’ processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, resulting in reduced risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you — and your organization — should know about these kinds of campaigns.

    This paper covers the fact that there is a low technical barrier to entry for attackers, and that there are accessible patches to protect users from many of these attacks. Because cryptomining campaigns are easy to launch, a broader set of actors have engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The use of well-known vulnerabilities by attackers essentially turns this problem into a canary-in-the-coalmine situation for defenders. If you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the weaknesses in your systems to gain access — potentially for more damaging purposes.

    More information.

  • Threat Roundup for September 7 to September 14


    September 14, 2018

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 7 and September 14. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More

  • SigAnalyzer: Signature analysis with CASC


    September 13, 2018

    Executive summary

    ClamAV Signature Creator (CASC) is an IDA Pro plugin that assists in the creation of ClamAV pattern signatures. We have enhanced this plugin to also analyze these signatures. The plugin highlights the matching parts of a binary when it is given a particular signature. This function is helpful when evaluating automatically generated signatures, e.g., from the BASS framework. As a larger number of signatures is generated automatically, it becomes ever more important to gain a quick understanding of the effects of these signatures. This functionality will allow us to check the accuracy of our signatures faster, and allow us to deliver a better product to our users.

    You can read the complete post and see the associated video on the ClamAV blog.

  • Microsoft Patch Tuesday – September 2018


    September 11, 2018

    Microsoft released its monthly set of security updates today, addressing bugs across a variety of its products. The latest Patch Tuesday covers 61 vulnerabilities: 17 rated “critical,” 43 rated “important” and one considered to have “moderate” severity.

    The advisories cover bugs in the Internet Explorer web browser, Jet Database Engine and the Chakra scripting engine, among other products and software.

    This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.

    Read More >>