Cisco Threat Research Blog

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 06 and April 13. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read more here

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

Read_more>>

This post was authored by Xabier Ugarte Pedrero

In July 2017 we released PyREBox, a Python Scriptable Reverse Engineering Sandbox as an open source tool. This project is part of our continuous effort to create new tools to improve our workflows. PyREBox is a versatile instrumentation framework based on QEMU.

It allows us to run a whole operating system in a virtual environment (emulator), and to inspect and modify its memory and registers at run-time. A small set of QEMU modifications allows users to instrument certain events such as instruction execution or memory read/writes.

On top of this, PyREBox leverages Virtual Machine Introspection techniques to bridge the semantic gap, that is, understanding OS abstractions such as processes, threads, or libraries. You can find the more detailed description of the framework as well as its capabilities in the original blogpost.

In the past few months we have received positive feedback from the community, fixed bugs and added features suggested by the users. We also added support for GNU/Linux guests, and implemented an agent (program run inside the emulated guest) that allows file transfer between a host and a guest, as well as execution of samples in the guest on demand.

As part of this ongoing effort, today we are releasing a set of PyREBox scripts that are designed to aid malware analysis: Malware monitor. These scripts automate different tasks, such as code coverage analysis, API tracing, memory monitoring, and process memory dumping.

Read_more>>

Vulnerabilities discovered by Tyler Bohan from Talos

Overview
Talos is disclosing three remote code execution vulnerabilities in the NASA CFITSIO library. CFITSIO is a library of C and Fortran subroutines for reading and writing data files in the Flexible Image Transport System (FITS) data format. FITS is a standard format endorsed by both NASA and the International Astronomical Union for astronomical data.

Specially crafted images parsed via the library can cause a stack-based buffer overflow, overwriting arbitrary data. An attacker can deliver a malicious FIT image to trigger this vulnerability, and potentially gain the ability to execute code.

<<READ MORE>>

Discovered by Lilith Wyatt of Cisco Talos

Overview

Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer’s SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve’s award winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. The latest SDL version (2.0.8) can be found here.

Read More here

Discovered by Tyler Bohan of Cisco Talos

Overview

Today, Cisco Talos is disclosing a vulnerability within Computerinsel PhotoLine’s PSD-parsing functionality. Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerable component is in the handling of PSD documents. PSD is a document format used by Adobe Photoshop, and is supported by many third-party applications throughout the industry.

Read More here

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 68 new vulnerabilities, with 26 of them rated critical, 40 of them rated important and 1 of them rated moderate. These vulnerabilities impact Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office, Windows kernel, Windows Hyper-V, Microsoft Scripting Engine and more.

Read_more>>

Beers with Talos (BWT) Podcast Episode 26 is now available.  Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren’t your thing: www.talosintelligence.com/podcast

EP26 Show Notes:

Recorded 3/29/18 – Joel is sitting out this week, and Bill Largent from the Outreach team fills in. We are pretty sure he was just running late trying to live on Joel Mean Time which, coincidentally, is now a GitHub project thanks to Moses (link below). We cover a wide range of topics in this episode, so stay with us! We chat about the Talos Threat Research Summit coming in June, we wonder where the carrots to match the sticks in security are, and weigh the value of finding your own damn vulns. The last part of the show starts with discussing GoScanSSH, which ends up being a discussion on the larger battle for the edge.

>> Read More

Update: 4/9 Cisco PSIRT has released additional guidance available here.

Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. Some of these attacks are believed to be associated with nation-state actors, such as those described in U.S. CERT’s recent alert. As a result, we are taking an active stance, and are urging customers, again, of the elevated risk and available remediation paths.

On Feb. 14, 2017, Cisco’s Product Security Incident Response Team (PSIRT) released an advisory detailing active scanning associated with Cisco Smart Install Clients. The Cisco Smart Install Client is a legacy utility designed to allow no-touch installation of new Cisco equipment, specifically Cisco switches. As a response to this activity, Cisco Talos published a blog and released an open-source tool that scans for devices that use the Cisco Smart Install protocol. In addition to the release of the scanning tool, additional coverage has been released for Snort (SID: 41722-41725) to detect any attempts to leverage this type of technology.

Read More >>