Talos has discovered two XSS vulnerabilities in Ruby Rails Gems. Rails is a Ruby framework designed to create web services or web pages. Ruby Gems is a package manager for distributing software packages as ‘gems’. The two XSS vulnerabilities were discovered in two different gem packages: delayed_job_web and rails_admin.

Ruby is widely used as a language for web development. Gem packages allow software engineers to reuse code across multiple development projects. As such, the discovery of a vulnerability in a gem may mean that many different systems are affected by that vulnerability.

Read More >>

Talos is disclosing the presence of multiple vulnerabilities in the CPP and the Parity Ethereum clients.

TALOS-2017-0503 / CVE-2017-14457 describes a denial of service vulnerability and potential memory leak in libevm. The function is not currently enabled in the default build. This vulnerability only affects nodes which have manually enabled it during build time.

TALOS-2017-0508 / CVE-2017-14460 is an overly permissive cross-domain (CORS) whitelist policy vulnerability in the Ethereum Parity client. It can lead to the leak of sensitive data about existing accounts, parity settings and network configurations, in addition to accounts and parity settings modifications, if certain APIs have been turned on.

Further on, TALOS-2017-0464 – TALOS-2017-0471 / CVE-2017-12112 – CVE-2017-12119 describe multiple Authorization Bypass Vulnerabilities which an attacker could misuse to access functionality reserved only for users with administrative privileges without any credentials.

Finally, Talos found TALOS-2017-0471 / CVE-2017-12119, another denial of service vulnerabilities in the CPP-Ethereum JSON-RPC implementation. A specially crafted json request can cause an unhandled exception resulting in a denial of service.

<< Read More >>

Cisco Talos is aware of three new vulnerabilities impacting Intel, AMD, Qualcomm and ARM processors used by almost all computers. We are investigating these issues and although we have not observed exploitation of these vulnerabilities in the wild, that does not mean that it has not occurred. We have observed publicly available proof of concept exploit code being developed to exploit these vulnerabilities.

These issues have been assigned the following CVE entries:

Meltdown: An attacker can access kernel memory from user space

• Rogue data cache load (CVE-2017-5754)

Spectre: An attacker can read memory contents from other users’ running programs

• Branch target injection (CVE-2017-5715)
• Bounds check bypass (CVE-2017-5753)

Read More >>

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between December 29 and January 05. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read more »

This post was authored by Edmund Brumaghin with contributions from Ben Baker, Dave Maynor and Matthew Molyett.

Introduction

Talos has observed a cyber attack which was launched using the official website of the Ukraine-based accounting software developer Crystal Finance Millennium (CFM). This vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. However, the attackers did not compromise the firm’s update servers and did not have the level of access noted in the Nyetya compromise. CFM’s website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. Websites being compromised to serve malicious content is common and it appears that CFM’s website was leveraged in the same way. This can be achieved through exploitation of existing vulnerabilities in server-side software or brute-forcing weak credentials, allowing attackers to gain remote administrative access. The fact that it is an accounting software company in Ukraine and the timing of the attack increased visibility.

This attack occurred in August 2017, during the time frame associated with the observance of the Independence Day holiday in Ukraine. The details of the specific malware infection process itself have been previously documented here. Talos was able to register and sinkhole one of the Command and Control (C2) domains and through this, obtain additional details regarding the scope of this attack and associated victims. This blog provides additional information related to the geographic regions that were targeted by this attack as well as the size and scope of of systems that were successfully compromised.

Read More >>

Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMWare’s products that could result in code execution. VMWare implements VNC for its remote management, remote access, and automation purposes in VMWare products including Workstation, Player, and ESXi which share a common VMW VNC code base. The vulnerabilities manifest themselves in a way that would allow an attacker to initiate of VNC session causing the vulnerabilities to be triggered. Talos has coordinated with VMWare to ensure the issue was disclosed responsibly and patched by the vendor. Additionally, Talos has developed Snort signatures that can detect attempts to exploit these vulnerabilities.

Read More >>

Virus Bulletin conference is a well regarded intimate technical conference focused on malware research. It provides a good balance between listening to technical talks and spending time exchanging experiences with colleagues from different companies; all working on the same task of making our computing environments more secure.

This past October, Talos participated at the Virus Bulletin conference in Madrid with a talk presented by Warren Mercer and me, Paul Rascagneres. This talk covered the latest techniques used in the reconnaissance phase of attacks by APT actors. During the presentation, we demonstrated how the reconnaissance phase is executed as a part of the infection process in order to protect valuable zero-day exploits, malware frameworks, and other tools.

Read More >>

Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 34 new vulnerabilities with 21 of them rated critical and 13 of them rated important. These vulnerabilities impact Edge, Exchange, Internet Explorer, Office, Scripting Engine, Windows, and more.

In addition to the 33 vulnerabilities addressed, Microsoft has also released an update for Microsoft Office which improves security by disabling the Dynamic Data Exchange (DDE) protocol. This update is detailed in ADV170021 and impacts all supported versions of Office. Organizations who are unable to install this update should consult the advisory for workaround that help mitigate DDE exploitation attempts.

Read More >>

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between December 01 and December 08. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read more »