Cisco Threat Research Blog

Organizations across the country are on edge today after a flurry of phony bomb threats hit several public entities Thursday, such as universities, schools and news outlets, among others. The attackers distributed malicious emails claiming to have placed some type of explosive materials in the recipient’s building. The emails stated the attackers would detonate these explosives unless the victim made a Bitcoin payment of several thousand dollars.

Cisco Talos discovered that this campaign is actually an evolution of sextortion and extortion attacks that we reported on in October. The claims in the emails we’ve seen from this actor are completely false, yet they have caused untold amounts of damage as organizations have evacuated buildings and called upon law enforcement to investigate.

Read More

Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed “secure instant messaging applications.” These apps claim to encrypt users’ messages and keep their content secure from any third parties.

However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they are meant to keep by putting users’ confidential information at risk.

This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties. These apps, which have countless users, cannot assume that their users are security educated and understand the risk of enabling certain settings on their device. As such, they have an obligation to explain the risks to users, and when possible, adopt safer defaults in their settings. In this post, we will show how an attacker could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to. This post will dive into the methods in which these apps handle users’ data. It will not include deep technical analysis of these companies’ security.

Read more >>>

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 30 and Dec. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com

TRU12072018

Tim Wadhwa-Brown of Portcullis Labs authored this post.

In preparation for our talk at Black Hat Europe, Security Advisory EMEAR would like to share the background on our recent research into some common Active Directory integration solutions. Just as with Windows, these solutions can be utilized to join UNIX infrastructure to enterprises’ Active Directory forests.

Read More >> 

This blog post was authored by Warren Mercer and Paul Rascagneres.

Executive Summary

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it’s clear that this adversary spent time understanding the victims’ network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.

Based on this actor’s infrastructure and TTPs, we haven’t been able to connect them with any other campaign or actor that’s been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling “DNSpionage,” supports HTTP and DNS communication with the attackers.

In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let’s Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don’t know at this time if the DNS redirections were successful.

In this post, we will break down the attackers’ methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as “help wanted” sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.

Read more >>

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20. However, these can only be exploited with an authenticated session. The remote code execution is done under the context of HTTPD However, since the HTTPD process is running under root, an attacker can run code with elevated privileges.

All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS 2018-0620, which was found only on HWv3 FRNv1.3.0.

Read more >>

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 09 and Nov. 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com
TRU1109-1116

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 02 and Nov. 09. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com
Tru11092018

This blog post was authored by Edmund Brumaghin, Warren Mercer, Paul Rascagneres, and Vitor Ventura.

Executive Summary

Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers. Cisco Talos recently identified two ongoing malware distribution campaigns being used to infect victims with banking trojans, specifically financial institutions’ customers in Brazil. Additionally, during the analysis of these campaigns, Talos identified a dedicated spam botnet that is currently delivering malicious spam emails as part of the infection process.

Distribution campaigns

While analyzing these campaigns, Talos identified two separate infection processes that we believe attackers have used between late October and early November. These campaigns used different file types for the initial download and infection process, and ultimately delivered two separate banking trojans that target Brazilian financial institutions. Both campaigns used the same naming convention for various files used during the infection process and featured the abuse of link-shortening services to obscure the actual distribution servers used. The use of link shorteners also allows some additional flexibility. Many organizations allow their employees to access link shorteners from corporate environments, which could enable the attacker to shift where they are hosting malicious files, while also enabling them to leverage these legitimate services in email-based campaigns.

Read More >>