Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Vulnerability Spotlight: Apple OS X Graphics Kernel Driver Local Privilege Escalation Vulnerability

Piotr Bania of Cisco Talos is credited with the discovery of this vulnerability.


Cisco Talos, in conjunction with Apple’s security advisory issued on Mar 22, is disclosing the discovery of a local vulnerability in the communication functionality of the Apple Intel HD3000 Graphics kernel driver. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.

There is a local privilege escalation vulnerability in the Apple Intel HD3000 Graphics kernel driver (TALOS-2015-0088/CVE-2016-1743) which Talos has identified on OS X 10.11. Exploitation of this vulnerability requires user interaction, such as executing a malicious executable received via email or downloaded and run on the user’s Mac. With OS X becoming more common in the workplace, this can be especially impactful, as ordinary user accounts often do not have root-level permissions.


Malware Word Search: Identifying Angler’s Dictionary

This post was authored by Steve Poulson with contributions from Nick Biasini.

Exploit kits are constantly evolving and changing. We recently wrote about some subtle Angler changes, but then Angler changed drastically on March 8. In this blog post, we will briefly cover these changes, examining the different characteristics of the URL structure for Angler and the origins of the words being leveraged to create them.

New Angler
Beginning on March 8, Talos noticed some major changes to the URL structure for Angler. These changes were drastic and have altered every part of the URL for the landing pages. Let’s first look at the old syntax:
e.serenawilliamsbeauty.com/forum/view.php?forum_id=t4g&id=tnm9epz5bt3cua9snw8b1etdv2fd46zmo5-6s4n94yeh023g_y8ym2896c-0fnmmzxpec27qye_x2dswec8dgxxapds5ngbt3

Teslacrypt 3.0.1 – Tales from the Crypt(o)!

This post is authored by Andrea Allievi and Holger Unterbrink.

Executive Summary

Ransomware is malicious software that is designed to hold users’ files (such as photos, documents, and music) for ransom by encrypting their contents and demanding that the user pay a fee to decrypt their files. Typically, users are exposed to ransomware via email phishing campaigns and exploit kits. TeslaCrypt is one well-known ransomware variant, infecting many victims worldwide. It is among the top 5 ransomware families we see most often in our analysis systems. The core functionality of TeslaCrypt 3 remains the same: it continues to encrypt users’ files and then presents a message demanding that the user pay a ransom.

While the information security community has responded to the ransomware threat by disrupting distribution mechanisms and developing better detection methods, adversaries realize they must also continue to adapt and evolve their capabilities. Unfortunately, this has led adversaries to iterate on and improve previous releases of TeslaCrypt, resulting in the release of TeslaCrypt 3. In response to this latest TeslaCrypt variant, which is compromising users, Talos reverse engineered TeslaCrypt 3 to better understand its functionality, how it works, and what has changed since the last release.

The previous variant had a weakness in the way it stored the encryption key, which enabled researchers to provide a tool for decrypting the files encrypted by TeslaCrypt [1]. Unfortunately, so far we are not aware of any tool which can do the same for this variant of TeslaCrypt.

This analysis gives an overview of the encryption algorithm used by TeslaCrypt 3.0.1, which is the latest version as of the writing of this article. To improve readability, we will refer to this as TeslaCrypt 3 for the remainder of the blog. We will explain the cryptographic details in a way that can be understood using high school mathematics. Nevertheless, expect a tough cryptographic journey.


Microsoft Patch Tuesday – March 2016

Patch Tuesday for March 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 13 bulletins addressing 44 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Edge, Graphic Fonts, Internet Explorer, Windows Media Player, and Windows PDF. The remaining eight bulletins are rated important and address vulnerabilities in .NET, Office, and several other Windows components.

Bulletins Rated Critical

Microsoft bulletins MS16-023, MS16-024, MS16-026 through MS16-028, and MS16-036 are rated as critical in this month’s release.

MS16-023 and MS16-024 are this month’s Internet Explorer and Edge security bulletins, respectively. In total, 24 vulnerabilities between the two bulletins were addressed, with five vulnerabilities in common (meaning that both Edge and IE are affected by the same five vulnerabilities). The IE security bulletin addresses 13 memory corruption vulnerabilities, while the Edge bulletin addresses 10 memory corruption flaws and one information disclosure bug that manifests as a result of Edge improperly handling referrer policy, potentially leaking the user’s request content or browsing history.


Angler Attempts to Slip the Hook

This post was authored by Nick Biasini with contributions from Joel Esler and Melissa Taylor.

Talos has discussed at length the sophistication of the Angler exploit kit. One thing that always makes Angler stand apart is the speed with which its operators develop and implement new techniques. Whether it’s domain shadowing, 302 cushioning, encrypted payloads, or quick exploit development, Angler is constantly trying to maintain its lead in the exploit kit arms race. Recently we noticed some changes in Angler.


Tax Scams Gone International

Tax time in the US is quickly approaching. Everyone should be on the lookout for scams that are designed to trick you out of your money and personal information. The IRS is warning users about an increase in the number of email scams being used this year. However, these attacks are no longer limited to just the United States. Earlier this year we noticed tax phishing campaigns targeting Ireland. Therefore, we decided to take a look back over the last year and see how widespread tax scams have become. We quickly realized that tax scams have gone international and now impact numerous countries across the world.

To give you an idea of the scope of the problem that we uncovered, our post will look at tax phishing campaigns from the following perspectives:

  • Tax Related Domains
  • Countries Impacted
  • Attack Techniques
  • Timing of Attacks
  • Interesting Twists


Operation Blockbuster: Coverage for the Lazarus Group

The threat landscape is in constant flux. In many situations, the entire security community must work together to combat some of today’s larger threats. Novetta researched a group of malware families that all appear to be related to the same group of threat actors, dubbed “The Lazarus Group” (Group 77). According to Novetta’s analysis, which was released in a report titled “Operation Blockbuster”, these malware families have been behind multiple high-profile attacks over the last nine years. By working with Novetta, Talos was able to ensure that our customers were protected against this threat.

Talos examined the various malware families involved in the research through the samples provided to us to verify that we have coverage for all of the malware families.


Microsoft Patch Tuesday – February 2016

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains twelve bulletins addressing 37 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Internet Explorer, Edge, Windows Journal, Office and Windows PDF. The remaining seven bulletins are rated important and address vulnerabilities in the Network Policy Server (NPS), Active Directory, Windows, Remote Desktop Protocol, WebDAV, Kernel Mode Driver and the .NET Framework.

Bulletins Rated Critical

Microsoft bulletins MS16-009, MS16-011 through MS16-013, and MS16-015 are rated as critical in this month’s release.

MS16-009 and MS16-011 are this month’s Internet Explorer and Edge security bulletins, respectively. In total, sixteen vulnerabilities were addressed, with four vulnerabilities impacting both browsers. The vulnerabilities impacting both browsers include three critical memory corruption issues (CVE-2016-0060, CVE-2016-0061 and CVE-2016-0062) along with CVE-2016-0077, a critical spoofing vulnerability.

  • MS16-009 is the IE bulletin for IE versions 9 through 11. Three critical memory corruption issues specific to Internet Explorer are addressed (CVE-2016-0063, CVE-2016-0067 and CVE-2016-0072).
  • MS16-011 is the Edge bulletin. A critical memory corruption issue specific to Edge is addressed (CVE-2016-0084).


Bedep Lurking in Angler’s Shadows

This post is authored by Nick Biasini.

In October 2015, Talos released our detailed investigation of the Angler Exploit Kit, which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler’s payloads were some variation of ransomware, and noted that one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.

Adversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threats together, to try to identify the connections and the groups that operate them. This is one of those instances where a couple of crumbs came together and formed some unexpected connections. By tying together a couple of registrant accounts, email addresses, and domain activity, Talos was able to track down a group that has connections to threats on multiple fronts, including exploit kits, trojans, email worms, and click fraud. These activities all have monetary value, but, unlike a ransomware payload with a specific cost to decrypt, they are difficult to quantify.
