Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities

Vulnerabilities discovered by Cory Duplantis from Talos

Overview

Talos has discovered multiple vulnerabilities in Natus NeuroWorks software. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an Ethernet connection for data acquisition and connection to networks.

We identified a number of vulnerabilities falling into two classes:

  • Four code execution vulnerabilities
  • One denial of service vulnerability

The first category allows code execution on the medical device through a specially crafted network packet. The second category can cause the vulnerable service to crash. The vulnerabilities can be triggered remotely without authentication.

Read More >>

Vulnerability Spotlight: Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability

This vulnerability was discovered by Patrick DeSantis and Dave McDaniel of Cisco Talos.

Today, Talos is disclosing TALOS-2017-0507 (CVE-2017-14459), a vulnerability that has been identified in the Moxa AWK-3131A industrial wireless access point.

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. The manufacturer specifically highlights automated materials handling and automated guided vehicles as target markets.

An exploitable OS Command Injection vulnerability exists in the Telnet login functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware versions 1.4 and newer. An attacker can inject commands via the username parameter, resulting in remote, unauthenticated, root-level operating system command execution.

Read More >>

Fake AV Investigation Unearths KevDroid, New Android Malware

This blog post is authored by Warren Mercer, Paul Rascagneres and Vitor Ventura, with contributions from Jungsoo An.

Summary

Several days ago, EST Security published a post concerning a fake antivirus malware targeting the Android mobile platform. In the Korean media, it was mentioned that there could be a link between this Android malware and Group 123. Talos decided to investigate this malware, and due to our reporting on and history of following Group 123, we discovered some interesting elements.

Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls. One variant uses a known Android exploit (CVE-2015-3636) in order to get root access on the compromised Android device. The data of both variants was sent using an HTTP POST to a unique command and control (C2) server. The ability to record calls was implemented based on an open-source project available on GitHub. We named this malware “KevDroid.”

Another RAT (this time targeting Windows) was identified hosted on the command and control server in use by KevDroid. This malware specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). The attackers use the PubNub API in order to publish orders to the compromised systems. This behaviour explains why we named it “PubNubRAT.”

At this time, we cannot identify a link between these samples and the Group 123 sample. We only identified a bundle of tactics, techniques and procedural elements that were too weak to identify a real link.

Read More >>


Vulnerability Spotlight: Multiple Vulnerabilities in Allen Bradley MicroLogix 1400 Series Devices

These vulnerabilities were discovered by Jared Rittle and Patrick DeSantis of Cisco Talos.

Summary

Rockwell Automation Allen-Bradley MicroLogix 1400 Programmable Logic Controllers (PLCs) are marketed for use in a variety of different Industrial Control System (ICS) applications and processes. As such, these devices are often relied upon for the performance of critical process control functions in many different critical infrastructure sectors. Previously, Cisco Talos released details regarding a vulnerability that was present in these devices. Cisco Talos continued analysis of these devices and discovered additional vulnerabilities that could be leveraged to modify device configuration and ladder logic, write modified program data into the device’s memory module, erase program data from the device’s memory module, or conduct Denial of Service (DoS) attacks against affected devices. Depending on the affected PLCs within an industrial control process, this could result in significant damages.

Read More >>

Vulnerability Spotlight: Multiple Nvidia D3D10 Driver Pixel Shader Vulnerabilities

Discovered by Piotr Bania of Cisco Talos

Overview

Today, Cisco Talos is disclosing multiple vulnerabilities that exist within the Nvidia D3D10 driver. This driver is used throughout multiple GPU product lines available from Nvidia. This is a commonly used driver, and can be found within VMware, thus giving rise to a potential guest-to-host escape. It is strongly recommended that patches are applied immediately.

Read More >>

Forgot About Default Accounts? No Worries, GoScanSSH Didn’t

This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.

Executive Summary

During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.

Read More >>

Talos Threat Research Summit at Cisco Live US 2018

Cisco Talos presents a conference by Defenders, for Defenders.

Talos had one goal in mind when creating a brand new conference: Make something that we'd want to attend ourselves. As such, the Talos Threat Research Summit is aimed at being a one-day conference by defenders, for defenders. This summit is designed to assist you in keeping your users and network safer. Our roster of experienced speakers will share their deep expertise in network defense, tracking the bad guys and identifying trends in the threat landscape. The goal of the summit is that you will leave with up-to-date, actionable intel you can take back to your network and use immediately. There are also opportunities for networking with your defense-focused peers and security leaders.

More information, including the agenda and speaker line-up, will be released in the coming weeks, so stay tuned!

WHAT: TALOS THREAT RESEARCH SUMMIT

WHEN: JUNE 10, 2018

WHERE: HYATT REGENCY, ORLANDO, FLORIDA – AT CISCO LIVE!


Here is what you can expect:

Read More >>

Microsoft Patch Tuesday – March 2018

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 74 new vulnerabilities, with 14 of them rated critical and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, Scripting Engine, Windows Shell and more.

Read More >>

Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution

Gozi ISFB is a well-known and widely distributed banking trojan, and has been in the threat landscape for the past several years. Banking trojans are a widely distributed type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Talos has been monitoring Gozi ISFB activity since then, and has discovered a series of campaigns over the past six months that have been making use of the elusive "Dark Cloud" botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, as well as the additional threats we have observed using this infrastructure over the past couple of years.

Read More >>