Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure

Vulnerability discovered by Aleksandar Nikolic of Talos.

Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, made while parsing JBIG2 segments within a PDF file, can be triggered in Foxit PDF Reader, causing out-of-bounds heap memory to be read into a buffer. The `memcpy` call is properly sized for its destination, but the source is smaller than the size argument, so memory adjacent to the source is copied into the buffer; heap metadata, addresses and pointers copied this way can later be reused, disclosing the memory layout. Combined with another vulnerability, this information disclosure can be used to leak the heap memory layout and bypass ASLR. Phishing campaigns commonly use PDF files, as malicious attachments or linked downloads, to deliver malware.
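The defect class described above, as an added example that is not Foxit's code: a minimal parser for a hypothetical length-prefixed segment format (constructed for illustration, not the JBIG2 layout) that checks the declared length against both the destination capacity and the bytes actually remaining in the source, so `memcpy` can never read past the input.

```c
/* Added example (not Foxit's or the JBIG2 spec's code): a segment parser that
 * bounds memcpy by the source length as well as the destination size.
 * Hypothetical segment layout, constructed for this example:
 *   1 byte  type
 *   4 bytes big-endian data length
 *   N bytes data */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SEG_DATA 64

typedef struct {
    uint8_t type;
    uint32_t length;
    uint8_t data[MAX_SEG_DATA];
} segment_t;

/* Parses one segment from buf. Returns bytes consumed, or 0 on a malformed
 * or truncated segment. */
size_t parse_segment(const uint8_t *buf, size_t buf_len, segment_t *out)
{
    if (buf_len < 5) return 0;                      /* header must be complete */
    uint32_t len = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                   ((uint32_t)buf[3] << 8) | (uint32_t)buf[4];
    /* Destination bound: sizing memcpy only by this is what the advisory
     * describes as "properly sized". */
    if (len > MAX_SEG_DATA) return 0;
    /* Source bound: without this check, memcpy would read len - (buf_len - 5)
     * bytes of whatever lies in memory after the input (heap metadata,
     * pointers) into out->data, which is the disclosure described above. */
    if (len > buf_len - 5) return 0;
    out->type = buf[0];
    out->length = len;
    memcpy(out->data, buf + 5, len);
    return 5 + (size_t)len;
}

/* Parses consecutive segments, stopping at the first malformed one.
 * Returns the number of segments accepted. */
int parse_stream(const uint8_t *buf, size_t buf_len, segment_t *segs, int max_segs)
{
    int n = 0;
    size_t off = 0;
    while (off < buf_len && n < max_segs) {
        size_t used = parse_segment(buf + off, buf_len - off, &segs[n]);
        if (used == 0) break;
        off += used;
        n++;
    }
    return n;
}
```

A parser that accepted the second segment in the test input below would copy 14 bytes beyond the end of the input; rejecting it is the whole fix.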


LockyDump – All Your Configs Are Belong To Us


Locky has continued to evolve since its inception in February 2016. This has made it difficult to track at times due to changes in the way in which it’s distributed as well as various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve operational security (OpSec) with regard to the tracking of affiliates making use of the ransomware. This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming ‘LockyDump’. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky, i.e. the .locky, .zepto and .odin based ransomware.

Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. The latest variant of Locky made this extraction process increasingly difficult. Once this config extraction changed, Talos looked to reverse further Locky samples in an attempt to gain the all-important AffilID information. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis, such as their primary distribution method of choice, i.e. through the use of Exploit Kits (EKs) or spam/phishing email.


Microsoft Patch Tuesday – October 2016

Patch Tuesday has once again arrived! Microsoft’s monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today’s release sees a total of 10 bulletins with five of the bulletins rated critical, addressing vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.

Bulletins Rated Critical

The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127

MS16-118 and MS16-119 are this month’s bulletins for Internet Explorer and Edge respectively. The Internet Explorer bulletin fixes 11 vulnerabilities while the Edge bulletin fixes 13 vulnerabilities. Seven vulnerabilities were found to affect both Edge and IE. The majority of the vulnerabilities fixed are memory corruption flaws that could lead to arbitrary code execution. Several privilege escalation and information disclosure flaws were also fixed in this month’s release.


Phishing for Threat Intelligence: Using Your Spam Quarantine for the Greater Good

Effectively protecting your assets increasingly depends on threat intelligence that helps you understand the types of attackers targeting your sector and where your vulnerabilities are. Lacking any threat intelligence at all, or even the foresight to use Google and Twitter to spot fake scams trending in top results, can leave a company among the unfortunate victims paying out to one of the copycat DDoS threats making the rounds early in 2016, or to the even more recent Ranscam encrypting malware, which was found not to release a victim’s files after a ransom is paid.

Recent studies have shown a significant uptrend in the percent of phishing campaigns being used to deliver ransomware. The combination of being used as an entry point for credential-stealing malware, Internet links designed to steal credentials, DDoS threat messages, and ever-increasing amounts of ransomware threat, clearly makes email one of the largest attack surfaces of an enterprise.

Protecting our assets from these threats begins with our Email Security Appliance (ESA), designed to filter based on email volume and other heuristics associated with spam and phishing campaigns. ESA is known to be effective in blocking over 99% of spam and phish emails. That leaves enterprise defenders with less than 1% of threats to deal with, but that remaining fraction is getting increasingly effective with more well-crafted spear phishing messages. These spear phishing campaigns target users with accurate branding logos, victim names, and messages that appear to be legitimate.

Instead of being content that your spam/phish appliances are blocking 99%+ of phishing threats, and continuing to blindly deal with what may slip past controls, you could be using the data from your spam/phish quarantine to help bolster your defenses. The recipient, subject, and message body data in the phishing messages could be used to learn more about what type of threats are targeting your company, how to more effectively tune controls, and, maybe most importantly, to serve as an early warning system for potential breaches of third parties your company is doing business with.

Targeted spear phishing campaigns stay under the radar of the spam controls, often by using smaller lists of valid email addresses purchased for a target organization in a campaign. These lists can be from a variety of sources including data from previous data breaches. Protecting your organization from the remaining 1% of targeted phishing campaigns not caught by blocking appliances requires a defense-in-depth strategy such as the one outlined in this Cisco whitepaper.

A defense-in-depth strategy for your entire organization can be enriched by better understanding the threats facing you. By knowing more about the attackers’ tactics, you can better inform and prepare users, and by knowing more about who is being targeted in your firm, you can wrap further protections around them. Using spam data sets to generate metrics on the subject line and message body allowed the Cisco Midyear Security Report to show how successful emails with “invoice” themes have been so far this year.


If your organization conducts phishing awareness to help employees become more secure, how much value could be added by producing metrics like these to tailor the training to stay ahead of current threats? October is National Cyber Security Awareness Month. If your organization does not have any phishing awareness training in place, you can get started in the right direction using the free online phishing awareness test by Cisco’s OpenDNS to learn about commonly identifiable tactics used by scammers.

What could your organization learn by extracting the recipient data for each phishing campaign noted by subject and message body, or payload similarity? How about if those recipients were bucketed by work group, types of access, or at an even deeper level, by what third parties they have been working with for activities such as closing sales, merger talks, and services?

If the same buckets of employees are ending up in targeted phishing campaigns fairly frequently, it might be time to wrap more monitoring around those situations. It may also be worth examining the possibility that a third party they are working with is part of a breach in which those employee email addresses could have been learned, or treating the pattern as a warning that the deals they are working on are under scrutiny by someone willing and able to employ phishing/malware to gain an edge.

Join the National Cyber Security Month conversation on Twitter @CiscoSecurity #CyberAware

Vulnerability Spotlight: FreeImage Library XMP Image Handling Code Execution Vulnerability

FreeImage is widely used software integrated into over 100 products ranging from free to paid licensing, including multimedia software, games, developer tools, PDF generators and more. FreeImage makes use of a common file format created by Adobe, Extensible Metadata Platform (XMP), that allows real-time managing of metadata. Per Adobe, the XMP file format allows users to “embed metadata into files themselves during the content creation process”, and FreeImage’s 3.17.0 integration of this file format into its software is vulnerable to an overflow in the “Colors Per Pixel” value of an XMP image. Generally speaking, when FreeImage 3.17.0 opens an XMP file with a large enough Colors Per Pixel value, that value is not handled properly by follow-on code in the function that uses it. You can liken it to taking a 99 oz. glass, turning on the faucet, and filling it up with 100+ ounces of water. The water spills over and gets into areas you don’t want it to be. In technical terms, the large value is not properly validated during code execution and it can trigger an out-of-bounds write. This causes an arbitrary memory overwrite that can effectively result in remote code execution. This is likely to be exploited if someone sends you a maliciously crafted image file as an email attachment or possibly via an instant message.


Vulnerability Spotlight: OpenJPEG JPEG2000 mcc record Code Execution Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos

Overview

Talos has identified an exploitable out-of-bounds vulnerability in the JPEG 2000 image file format parser implemented in the OpenJPEG library (TALOS-2016-0193/CVE-2016-8332). The JPEG 2000 file format is commonly used for embedding images inside PDF documents. This particular vulnerability could allow an out-of-bounds heap write to occur, resulting in heap corruption and leading to arbitrary code execution. Talos has disclosed this vulnerability responsibly to the library maintainers to ensure a patch is available.


Want Tofsee My Pictures? A Botnet Gets Aggressive

This post was authored by Edmund Brumaghin

Summary

Tofsee is multi-purpose malware that has been in existence for several years, operating since at least 2013. It features a number of modules that are used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Once infected, systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Earlier this year, Talos published a blog post discussing how the RIG exploit kit was delivering this malware to compromised endpoints using malvertising. Malvertising is a technique commonly used by exploit kits to infect users that browse web sites that are serving compromised advertisements. This activity seemed to disappear in June; however, Talos has recently observed a marked increase in the volume and velocity of spam email campaigns containing malicious attachments that are being used to distribute Tofsee.


Threat Spotlight: GozNym

This blog was authored by Ben Baker, Edmund Brumaghin, and Jonah Samost.

Executive Summary

GozNym is the combination of features from two previously identified families of malware, Gozi and Nymaim. Gozi was a widely distributed banking trojan with a known Domain Generation Algorithm (DGA) and also contained the ability to install a Master Boot Record (MBR) rootkit. Nymaim emerged in 2013 as malware which was used to deliver ransomware and was previously distributed by the Black Hole exploit kit. The code had various anti-analysis techniques, such as the obfuscation of Win32 API calls.

There have been multiple instances in which the source code of the Gozi trojan has been leaked. Due to these leaks it was possible for the GozNym authors to make use of the ‘best of breed’ methodologies incorporated into Gozi and create a significantly more robust piece of malware which was now capable of utilizing strengthened persistence methods and ultimately becoming a powerful banking trojan.

Given the recent success of the GozNym trojan and the number of targeted attacks seeking to infect victims with this malware, Talos decided to take a deep look at the inner workings of this particular malware family. Talos started by examining the binaries associated with GozNym as well as the distribution mechanisms. Additionally, we were able to successfully reverse engineer the DGA associated with a GozNym command and control (C2) infrastructure and sinkhole that botnet. This gave Talos great visibility into the size and scope of this threat and the number of infected systems beaconing to C2 servers under adversarial control.


The Rising Tides of Spam

This blog post was authored by Jaeson Schultz.

For the past five years we have enjoyed a relatively calm period with respect to spam volumes. Back at the turn of the decade the world was experiencing record-high volumes of spam. However, with the evolution of new anti-spam technologies, combined with some high-profile takedowns of spam-related botnets, voluminous and indiscriminate spam attacks fell precipitously in popularity with spammers. Subsequently, having lower volumes of spam to contend with, anti-spam systems had the luxury of dedicating more computer processing resources to analyzing fewer messages for email-based threats. But, as the fashion industry adage goes, “everything old is new again.” Spam volumes are back on the rise.
