Monday, July 25, 2016

Ransomware: Because OpSec is Hard?


This blog was authored by Edmund Brumaghin and Warren Mercer

Summary


Talos recently published research regarding a new variant of destructive ransomware, which we dubbed Ranscam. During further analysis of Ranscam samples, we discovered several indicators of compromise (IOCs) that piqued our curiosity as to which malware this threat actor might be involved in or responsible for besides Ranscam. We began to expand the scope of our research into other destructive "ranscamware" in an effort to determine if they had any shared characteristics that might indicate the same threat actor or group might be responsible for multiple variants. We found several interesting ties between known destructive ransomware variants such as Jigsaw and AnonPop which correlated with the threat actor we believe to be responsible for Ranscam.

Thursday, July 21, 2016

Vulnerability Spotlight: OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability

This vulnerability was discovered by Richard Johnson and Yves Younan of Cisco Talos.

Talos is releasing an advisory for a vulnerability in OpenOffice Impress (TALOS-2016-0051/CVE-2016-1513). Talos has discovered an exploitable out-of-bounds vulnerability in OpenOffice's handling of MetaActions. A specially crafted OpenDocument Presentation (.ODP) or Presentation Template (.OTP) file can cause an out-of-bounds read/write, resulting in denial of service (memory corruption and application crash) and possible execution of arbitrary code.

Overview

OpenOffice is an open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and other office functions. It works on various operating systems and is available in a host of languages. It uses an international open standard format for the common file types and can also read and write files from other common office software packages, such as Microsoft Office. Its flexibility and open source nature have led to wide adoption.

OpenOffice currently reports a user base of over 84 million and over 125 million downloads, 87% of which run Microsoft Windows. An attacker could trigger this vulnerability by enticing an end user to open a malicious file specially crafted to exploit it. This could be accomplished by directing a user to open a file hosted on a web server, sending the file as an attachment in a phishing email, or any other means that could convince a user to open the malicious file.

Details

In the attached sample, the out-of-bounds access occurs when replacing a Polygon in the PolyPolygon object while performing a MetaPolyPolygonAction. In this case the position in the array is 512, while the array containing Polygons (mpPolyAry) has only 2 entries. The result is the deletion of a pointer that is read out of bounds at line 228 of main\tools\source\generic\poly2.cxx, immediately followed by an out-of-bounds write of the pointer to a new Polygon created at that position. This gives an attacker two chances at exploitation: first the free of an invalid pointer, and, if that does not succeed, the out-of-bounds write of a new pointer. Below are lines 217-230 of main\tools\source\generic\poly2.cxx:


While there is a check at line 220 to ensure that npos is smaller than the array size, it is simply an assert, which is only enabled in debug builds and so offers no protection in the release builds that users run.
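To make that pattern concrete, here is an added example in C (hypothetical code written for this page, not the OpenOffice source): a PolyPolygon-style array of Polygon pointers whose Replace() guards the index only with a debug-only DBG_ASSERT, next to a hardened version that validates the index at run time before anything is read, freed or written. The names replace_assert_only, replace_checked and apply_replace_action, and the 4-byte record layout (index and point count as two little-endian u16 values), are assumptions for illustration; the 512-against-2 numbers are the ones from the advisory.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Debug-only check, as in the advisory: present when DBG_UTIL is defined, absent otherwise. */
#ifdef DBG_UTIL
#define DBG_ASSERT(cond, msg) assert((cond) && msg)
#else
#define DBG_ASSERT(cond, msg) ((void)0)
#endif

typedef struct { uint16_t npts; int32_t *pts; } Polygon;
typedef struct { uint16_t count; Polygon **ary; } PolyPolygon; /* ary stands in for mpPolyAry */

static Polygon *polygon_new(uint16_t npts) {
    Polygon *p = calloc(1, sizeof *p);
    if (p == NULL) return NULL;
    p->pts = calloc(npts ? npts : 1, 2 * sizeof(int32_t)); /* x,y per point */
    if (p->pts == NULL) { free(p); return NULL; }
    p->npts = npts;
    return p;
}

static void polygon_free(Polygon *p) { if (p) { free(p->pts); free(p); } }

static PolyPolygon *polypolygon_new(uint16_t count) {
    PolyPolygon *pp = calloc(1, sizeof *pp);
    if (pp == NULL) return NULL;
    pp->ary = calloc(count ? count : 1, sizeof *pp->ary);
    if (pp->ary == NULL) { free(pp); return NULL; }
    pp->count = count;
    for (uint16_t i = 0; i < count; i++) pp->ary[i] = polygon_new(0);
    return pp;
}

static void polypolygon_free(PolyPolygon *pp) {
    if (pp == NULL) return;
    for (uint16_t i = 0; i < pp->count; i++) polygon_free(pp->ary[i]);
    free(pp->ary);
    free(pp);
}

static uint16_t polypolygon_npts(const PolyPolygon *pp, uint16_t i) { return pp->ary[i]->npts; }

/* Vulnerable shape: with count == 2 and pos == 512 the pointer at ary[512] is read out of
 * bounds and freed, then the new Polygon pointer is written out of bounds. */
static void replace_assert_only(PolyPolygon *pp, uint16_t pos, uint16_t npts) {
    DBG_ASSERT(pos < pp->count, "PolyPolygon::Replace(): pos >= count");
    polygon_free(pp->ary[pos]);
    pp->ary[pos] = polygon_new(npts);
}

/* Hardened: validate before any read, free or write; -1 tells the caller the file is malformed. */
static int replace_checked(PolyPolygon *pp, uint16_t pos, uint16_t npts) {
    if (pos >= pp->count) return -1;
    Polygon *fresh = polygon_new(npts);
    if (fresh == NULL) return -1;
    polygon_free(pp->ary[pos]);
    pp->ary[pos] = fresh;
    return 0;
}

/* Stand-in for MetaPolyPolygonAction::Read: index and point count are two little-endian
 * u16 values taken straight from the document stream (assumed record layout). */
static int read_u16le(const uint8_t *buf, size_t len, size_t *off, uint16_t *out) {
    if (*off > len || len - *off < 2) return 0;
    *out = (uint16_t)(buf[*off] | (buf[*off + 1] << 8));
    *off += 2;
    return 1;
}

static int apply_replace_action(PolyPolygon *pp, const uint8_t *rec, size_t len) {
    size_t off = 0;
    uint16_t pos, npts;
    if (!read_u16le(rec, len, &off, &pos) || !read_u16le(rec, len, &off, &npts)) return -2;
    return replace_checked(pp, pos, npts);
}

static int checked_replace_result(uint16_t count, uint16_t pos) {
    PolyPolygon *pp = polypolygon_new(count);
    int rc = pp ? replace_checked(pp, pos, 1) : -3;
    polypolygon_free(pp);
    return rc;
}

/* Constructed records: the advisory's 512-against-2 case, then a benign in-bounds replace. */
static int run_sample(void) {
    static const uint8_t malicious[] = { 0x00, 0x02, 0x03, 0x00 }; /* pos = 512, npts = 3 */
    static const uint8_t benign[]    = { 0x01, 0x00, 0x04, 0x00 }; /* pos = 1,   npts = 4 */
    PolyPolygon *pp = polypolygon_new(2);
    if (pp == NULL) return 0;
    int bad  = apply_replace_action(pp, malicious, sizeof malicious);
    int good = apply_replace_action(pp, benign, sizeof benign);
    int npts = polypolygon_npts(pp, 1);
    polypolygon_free(pp);
    return bad == -1 && good == 0 && npts == 4;
}

int main(void) {
    PolyPolygon *pp = polypolygon_new(2);
    if (pp == NULL) return 1;
    replace_assert_only(pp, 1, 4); /* in bounds: behaves the same in either build */
    printf("unchecked replace at pos 1: %u points\n", (unsigned)polypolygon_npts(pp, 1));
    polypolygon_free(pp);
    printf("checked replace at pos 512 of 2: %d\n", checked_replace_result(2, 512));
    printf("sample run ok: %d\n", run_sample());
    return 0;
}
```

Built without DBG_UTIL, replace_assert_only performs exactly the sequence the advisory describes when handed the malicious record (an out-of-bounds pointer read, a free of that value, then an out-of-bounds pointer write); replace_checked returns -1 instead, so the parser can reject the document rather than trust an index it read from it.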

The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189:



Here is the call stack when the problem occurs:



Conclusion

Finding and responsibly disclosing zero-day vulnerabilities helps improve the overall security of the software people use on a day-to-day basis. Talos is committed to this effort by developing programmatic ways to identify vulnerabilities that could be otherwise exploited by malicious adversaries. This helps secure the platforms and software customers use and also helps provide insight into how Cisco can improve its own processes to develop better, more secure products. 

In addition, Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules: 35828-35829.

For further zero day or vulnerability reports and information visit:
http://www.talosintelligence.com/vulnerability-reports/

Wednesday, July 20, 2016

Vulnerability Spotlight: Oracle's Outside In Technology, Turned Inside-Out

Vulnerabilities discovered by Aleksandar Nikolic. Blog post authored by Jaeson Schultz and Aleksandar Nikolic.

One of the most fundamental tasks performed by many software programs involves the reading, writing, and general processing of files. In today's highly networked environments, files and the programs that process them can be found just about everywhere: FTP transfers, HTTP form uploads, email attachments, et cetera.

Because computer users interact with files of so many different varieties on such a regular basis, Oracle Corporation has designed tools to assist programmers with writing software that will support these everyday tasks: Outside In Technology (OIT). From the OIT website: "Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats."

In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle. The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in this post, is severe because so many third-party products use Oracle's OIT to parse and transform files. A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle's Outside In SDK includes:

Tuesday, July 19, 2016

Vulnerability Spotlight: Apple Remote Code Execution With Image Files


Vulnerabilities discovered by Tyler Bohan of Cisco Talos.

Many file formats are designed for specialized uses within specific industries. Apple provides APIs that give applications a single way to access image data across multiple image formats on the OS X platform. Talos is disclosing the presence of five remote code execution vulnerabilities in Apple OS X related to processing image formats: TALOS-2016-0171, TALOS-2016-0180, TALOS-2016-0181, TALOS-2016-0183, TALOS-2016-186.

Tuesday, July 12, 2016

Microsoft Patch Tuesday - July 2016

This post was authored by William Largent

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release has 11 bulletins addressing 49 vulnerabilities. 6 of these bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Print Spooler, Office and Adobe Flash Player. The remaining bulletins are rated important and address vulnerabilities in Windows Kernel, Office, Kernel-Mode Drivers, .NET Framework, and Secure Boot.

Bulletins Rated Critical

 

Microsoft bulletins MS16-084 through MS16-088, and MS16-093 are rated as critical in this month's release.

MS16-084 and MS16-085 are this month's Internet Explorer and Edge security bulletins respectively. The IE security bulletin addresses vulnerabilities in Internet Explorer versions 9, 10, and 11. The IE bulletin covers 15 vulnerabilities in total and resolves 9 memory corruption bugs, 1 security feature bypass bug, 3 information disclosure bugs, and 2 spoofing bugs. The Edge bulletin addresses 13 vulnerabilities in total and resolves 7 memory corruption bugs, 1 security feature bypass, 3 information disclosure and 2 spoofing bugs. The IE bugs are rated critical on affected Windows clients but only moderate on affected Windows Servers.

Monday, July 11, 2016

When Paying Out Doesn't Pay Off

This blog post was authored by Edmund Brumaghin and Warren Mercer

Summary


Talos recently observed a new ransomware variant targeting users. This ransomware shows that new threat actors are continuing to enter the ransomware market at a rapid pace due to the lucrative nature of this business model. As a result, greater numbers of unique ransomware families are emerging at a faster rate. This sometimes results in complex variants emerging or in other cases, like this one, less sophisticated ones. In many cases these new ransomware threats share little resemblance to some of the more established operations in their approach to infecting systems, encrypting/removing files, or the way in which they attempt to coerce victims into complying with their ransom demands.

Ranscam is one of these new ransomware variants. It lacks complexity and relies on scare tactics to push the user into paying; one such tactic is to tell the user that a file will be deleted on every unverified payment click, which turns out to be a lie. There is no longer honor amongst thieves. Similar to threats like AnonPop, Ranscam simply deletes victims' files, and provides yet another example of why threat actors cannot be trusted to recover a victim's files, even if the victim complies with the ransomware author's demands. With some organizations likely choosing to pay the ransomware author following an infection, Ranscam further underlines the importance of having a sound, offline backup strategy in place rather than a sound ransom payout strategy. Not only does a good backup strategy help ensure that systems can be restored, it also denies attackers the revenue they would otherwise reinvest into the future development of their criminal enterprise.

Vulnerability Spotlight: Local Code Execution via the Intel HD Graphics Windows Kernel Driver

This vulnerability was discovered by Piotr Bania.

Talos, in coordination with Intel, is disclosing the discovery of TALOS-2016-0087, a local arbitrary code execution vulnerability within the Intel HD Graphics Windows Kernel Driver. This vulnerability exists in the communication functionality of the driver and can be exploited if a specially crafted message is sent to the driver, resulting in a denial of service or arbitrary code execution. Note that exploitation of this vulnerability is only achievable in local contexts. This vulnerability has been responsibly disclosed to Intel in accordance with our Vulnerability Reporting and Disclosure guidelines. 

Friday, July 8, 2016

Vulnerability Spotlight: Symantec Norton Security IDSvix86 PE Remote System Denial of Service

Vulnerability discovered by Piotr Bania of Cisco Talos


Talos is disclosing the presence of a denial of service vulnerability (CVE-2016-5308 / TALOS-2016-0182) in the Portable Executable file scanning functionality of Symantec Norton Security. A specially crafted PE file can cause an access violation in the IDSvix86 kernel driver when parsing PE files, resulting in a denial of service.

A malicious attacker could trigger this vulnerability by emailing the victim a crafted file with a large SizeOfRawData field in a section header. Neither the parser nor MD5Compress, the function that actually faults, checks that this size lies within the bounds of the file; if the value is large enough, MD5Compress reads memory that is not currently available, and because the fault happens in the kernel driver, the machine crashes.
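An added example, not Symantec's code, of the check the advisory says is missing: a minimal C walker over the PE section table that validates each section's PointerToRawData and SizeOfRawData against the file length before any hash or scan routine touches the bytes. The image built by build_sample_pe is constructed for this example (an MZ stub, PE32 headers at 0x40, one section with raw data at 0x200) and is not a real binary; naive_in_bounds is included to show why the check must avoid 32-bit addition: with SizeOfRawData = 0xFFFFFF00 the sum wraps and the oversized section looks in-bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PE_OK = 0, PE_ERR_MAGIC = -1, PE_ERR_SHORT = -2, PE_ERR_HEADERS = -3, PE_ERR_SECTION = -4 };

static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}

static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* The broken check: PointerToRawData + SizeOfRawData wraps in 32 bits, so a huge size passes. */
static int naive_in_bounds(uint32_t ptr, uint32_t size, size_t file_len) {
    return (uint32_t)(ptr + size) <= file_len;
}

/* The correct check: no arithmetic that can overflow. */
static int section_in_bounds(uint32_t ptr, uint32_t size, size_t file_len) {
    return ptr <= file_len && size <= file_len - ptr;
}

/* Walk the section table and refuse any section whose raw data is not inside the file.
 * Returns the number of validated sections, or a negative PE_ERR_* code. */
static int pe_validate_sections(const uint8_t *b, size_t len) {
    uint32_t e_lfanew, sig;
    uint16_t nsec, optsz;
    if (len < 0x40 || b[0] != 'M' || b[1] != 'Z') return PE_ERR_MAGIC;
    if (!rd32(b, len, 0x3C, &e_lfanew)) return PE_ERR_SHORT;
    if (!rd32(b, len, e_lfanew, &sig) || sig != 0x00004550u) return PE_ERR_MAGIC; /* "PE\0\0" */
    if (!rd16(b, len, (size_t)e_lfanew + 6, &nsec)) return PE_ERR_SHORT;          /* NumberOfSections */
    if (!rd16(b, len, (size_t)e_lfanew + 20, &optsz)) return PE_ERR_SHORT;        /* SizeOfOptionalHeader */
    size_t table = (size_t)e_lfanew + 24 + optsz;                                /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++) {
        size_t hdr = table + (size_t)i * 40;
        uint32_t rawsz, rawptr;
        if (!rd32(b, len, hdr + 16, &rawsz) || !rd32(b, len, hdr + 20, &rawptr)) return PE_ERR_HEADERS;
        if (!section_in_bounds(rawptr, rawsz, len)) return PE_ERR_SECTION;
        /* only now is b[rawptr .. rawptr + rawsz) safe to hand to a hash or scan routine */
    }
    return nsec;
}

/* Constructed sample (not a real binary): MZ stub, PE32 headers at 0x40, one section at 0x200. */
#define SAMPLE_LEN 0x240
static void wr16(uint8_t *b, size_t off, uint16_t v) { b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, size_t off, uint32_t v) { for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i)); }

static void build_sample_pe(uint8_t out[SAMPLE_LEN], uint32_t size_of_raw_data) {
    const size_t nt = 0x40, sh = nt + 24 + 0xE0;
    memset(out, 0, SAMPLE_LEN);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out, 0x3C, (uint32_t)nt);        /* e_lfanew */
    wr32(out, nt, 0x00004550u);           /* "PE\0\0" */
    wr16(out, nt + 6, 1);                 /* NumberOfSections */
    wr16(out, nt + 20, 0xE0);             /* SizeOfOptionalHeader for PE32 */
    memcpy(out + sh, ".text", 5);
    wr32(out, sh + 16, size_of_raw_data); /* SizeOfRawData: the attacker-controlled field */
    wr32(out, sh + 20, 0x200);            /* PointerToRawData */
}

static int check_sample(uint32_t size_of_raw_data) {
    uint8_t img[SAMPLE_LEN];
    build_sample_pe(img, size_of_raw_data);
    return pe_validate_sections(img, SAMPLE_LEN);
}

int main(void) {
    printf("SizeOfRawData=0x40:       %d\n", check_sample(0x40));
    printf("SizeOfRawData=0xFFFFFF00: %d (naive check says %d)\n",
           check_sample(0xFFFFFF00u), naive_in_bounds(0x200, 0xFFFFFF00u, SAMPLE_LEN));
    return 0;
}
```

The same rule applies to every file-supplied offset and length in the header, not just SizeOfRawData: compare against what remains of the file rather than adding two untrusted values and comparing the sum.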

Talos has worked with Symantec to responsibly disclose this vulnerability. Uncovering new 0-day vulnerabilities not only helps improve the overall security of the software that our customers use, but it also enables us to directly improve the procedures in our own security development lifecycle, which improves the security of all of the products that Cisco produces. 

This vulnerability is detected by Snort SIDs 39466 and 39467.

For the most up to date list, please refer to Defense Center or FireSIGHT Management Center. For further 0-day or vulnerability reports and information visit:
http://talosintel.com/vulnerability-reports/

Full details for the advisory can be found at TALOS-2016-0182

Thursday, July 7, 2016

Connecting the Dots Reveals Crimeware Shake-up

This Post Authored by Nick Biasini

For a couple of weeks in June the threat landscape changed. Several high profile threats fell off the scene, causing a shake-up that hadn't been seen before. For a period of three weeks the internet was safer, if only for a short time. To date the Angler exploit kit has not returned, and the threat outlook appears to be forever changed. This post will discuss a series of connections tying back to a banking trojan called Lurk and a registrant account with ties that reached far across crimeware.

Thursday, June 30, 2016

Gotta be SWIFT for this Spam Campaign!

This blog post was authored by Warren Mercer

Summary


Talos has observed a large uptick in the Zepto ransomware and has identified a method of distribution for it: spam email. Locky/Zepto continue to be well known ransomware variants, so we will focus on the spam email campaign. We found 137,731 emails in the last 4 days using a new attachment naming convention. It was just coincidence that the number is a palindrome. The naming choice for this spam campaign is "swift [XXX|XXXX].js", where each 'X' is a letter or digit; we have seen both 3- and 4-character strings after the "swift" name. This began Monday 27th June with approximately 4,000 emails being caught within our Email Security Appliances (ESA) and Cloud Email Security platform (CES). It ramped up over the following days, with spikes occurring around 7-10pm UTC and 7-10am UTC over the next 4 days.