Cisco Blogs

Threat Research

  • VPNFilter Update – VPNFilter exploits endpoints, targets new devices


    June 6, 2018 - 3 Comments

    Introduction

    Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding “VPNFilter.” In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.


  • Talos Threat Research Summit Guide and Cisco Live Preview


    June 5, 2018 - 0 Comments

    The first Cisco Talos Threat Research Summit is coming up at Cisco Live! in Orlando, so we are providing a quick guide to all the activities going on at the summit and beyond. The response to the summit was stronger than we could have anticipated for the first year – it sold out fast! Next time, we definitely need a bigger boat. Whether or not you have a ticket to the summit, read on for a guide to staying on top of what’s happening in Orlando, and to connecting with ALL the events Talos is holding around Cisco Live! 2018.


  • Vulnerability Spotlight: TALOS-2018-0535 – Ocularis Recorder VMS_VA Denial of Service Vulnerability


    June 4, 2018 - 0 Comments

    Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of settings, from convenience stores to city-wide deployments. An attacker can trigger this vulnerability by crafting a malicious network packet that causes a process to terminate, resulting in a denial of service.


  • NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea


    May 31, 2018 - 1 Comment

    This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

    Executive Summary

    Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan that we’re calling “NavRAT” is downloaded, which can perform various actions on the victim machine, including command execution, and has keylogging capabilities.

    The decoy document is named “미북 정상회담 전망 및 대비.hwp” (Prospects for US-North Korea Summit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on victim systems. The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT.

    This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email. The uploaded file(s) are sent by email, and the downloaded files are retrieved from an email attachment. We have already observed malware using free email platforms for abuse, but this is the first time we have identified a malware that uses Naver — which is known for its popularity in South Korea.

    One of the most interesting questions we still have is regarding attribution — and who is behind this malware. Previously, we published several articles concerning Group123. We currently assess with medium confidence that this campaign and NavRAT are linked to Group123.


  • Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities


    May 31, 2018 - 0 Comments

    Vulnerabilities discovered by Cory Duplantis from Talos.

    In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an Ethernet connection for data acquisition and connection to networks. The vulnerabilities exposed here can cause the affected service to crash. The vulnerabilities can be triggered remotely without authentication.

    We strongly recommend that readers refer to the “Discussion” part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices.


  • Threat Roundup for May 18-25


    May 26, 2018 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 18 and May 25. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


  • New VPNFilter malware targets at least 500K networking devices worldwide


    May 23, 2018 - 25 Comments

    Intro

    For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system we call “VPNFilter.” We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves. In particular, the code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country. Weighing these factors together, we felt it was best to publish our findings so far prior to completing our research. Publishing early means that we don’t yet have all the answers — we may not even have all the questions — so this blog represents our findings as of today, and we will update our findings as we continue our investigation.

    Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allow for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.

    The types of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.

    This post provides the technical findings you would normally see in a Talos blog. In addition, we will detail some thoughts on the tradecraft behind this threat, using our findings and the background of our analysts, to discuss the possible thought process and decisions made by the actor. We will also discuss how to defend against this threat and how to handle a device that may be infected. Finally, we will share the IOCs that we have observed to this point, although we are confident there are more that we have not seen.


  • TeleGrab – Grizzly Attacks on Secure Messaging


    May 16, 2018 - 1 Comment

    Over the past month-and-a-half, Talos has seen the emergence of malware that collects cache and key files from the end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.

    While the first version only stole browser credentials and cookies, along with all text files it can find on the system, the second variant added the ability to collect Telegram’s desktop cache and key files, as well as login information for the Steam website.

    Talos intelligence research allowed the identification of the author behind this malware with high confidence. The author posted several YouTube videos with instructions on how to use the collected Telegram files to hijack Telegram sessions and how to package the malware for distribution.

    The operators of this malware use several pcloud.com hardcoded accounts to store the exfiltrated information. This information is not encrypted, which means that anyone with access to these credentials will have access to the exfiltrated information.

    The malware is mainly targeting Russian-speaking victims, and is intentionally avoiding IP addresses related to anonymizer services.


  • Vulnerability Spotlight: Multiple Adobe Acrobat Reader DC Vulnerabilities


    May 15, 2018 - 0 Comments

    Discovered by Aleksandar Nikolic of Cisco Talos

    Overview

    Today, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually the default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

    A specific JavaScript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation, leading to a stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to a return address overwrite, which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.


  • Threat Roundup for May 04 – 11


    May 11, 2018 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 4 and May 11. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
