Tuesday, May 17, 2016

Making Friends By Proactive Notification

This blog post is authored by Tazz.

Talos has continued to observe ongoing attacks leveraging JBoss exploits. Through our research efforts, we have identified approximately 600 additional compromised hosts which contain webshells, the result of adversaries compromising unpatched JBoss environments. In response, Talos has been working to notify the owners of these compromised hosts so that appropriate remediation can take place. This blog post outlines the notification process and provides additional indicators which you can use to review your own JBoss environments, including a list of the 500 most common webshells we have observed in the wild.

Why Did I Get Notified?


After identifying the IP addresses of the hosts with one or more webshells, we extracted the contact email addresses provided in the WHOIS records of the organizations identified as the owners. The notification email contains a link which you can use to view this information. We are sending notifications to all listed email addresses, not only the designated abuse contact, because we have found many organizations where the abuse contact listed is no longer valid. By emailing all available contacts we maximize the chances of successful notification.

Wednesday, May 11, 2016

Multiple 7-Zip Vulnerabilities Discovered by Talos

7-Zip vulnerabilities were discovered by Marcin Noga.
Blog post was authored by Marcin Noga, and Jaeson Schultz.


Update 2016-05-12: Related advisories for the 7-Zip issues covered in this blog can be found here:
http://www.talosintel.com/reports/TALOS-2016-0093/
http://www.talosintel.com/reports/TALOS-2016-0094/

7-Zip is an open-source file archiving application which features optional AES-256 encryption, support for large files, and the ability to use “any compression, conversion or encryption method”. Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These types of vulnerabilities are especially concerning because vendors may not be aware that they are using the affected libraries. This is of particular concern when it comes to security devices or antivirus products, which routinely unpack archives they receive. 7-Zip is supported on all major platforms and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.

TALOS-CAN-0094, Out-of-Bounds Read Vulnerability, [CVE-2016-2335]

An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was designed to replace ISO 9660 and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because a volume can have more than one partition map, the partition map objects are kept in an object vector. To start looking for an item, this method references the proper object using the "PartitionRef" field from the Long Allocation Descriptor as an index into that vector. The method does not check that "PartitionRef" is smaller than the number of partition map objects in the vector, so an out-of-range value in a crafted image causes an out-of-bounds read, which in some circumstances can lead to arbitrary code execution.
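The unchecked lookup described above, reduced to a small C model. This is an added example, not 7-Zip's source: the structure names, the fixed-size map array, the sample volume and the two constructed 16-byte descriptors are all assumptions made for the illustration. The long_ad byte layout (4-byte extent length, 4-byte logical block, 2-byte partition reference, 6 bytes implementation use) follows ECMA-167. The vulnerable function indexes the partition map vector with the descriptor's PartitionRef as-is; the hardened function rejects any reference that does not name an existing map.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARTITION_MAPS 8

/* Constructed stand-in for the partition map object vector. */
typedef struct {
    uint16_t partitionNumber;
    uint32_t startBlock;      /* first logical block of the partition */
} PartitionMap;

typedef struct {
    PartitionMap maps[MAX_PARTITION_MAPS];
    size_t numMaps;           /* entries of maps[] that are actually valid */
} Volume;

/* ECMA-167 long_ad (16 bytes, little-endian):
 *   0..3  extent length
 *   4..7  lb_addr.logical_block_num
 *   8..9  lb_addr.partition_ref_num   ("PartitionRef")
 *  10..15 implementation use */
typedef struct {
    uint32_t extentLength;
    uint32_t logicalBlock;
    uint16_t partitionRef;
} LongAllocDesc;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse a long_ad from a 16-byte buffer taken from the untrusted image. */
void parse_long_ad(const uint8_t buf[16], LongAllocDesc *out) {
    out->extentLength = rd32le(buf);
    out->logicalBlock = rd32le(buf + 4);
    out->partitionRef = rd16le(buf + 8);
}

/* Vulnerable pattern: PartitionRef indexes the vector without a check.
 * A value >= numMaps reads memory the descriptor was never meant to
 * address. Only call this with a reference already known to be valid. */
uint32_t item_start_unchecked(const Volume *vol, const LongAllocDesc *lad) {
    return vol->maps[lad->partitionRef].startBlock + lad->logicalBlock;
}

/* Hardened form: refuse any descriptor whose PartitionRef does not name
 * an existing partition map, so the caller treats the archive as
 * malformed instead of reading past the vector. */
bool item_start_checked(const Volume *vol, const LongAllocDesc *lad,
                        uint32_t *startOut) {
    if (lad->partitionRef >= vol->numMaps)
        return false;
    *startOut = vol->maps[lad->partitionRef].startBlock + lad->logicalBlock;
    return true;
}

/* Constructed sample volume with a single partition map. */
Volume sample_volume(void) {
    Volume v;
    memset(&v, 0, sizeof v);
    v.numMaps = 1;
    v.maps[0].partitionNumber = 0;
    v.maps[0].startBlock = 257;
    return v;
}

/* Constructed descriptors: length 0x800, block 5, PartitionRef 7 (bad) / 0 (good). */
static const uint8_t BAD_LONG_AD[16] = {0x00,0x08,0x00,0x00, 0x05,0x00,0x00,0x00,
                                        0x07,0x00, 0,0,0,0,0,0};
static const uint8_t GOOD_LONG_AD[16] = {0x00,0x08,0x00,0x00, 0x05,0x00,0x00,0x00,
                                         0x00,0x00, 0,0,0,0,0,0};

/* Returns true when the hardened lookup rejects the out-of-range reference. */
bool sample_rejects_bad_ref(void) {
    Volume vol = sample_volume();
    LongAllocDesc lad;
    uint32_t start = 0;
    parse_long_ad(BAD_LONG_AD, &lad);
    return lad.partitionRef == 7 && !item_start_checked(&vol, &lad, &start);
}

/* Returns the resolved start block (257 + 5) for the valid descriptor, 0 on error. */
uint32_t sample_good_start(void) {
    Volume vol = sample_volume();
    LongAllocDesc lad;
    uint32_t start = 0;
    parse_long_ad(GOOD_LONG_AD, &lad);
    if (!item_start_checked(&vol, &lad, &start))
        return 0;
    return start == item_start_unchecked(&vol, &lad) ? start : 0;
}

int main(void) {
    printf("valid descriptor resolves to block %u\n", sample_good_start());
    printf("bad PartitionRef rejected: %s\n", sample_rejects_bad_ref() ? "yes" : "no");
    return 0;
}
```

The check must be against the number of maps actually populated from the volume descriptor, not the capacity of the container; a crafted image controls both the PartitionRef and, through the volume descriptor, how many maps exist.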

Tuesday, May 10, 2016

Microsoft Patch Tuesday - May 2016

This post is authored by Holger Unterbrink.

Patch Tuesday for May 2016 has arrived, with Microsoft releasing its monthly set of security bulletins addressing vulnerabilities in its products. This month's release contains 16 bulletins addressing 33 vulnerabilities. Eight bulletins are rated critical, addressing vulnerabilities in Edge, Internet Explorer, Office, Graphic Components, VBScript, and Windows Shell. The remaining bulletins are rated important and address vulnerabilities in Internet Explorer, Office, Windows Kernel, IIS, Media Center, Hyper-V, .NET, and several other Windows components.

Bulletins Rated Critical


Vulnerabilities in Microsoft bulletins MS16-051 through MS16-057 and MS16-064 are rated as critical in this month's release.

MS16-051 and MS16-052 are this month's Internet Explorer and Edge security bulletins respectively. One vulnerability is shared between IE and Edge, meaning that both browsers are affected. The IE bulletin addresses three memory corruption vulnerabilities rated critical, plus one information disclosure vulnerability and one security feature bypass rated important. The Edge bulletin addresses four memory corruption vulnerabilities, all rated critical. In both browsers, several of these vulnerabilities could allow remote code execution. For Internet Explorer the critical vulnerabilities are CVE-2016-0187, CVE-2016-0189 and CVE-2016-0192; for Microsoft Edge they are CVE-2016-0186 and CVE-2016-0191 through CVE-2016-0193. The IE CVEs rated important are CVE-2016-0188 and CVE-2016-0194.

Tuesday, May 3, 2016

Angler Catches Victims Using Spam as Bait

This post is authored by Nick Biasini with contributions from Erick Galinkin and Alex McDonnell

Exploit kits have been a recurring threat that we've discussed here on this blog as a method of driving users to malicious content. Users typically encounter exploit kit landing pages through compromised websites and malvertising. However, we've found a new email twist to the standard procedure for getting users into the exploit kit infection chain.

Usually when we see compromised websites serving exploit kit gates, malicious iframes have been dropped on single pages or throughout the entire site. These iframes either link to an exploit kit landing page directly or to a gate. Using a gate allows the adversary to change the location of the landing page without having to modify the compromised WordPress site again. In the spam campaign that we detected and blocked, adversaries instead linked users directly to "hidden" web pages (pages placed within the site's directory structure but not linked from the site itself) rather than to pages containing an iframe.
Sample Spam Message

Threat Spotlight: Spin to Win...Malware

This post was authored by Nick Biasini with contributions from Tom Schoellhammer and Emmanuel Tacheau.

The threat landscape is ever changing and adversaries are always working to find more efficient ways to compromise users. One of the many ways that users are driven to malicious content is through malicious advertisements, known as malvertising. Talos has been monitoring several large-scale malvertising campaigns, how the initial exploits occur, and the payloads that are downloaded as a result.

In a normal ad campaign, ad agencies buy ad space on publications and other trafficked websites, and the ad agency then tries to get those ads served to users that fit some criteria in the hope that users click on the ads, which take the user to (for example) a product page. The aggregate of serving ads for a particular product is referred to as a 'campaign.' A malvertising campaign is similar: ad space is purchased from an agency, and users satisfying particular criteria are targeted. It may be that the content of the mal-ad itself can infect a user's computer, or it may be that a user who clicks on the enticing mal-ad is taken somewhere which then infects the user's computer. The initial infection will often download another payload.

Monday, May 2, 2016

Cryptolocker 4 White Paper Available: The Evolution Continues

We are pleased to announce the availability of the Cryptolocker 4 white paper. Over the past year, Talos has devoted a significant amount of time to better understanding how ransomware operates, its relation to other malware, and its economic impact. This research has proven valuable for Talos and led to the development of better detection methods within the products we support, along with the disruption of adversarial operations. CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and CryptoWall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4. In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior, and deltas from previous versions, and to share our research and findings with the community. The white paper is located here.

Thursday, April 28, 2016

Research Spotlight: The Resurgence of Qbot

The post was authored by Ben Baker.

Qbot, AKA Qakbot, has been around since at least 2008, but it recently experienced a large surge in development and deployments. Qbot primarily targets sensitive information like banking credentials. Here we are unveiling recent changes to the malware that haven’t been made public yet.

Qbot’s primary means of infection is as a payload in browser exploit kits. Website administrators often use FTP to access their servers, so Qbot attempts to steal FTP credentials to add these servers to its malware hosting infrastructure. Qbot can also spread across a network using SMB, which makes it very difficult to remove from an unprotected network.

Wednesday, April 27, 2016

The "Wizzards" of Adware

This post was authored by Warren Mercer with contributions from Matthew Molyett

Executive Summary


In September 2015, Talos posted a blog which examined how often seemingly benign software can rightly be condemned as malware. With this in mind, this blog presents an interesting piece of “software” which we felt deserved additional disclosure. This software exhibits several questionable behaviors, including:

  • Attempts to detect sandboxes via a number of techniques 
  • Attempts to detect AV
  • Attempts to detect security tools and forensic software
  • Attempts to detect remote desktop
  • Secretly installs software on the end host without user interaction or EULAs
  • Informs C2 via encrypted channel what software was installed and what “effective_price” was associated with it

Vulnerability Spotlight: Further NTPD Vulnerabilities

As a member of the Linux Foundation Core Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified a series of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified further vulnerabilities in the software.

Since 2013, criminals have been abusing NTP packets in order to cause amplified denial of service attacks. The ubiquity of the Network Time Protocol daemon and the importance of co-ordinated time for the correct functioning of many services mean that it is a tempting target for attack. Vulnerabilities that allow the time as understood by ntpd to be altered can be used by attackers to set the time to an arbitrary value. This allows attackers to:

  • prevent time-dependent services from starting because the time of activation is never reached
  • provoke the depletion of system resources by repeatedly reaching the time of activation of services
  • gain system access by using expired certificates
  • deny service by expiring legitimate services and caches

Hence the importance of identifying and remediating vulnerabilities within the time service.

Cisco has discovered six vulnerabilities within ntpd that allow attackers to craft UDP packets to either cause a denial of service condition or to prevent the correct time being set. We recommend that all users upgrade to the latest version of ntpd. 

Wednesday, April 20, 2016

Threat Spotlight: Exploit Kit Goes International Hits 150+ Countries


Nuclear Activity Across 10,000+ Cities in 150+ Countries
This post is authored by Nick Biasini with contributions from Erick Galinkin and Alex McDonnell

Overview

Talos is constantly monitoring the threat landscape, and exploit kits are a constantly evolving component of it. An ongoing goal of Talos is to expose and disrupt these kits to protect the average internet user from being targeted and compromised. We were able to gain unprecedented insight into the Angler exploit kit and reveal details of its activity that were previously unknown. Now we have focused our attention on the Nuclear exploit kit with similar results.

The Nuclear exploit kit has been steadily compromising users for years and has been effective at evolving and adding new exploits to its arsenal. However, it has been operating largely off the radar compared to some of the more prolific kits that are active today. This lack of deep visibility was one of the driving forces behind our investigation into its activity. What we found was a sophisticated threat that has been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries.