Cisco Threat Research Blog

This post was authored by Yves Younan.

Today, Microsoft is releasing their final Update Tuesday of 2014. Last year, the end of year update was relatively large. This time, it’s relatively light with a total of seven bulletins, covering 24 CVEs. Three of those bulletins are rated critical and four are considered to be important. Microsoft has made a few changes to the way they report their bulletins. Microsoft has dropped the deployment priority (DP) rating, which was very much environment-specific and might not be all that useful for non-default installations. Instead, they are now providing an exploitability index (XI), which ranges from zero to three. With zero denoting active exploitation and three denoting that it’s unlikely that the vulnerability would be exploited. Another change is to more clearly report on how the vulnerability was disclosed: was Microsoft notified via coordinated vulnerability disclosure or was the vulnerability publicly known before being released? (more…)

This post was written by Marcin Noga with contributions by Earl Carter and Martin Lee.

New vulnerabilities for old operating systems may not seem particularly interesting, until you consider the large number of legacy machines running outdated versions of Windows. Windows XP has reached its end of life, meaning that new vulnerabilities will not be patched. In this post we will show that a recent vulnerability can be used as a platform for exploiting Windows XP.

In October, Microsoft released a bulletin for a privilege escalation vulnerability in the FASTFAT driver that was released as:

MS14-063 — Vulnerability in FAT32 Disk Partition Driver Could Allow Elevation of Privilege (2998579),  CVE-2014-4115.

Let me present some of the most interesting parts of the advisory and add some details from my own research.

When the bug kicks in…

In the advisory, Microsoft indicates that the following OS’s are vulnerable:

• Microsoft Windows Server 2003 SP2
• Vista SP2
• Server 2008 SP2

The Microsoft bulletin does not mention Windows XP, since Windows XP is no longer supported. According to my research, however, this vulnerability is also present in the Windows XP FASTFAT driver.

See the following video.

This vulnerability can be exploited on Windows XP SP3 using a malicious usb stick with a malformed FAT32 partition. Let’s examine the reaction when the USB is inserted into the system.

(more…)

This post was authored by Alex Chiu with contributions from Joel Esler.

Advanced persistent threats are a problem that many companies and organizations of all sizes face.  In the past two days, information regarding a highly targeted campaign known as ‘Regin’ has been publicly disclosed.  The threat actors behind ‘Regin’ appear to be targeting organizations in the Financial, Government, and Telecommunications verticals as well as targeting research institutions in the Education vertical.  Talos is aware of these reports and has responded to the issue in order to ensure our customers are protected. (more…)

This post was authored by Dave McDaniel with contributions from Jaeson Schultz

Recently, we came across a malware sample that has been traversing the Internet disguised as an image of a woman. The malware sample uses several layers of obfuscation to hide its payload, including the use of steganography. Steganography is the practice of concealing a message, image, or file within another message, image, or file. Steganography can be used in situations where encryption might bring unwanted attention. Encrypted traffic from an unusual source is going to draw unwanted attention. Steganography allows malicious payloads to hide in plain sight. It also allows the attacker to bypass security devices. In our sample malware, steganography is used to decrypt and execute a second dropper, which in turn installs a user-land rootkit to further hide its intentions. The rootkit adds another layer of obfuscation by installing a DarkComet backdoor, using RC4 encryption to encrypt its configuration settings and send data to its command and control server.

(more…)

This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. They cover a total of 33 CVEs.

(more…)

This post was authored by Yves Younan and edited by Armin Pelkmann

Table of contents

CVE-2014-3697, VRT-2014-0205
CVE-2014-3696, VRT-2014-0204
CVE-2014-3695, VRT-2014-0203

Cisco Talos is announcing the discovery and patching of another three 3 CVE vulnerabilities in Pidgin (An open-source multi-platform instant messaging client – see wikipedia page). These vulnerabilities were discovered by our team and reported to the Pidgin team. They were found during our initial look at Pidgin which resulted in the first 4 vulnerabilities released in January, but were reported to Pidgin a little later and took longer to get patched. Now that these vulnerabilities were patched in the latest version of Pidgin, 2.10.10, we want to publicly disclose our findings.

The first vulnerability (CVE-2014-3697, VRT-2014-0205) is in the routines Pidgin uses to handle smiley and theme packages in Windows. These packages can be downloaded from websites and installed by dragging and dropping them to Pidgin. The packages are TAR files and Pidgin handles them by un-tarring the files to a specific directory. (more…)

This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba.

Recently, there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN.  This group is sophisticated, well funded, and exclusively targets high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sector. The primary attack vectors are watering-hole, spear phishing, and other web-based attacks.

Frequently, a remote administration tool (RAT) is used to maintain persistence within a victim’s organization. These tools are used to further compromise the organization by attacking other hosts inside the targets network.

ZxShell (aka Sensocode) is a Remote Administration Tool (RAT) used by Group 72 to conduct cyber-espionage operations. Once the RAT is installed on the host it will be used to administer the client, exfiltrate data, or leverage the client as a pivot to attack an organization’s internal infrastructure.  Here is a short list of the types of tools included with ZxShell:

• Keylogger (used to capture passwords and other interesting data)
• Command line shell for remote administration
• Remote desktop
• Various network attack tools used to fingerprint and compromise other hosts on the network
• Local user account creation tools

For a complete list of tools please see the MainConnectionIo section.

The following paper is a technical analysis on the functionality of ZxShell. The analysts involved were able to identify command and control (C2) servers, dropper and installation methods, means of persistence, and identify the attack tools that are core to the RAT’s purpose. In addition, the researchers used their analysis to provide detection coverage for Snort, Fireamp, and ClamAV.

(more…)

This post was written by Jaeson Schultz.

On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.

(more…)

This post was written by Martin Lee

Old protocol versions are a fact of life. When a new improved protocol is released, products still need to support the old version for backwards compatibility. If previous versions contain weaknesses in security, yet their continued support is mandated, then security can become a major issue when a potential weakness is discovered to be a genuine vulnerability and an exploit is released.

The Transport Layer Security (TLS) protocol defines how systems can exchange data securely. The current version 1.2 dates from August 2008, however the protocol’s origins lie in the Secure Sockets Layer (SSL) standard first published in February 1995. As weaknesses in the cryptography and flaws in the protocol design were discovered, new versions of the protocol were released.

In order to maintain interoperability the most recent TLS standard requires that systems support previous versions down to SSL 3.0. The discovery of a cryptographic weakness in SSL 3.0 and the publication of an attack that can exploit this provide attackers with a means to attack TLS implementations by intercepting communications using the old SSL 3.0 protocol.

The vulnerability, assigned the Common Vulnerability and Exposure ID CVE-2014-3566, and referred to as POODLE, allows an attacker to modify the padding bytes that are inserted into SSL packets to ensure that they are of the correct length and replay modified packets to a system in order to identify the bytes within a message,  one by one. This allows an attacker to discover the values of cookies used to authenticate https secured web sessions. Nevertheless, the vulnerability potentially affects any application that secures traffic using TLS, not only https traffic. (more…)