Cisco Threat Research Blog

Recently a large scale ransomware campaign delivering Samsam changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat. Due to information provided from our Cisco IR Services Team, stemming from a recent customer engagement, we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This lead us to approximately 3.2 million at-risk machines.

As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found approximately 2,000 machines with a backdoor already installed. Over the last few days, Talos has been in the process of notifying affected parties including: schools, governments, aviation companies, and more.  Several of these systems had one specific software solution in common.  Read the full post for details, advisories, and recommended remediation.

Read More>>

Patch Tuesday for April has arrived with Microsoft releasing their latest monthly set of security bulletins to address security vulnerabilities in their products. This month’s release contains 13 bulletins relating to 31 vulnerabilities. Six bulletins address vulnerabilities rated as critical in Edge, Graphic Components, Internet Explorer, XML Core Service, Microsoft Office and Adobe Flash Player. The remaining seven bulletins address important vulnerabilities in Hyper-V, Microsoft Office and other Windows components.

Bulletins Rated Critical

Bulletins MS16-037 through MS16-040 and bulletins MS16-042, MS16-050 are rated as critical in this month’s release.

MS16-037 is related to six vulnerabilities in Internet Explorer. The most severe vulnerabilities allow an attacker to craft a website that executes arbitrary code on the victim’s device due to the memory corruption vulnerabilities in the browser. The attacker would be limited to executing code with same administrative rights as the current user, but with many users having full administrator rights, an attacker could use this to take full control of a device. To exploit the vulnerability the attacker must get the victim to view attacker controlled content. Previously, this has not proved a major limitation for attackers. Attackers have proved adept at sending spam messages, compromising legitimate websites and abusing web advertising networks to redirect users to malicious websites.

Read more >>

The rise of ransomware over the past year is an ever growing problem. Business often believe that paying the ransom is the most cost effective way of getting their data back – and this may also be the reality. The problem we face is that every single business that pays to recover their files, is directly funding the development of the next generation of ransomware. As a result of this we’re seeing ransomware evolve at an alarming rate.

In this blog post we explore traits of highly effective strains of self-propagating malware of the past, as well as advances in tools to facilitate lateral movement. This research is important as we expect adversaries to begin utilizing these capabilities in ransomware going forward. This blog post focuses on two avenues of thought – that our past is chock full of successful malware, and that successful cyber extortionists will look to the past to create new and evolving threats going forward.

Ransomware as we know it today has a sort of ‘spray and pray’ mentality; they hit as many individual targets as they can as quickly as possible. Typically, payloads are delivered via exploit kits or mass phishing campaigns. Recently a number of scattered ransomware campaigns deliberately targeting enterprise networks, have come to light. We believe that this is a harbinger of what’s to come — a portent for the future of ransomware.

Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; With few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data. This paper will discuss the latest ransomware trends as well as how to defend your enterprise against this threat.

Read more >>

Introduction

Exploit kits are constantly compromising users, whether it’s via malvertising or compromised websites, they are interacting with a large amount of users on a daily basis. Talos is continuously monitoring these exploit kits to ensure protection, analyze changes as they occur, and looking for shifts in payloads. Yesterday we observed a new technique  in the Nuclear kit and found a new payload and technique we’ve not seen before.

Details

It’s been awhile since we’ve discussed Nuclear so let’s start with an overview of how users are infected. Like most exploit kits it has a couple of key components: a gate, a landing page, and an exploit page with payload.  Let’s start by describing the gate that we have been observing associated with Nuclear and specifically this instance associated to a novel payload.

Gate

This particular infection begins with a compromised website. Buried on the website is a couple lines of javascript, which you can find below:

Read More >>>

In today’s threat landscape, Adobe Flash Player unfortunately remains an attractive attack vector for adversaries to exploit and compromise systems. Over the past year, Talos has observed several instances where adversaries have identified zero-day vulnerabilities and exploited them to compromise systems. Talos is aware of reports that CVE-2016-1019, an Adobe Flash 0-day vulnerability, is currently being exploited in the wild and is affecting systems running Windows 10 and earlier.

According to the Adobe Flash Player security advisory published on April 5, Flash Player versions 21.0.0.197 and earlier are susceptible to compromise via CVE-2016-1019. This includes Flash Player version 20.0.0.306 as well as Flash Player Extended Support Release (ESR) version 18.0.0.333 and earlier. One special note is that as of March 10, 2016, Adobe introduced a mitigation that prevents exploitation of CVE-2016-1019 in Flash version 21.0.0.182 and later.

Read more >>

Cisco Talos vulnerability researcher Piotr Bania recently discovered a vulnerability in the Apple Intel HD 3000 Graphics driver, which we blogged about here. In this post we are going to take a deeper dive into this research and look into the details of the vulnerability as well as the KASLR bypass and kernel exploitation that could lead to arbitrary local code execution. These techniques could be leveraged by malware authors to bypass software sandbox technologies, which can simply be within the software program (browser or application sandbox) or at the kernel level.

In the course of conducting our research, Talos found that Apple OSX computers with Intel HD Graphics 3000 GPU units possess a null pointer dereference vulnerability (in version 10.0.0) as presented below:

Read More

This post is authored by Tazz.

EXECUTIVE SUMMARY

At the end of February, one of the researchers on the team received a solicitation email from a domain reseller, which she reviewed the first week of March.  The email was from Namecheap offering deeply discounted domains for .88 cents. The timing of the email couldn’t have been more ironic as it overlapped with some current research into determining if there is a relationship between domain pricing and an aggregation of domains related to malware/phishing/spamming. This article will discuss the relationship between deeply discounting domains and nefarious activities.  For the purpose of discussion in this article, the word malicious will include malware, phishing, and spam activities.

BACKGROUND

Talos has previously investigated the magnetic relationship between bad guys and cheap/free services.  When it comes to the Internet, undoubtedly you get what you pay for, and when it’s cheap/free it’s bound to be infested with bad guys.  We saw this philosophy ring true with dynamic DNS, and saw bad guys leveraging cheap services when actors migrated to dynamic DNS which you can read more on https://blogs.cisco.com/security/dynamic-detection-of-malicious-ddns.

Any businessman, good or bad, seeks to make money, fast.  To do this, one must maximize return on investment and/or find a market with a low cost of entry.  If it costs $5,000 to get started, that might not be feasible for many, especially a criminal, but if it only costs $50 or even $5, well there’s obviously a greater chance that many people will seek out that market.  These rules are no different when it comes to bad guys doing bad things on the Internet.  So, given this email offering deeply discounted TLDs, the team formed a hypothesis and we began digging.

Hypothesis:  When domain prices are <= $1 there will be an increase in registrations and a corresponding increase in malicious activities associated with the TLDs.

Read more >>

Talos is disclosing the discovery of vulnerability TALOS-2016-0095 / CVE-2016-2347 in the Lhasa LZH/LHA decompression tool and library. This vulnerability is due to an integer underflow condition. The software verifies that header values are not too large, but does not check for a too small header length. Decompressing a LHA or LZH file containing an under-value header size leads to the decompression software allocating a pointer to point to released memory on the heap. An attacker controlling the length and content of such a file can use the vulnerability to overwrite the heap with arbitrary code.

Read More>>

Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits. This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry.

Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.

Technical Details

Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.

Read more >>