Cisco Threat Research Blog

This post is authored by Holger Unterbrink.

Patch Tuesday for May 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 16 bulletins addressing 33 vulnerabilities. Fourteen bulletins are rated critical, addressing vulnerabilities in Edge, Internet Explorer, Office, Graphic Components, VBScript, Windows Shell, and Adobe Flash Player. The remaining bulletins are rated important and address vulnerabilities in Internet Explorer, Office, Windows Kernel, Exchange, IIS, Media Center, Hyper-V, .NET, and several other Windows components.

Bulletins Rated Critical

Vulnerabilities in Microsoft bulletins MS16-051 through MS16-057 and MS16-064 are rated as critical in this month’s release.

MS16-051 and MS16-052 are this month’s Internet Explorer and Edge security bulletins respectively. One vulnerability is shared between IE and Edge, meaning that both Edge and IE are affected. The IE security bulletin addresses three memory corruption vulnerabilities marked as critical, one information disclosure vulnerability and one security feature bypass marked as important. The Edge one has four memory corruption vulnerabilities all marked as critical. For both Edge and IE, some vulnerabilities are potential remote code execution vulnerabilities. For Internet Explorer these critical vulnerabilities are: CVE-2016-0187, CVE-2016-0189 and CVE-2016-0192. For Microsoft Edge: CVE-2016-0186 , CVE-2016-0191 to 0193. IE CVEs flagged as important are CVE-2016-0188 and CVE-2016-0194.

This post authored by Nick Biasini with contributions from Erick Galinkin.

Exploit kits have been a recurring threat that we’ve discussed here on this blog as a method of driving users to maliciousness.  Users typically encounter exploit kit landing pages through  compromised websites and malvertising. However, we’ve found a new email twist to the standard procedures associated with getting users into the exploit kit infection chain.

Usually when we see compromised websites serving exploit kit gates there are malicious iframes dropped on single pages or throughout the entire site. These iframes can either be links to an exploit kit landing page directly or to a gate. Using a gate allows the adversary to change the location of the landing page without having to change the compromised wordpress site. In the spam campaign that we detected and blocked, adversaries were instead linking users to “hidden” web pages (pages located within the site’s directory structure) on these sites instead of linking users to pages containing an iframe.

Read More >>

This post was authored by Nick Biasini with contributions from Tom Schoellhammer and Emmanuel Tacheau

The threat landscape is ever changing and adversaries are always working to find more efficient ways to compromise users. One of the many ways that users are driven to malicious content is through malicious advertisements known as malvertising. Talos has been monitoring several large-scale malvertising campaigns, how the initial exploit occur, and the payloads that are downloaded as a result.

In a normal ad campaign, ad agencies buy ad space on publications and other trafficked websites, and the ad agency then tries to get those ads served to users that fit some criteria in the hopes that users click on the ads, which take the user to (for example) a product page. The aggregate of serving ads for a particular product is referred to as a ‘campaign.’ A malvertising campaign is similar. Ad space is purchased from an agency, users satisfying particular criteria are targeted. It may be that the content of the mal-ad itself can infect a user’s computer, or it may be that a user who clicks on the enticing mal-ad is taken somewhere which then infects the user’s computer. The initial infection will often download another payload.

Read More >>

We are pleased to announce the availability of the cryptolocker 4 white paper. Over the past year, Talos has devoted a significant amount of time to better understanding how ransomware operates, its relation to other malware, and its economic impact. This research has proven valuable for Talos and led the development of better detection methods within the products we support along with the disruption of adversarial operations. CryptoWall is one ransomware variant that has shown gradual evolution over the past year with CryptoWall 2 and Cryptowall 3. Despite global efforts to detect and disrupt the distribution of CryptoWall, adversaries have continued to innovate and evolve their craft, leading to the release of CryptoWall 4. In order to ensure we have the most effective detection possible, Talos reverse engineered CryptoWall 4 to better understand its execution, behavior, deltas from previous versions and share our research and findings with the community. The white paper is located here.

Talos posted a blog, September 2015, which aimed to identify how often seemingly benign software can be rightly condemned for being a piece of malware. With this in mind, this blog presents an interesting piece of “software” which we felt deserved additional information disclosure. This software exhibits several questionable behaviors including:

• Attempts to detect sandboxes via a number of techniques
• Attempts to detect AV
• Attempts to detect security tools and forensic software
• Attempts to detect remote desktop
• Secretly installs software on the end host without user interaction or EULAs
• Informs C2 via encrypted channel what software was installed and what “effective_price” was associated with it

Read More >>

As a member of the Linux Foundation Core Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified a series of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified further vulnerabilities in the software.

Read More>>

This post authored by Nick Biasini

Talos is constantly monitoring the threat landscape and exploit kits are a constantly evolving component of it. An ongoing goal of Talos is to expose and disrupt these kits to protect the average internet user being targeted and compromised. We were able to gain unprecedented insight into Angler exploit kit and reveal details of the activity that were previously unknown. Now we have focused our attention on the Nuclear exploit kit with similar results.

Nuclear Exploit Kit has been steadily compromising users for years and has been effective in evolving as well as adding new exploits to their arsenal. However, it has been operating largely off the radar compared to some of the more prolific kits that are active today. This lack of deep visibility was one of the driving forces behind the deep investigation into its activity. What we found was a sophisticated threat that has been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries.

Read More >>

Talos has recently discovered a vulnerability in Oracle’s Outside In Technology  Image Export SDK which, when exploited, allows an attacker to overflow the heap, leading to arbitrary code execution. The vulnerability lies in the Image Export SDK’s parsing of Portable Document Format (PDF) files.

While parsing a PDF file which contains an Xref object, values from the /Index entry are used to handle the decoded stream. A malformed PDF file with many objects specified by the /Index entry can lead to a memory overwrite past the ends of the allocated buffer, overwriting adjacent heap chunks.

Read More