Friday, September 30, 2016

Vulnerability Spotlight: OpenJPEG JPEG2000 mcc record Code Execution Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos


Overview

Talos has identified an exploitable out-of-bounds vulnerability in the JPEG 2000 image file format parser implemented in the OpenJPEG library (TALOS-2016-0193/CVE-2016-8332). The JPEG 2000 file format is commonly used for embedding images inside PDF documents. This particular vulnerability could allow an out-of-bounds heap write to occur, resulting in heap corruption and leading to arbitrary code execution. Talos has disclosed this vulnerability responsibly to the library maintainers to ensure a patch is available.


Exploitation of this vulnerability is possible if a user were to open a file containing a specifically crafted JPEG 2000 image that exploits this flaw. Examples where this could be achieved would be in an email attack, where a user opens an attachment in a spam/phishing email, or in a hosted content scenario where a user downloads a file from Google Drive or Dropbox.


Coverage

Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 40314-40315

For further zero day or vulnerability reports and information visit:
http://talosintelligence.com/vulnerability-reports/

Vulnerability Spotlight: Redis CONFIG SET client-output-buffer-limit Code Execution Vulnerability

Vulnerability Discovered by Cory Duplantis of Talos

Overview

Talos is disclosing TALOS-2016-0206/CVE-2016-8339, an out-of-bounds write vulnerability in Redis. Redis is a simple in-memory data structure store using a key-value model. Redis has been growing in popularity due to its ability to handle problems that other databases can't solve or are inherently slow at. This particular vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out-of-bounds write, potentially resulting in code execution.

Thursday, September 29, 2016

Want Tofsee My Pictures? A Botnet Gets Aggressive

This post was authored by Edmund Brumaghin

Summary

Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Earlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users who browse web sites that are serving compromised advertisements. This activity seemed to disappear in June; however, Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.

Tuesday, September 27, 2016

Threat Spotlight: GozNym

This blog was authored by Ben Baker, Edmund Brumaghin and Jonah Samost.

Executive Summary


GozNym is the combination of features from two previously identified families of malware, Gozi and Nymaim. Gozi was a widely distributed banking trojan with a known Domain Generation Algorithm (DGA) and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware and was previously distributed by the Black Hole exploit kit. The code had various anti-analysis techniques, such as the obfuscation of Win32 API calls.

There have been multiple instances in which the source code of the Gozi trojan has been leaked. Due to these leaks it was possible for the GozNym authors to make use of the ‘best of breed’ methodologies incorporated into Gozi and create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.

Given the recent success of the GozNym trojan and the number of targeted attacks seeking to infect victims with this malware, Talos decided to take a deep look at the inner workings of this particular malware family. Talos started by examining the binaries associated with GozNym as well as the distribution mechanisms. Additionally, we were able to successfully reverse engineer the DGA associated with the GozNym command and control (C2) infrastructure and sinkhole the botnet. This gave Talos great visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control.

Monday, September 26, 2016

Project APT: How to Build an ICS Network and Have fun at the Same Time

The Industrial Control System (ICS) security team at Talos frequently sees requests from peers and from students on how to build an ICS test lab. After all, the best way to learn is to get some equipment and learn with good old-fashioned hands-on tinkering. Unfortunately, many frame their test lab inquiries based on more traditional IT standards and network topologies. This is an easy error to make. After all, we can all generally name the components of a modern IT network - workstations, servers, switches, routers and firewalls, for example. It's easy to fall back on the things with which we are most familiar. It's only natural. It would be easy to assume that building an ICS network is just assembling the usual suspects of ICS equipment, and soon you will have an ICS test lab.

The truth is, nothing is atypical with industrial control system networks. Understanding industrial control systems and how they work together to deliver a process is not an easy thing. An electrical utility and an oil refinery may make use of the exact same ICS equipment in completely different environments and configurations, which effectively makes understanding implementation difficult. With such a diversity of industries and verticals, it can be difficult to even find a starting point much less procure (often expensive) equipment to start a proper ICS test lab. 

Members of the ICS team (Joe Marshall, Patrick DeSantis II & Carlos Pacho) were challenged with this problem by Talos senior leadership, and were told to find a way to build an ICS test lab. No easy task! As it turns out, the answer was easy, but the road to get there would not be.

Wednesday, September 21, 2016

The Rising Tides of Spam

This blog post was authored by Jaeson Schultz.

For the past five years we have enjoyed a relatively calm period with respect to spam volumes. Back at the turn of the decade the world was experiencing record-high volumes of spam. However, with the evolution of new anti-spam technologies, combined with some high-profile takedowns of spam-related botnets, voluminous and indiscriminate spam attacks fell precipitously in popularity with spammers. Subsequently, having lower volumes of spam to contend with, anti-spam systems had the luxury of dedicating more computer processing resources to analyzing fewer messages for email-based threats. But, as the fashion industry adage goes, "everything old is new again." Spam volumes are back on the rise.

Tuesday, September 13, 2016

Microsoft Patch Tuesday - September 2016

This post was authored by Jaeson Schultz.

Well, it's Microsoft Patch Tuesday again, and that must mean we are girding our systems against another round of security vulnerabilities. This month Microsoft has released fourteen (14) bulletins covering fifty (50) security vulnerabilities. There are seven bulletins in the set whose severity is considered "Critical". These "Critical" bulletins affect Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft Exchange Server, Microsoft Office, OLE Automation for VBScript Scripting Engine, and the Adobe Flash Player. The remaining seven bulletins impact products such as Silverlight, Windows, Windows Kernel, Windows Lock Screen, Windows Secure Kernel Mode, Windows SMBv1 Server, and the Microsoft Windows PDF Library.

Tuesday, September 6, 2016

Vulnerability Spotlight: Kaspersky Unhandled Windows Messages Denial of Service Vulnerability

Vulnerability discovered by Marcin 'Icewall' Noga of Cisco Talos.

Overview

Talos is disclosing the presence of TALOS-2016-0175 / CVE-2016-4329, a local denial of service vulnerability within Kaspersky anti-virus. A system user is able to cause a denial of service attack against Kaspersky's avpui.exe process by executing malicious code on a system. As a result, the avpui.exe process, which is protected by Kaspersky Self-Protection, dies.

Thursday, September 1, 2016

Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted

This blog was authored by Nick Biasini.

Exploit kits are a class of threat that indiscriminately aims to compromise all users. Talos has continued to monitor this threat over time, resulting in large-scale research and even a large-scale takedown. The focus of this investigation is on the tools and techniques being used to drive users to the exploit kits. This blog looks at the anatomy of a global malvertising campaign and how users interact with exploit kit gates, regardless of the sites they visit or the countries in which they reside.

Talos observed a large malvertising campaign affecting potentially millions of users visiting sites in North America, Europe, Asia Pac, and the Middle East. The research culminated in a joint effort with GoDaddy to mitigate the threat by taking back the registrant accounts used to host the activity, and taking down all applicable subdomains. This is yet another example of how organizations work together to stop threats affecting users around the globe. If you are a provider or online ad company that would like to work with Talos, please contact us.

Online advertising is a key component of the Internet today, especially for sites that provide content free of charge. In this blog we will be discussing a global malvertising campaign that has affected a wide array of websites. These websites don't bear responsibility for these malicious ads; it is just the nature of online advertising. As security organizations get better at identifying and shutting down malicious content, adversaries are going to continue to move and stay agile. The advantage of malicious advertising is that if you visit the same site twice you are unlikely to receive the same advertising content. This is where protections like ad blockers, browsers with advanced sandboxing technologies, and detection/prevention technologies are paramount to ensure protection from this type of content.

Friday, August 26, 2016

Vulnerability Spotlight: Kernel Information Leak & Multiple DOS Issues Within Kaspersky Internet Security Suite

Vulnerability discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.

Overview

Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.

Details

To provide anti-virus functionality, Kaspersky’s software hooks into the Windows API via a driver named KLIF. Talos has identified two vulnerabilities in the way that the driver handles intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. In both cases a malicious application on a machine with Kaspersky’s KLIF driver installed is able to execute a malicious API call using invalid parameters. This can cause an attempt to access inaccessible memory by the driver resulting in a system crash.

A further local denial of service attack is possible through Kaspersky's KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can cause the driver to read memory outside of an allocated buffer. This may provoke a memory access violation resulting in a system crash.