Author Archives: Talos Group

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

The DoNot team is known for targeting Kashmiri non-profit organizations and Pakistani government officials. The region of Kashmir is under ongoing disputes from India, China and Pakistan about its ownership. This fuels potential conflict at times. This actor, DoNot, recently started using a new malware loader we’re calling “Firestarter.” Our research revealed that DoNot has been experimenting with new techniques to keep a foothold on their victim machines. These experiments, substantiated in the Firestarter loader, are a sign of how determined they are to keep their operations despite being exposed, which makes them a particularly dangerous actor operating in the espionage area. The same experiments also showed the capability of keeping their operations stealthy as now they have the capability to decide which infections receive the final payload based on geographical and personal identification criteria. This reduces the likelihood that researchers will access it.

The post DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread appeared first on Cisco Blogs.

Threat Roundup for October 16 to October 23

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 16 and October 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201023-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 16 to October 23 appeared first on Cisco Blogs.

Dynamic Data Resolver – Version 1.0.1 beta

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented.

We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two flavors: a release version and a debugging version. The latter will improve code quality and bug hunting. It helps to detect memory leaks and minor issues which are silently handled by the underlying DynamoRIO framework in the release version. We also improved the installer and the IDA plugin is now installed to the user plugin directory instead to the IDA installation directory under Program Files. The IDA plugin and all its dependencies are also now automatically installed by a script.

Fantastic news! DDR has won the HexRays IDA plugin contest 2020

READ MORE>>

The post Dynamic Data Resolver – Version 1.0.1 beta appeared first on Cisco Blogs.

Threat Roundup for October 9 to October 16

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 9 and October 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201016-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 9 to October 16 appeared first on Cisco Blogs.

Lemon Duck brings cryptocurrency miners back into the spotlight

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as “Lemon Duck,” has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool.

Read More >>

The post Lemon Duck brings cryptocurrency miners back into the spotlight appeared first on Cisco Blogs.

Threat Roundup for October 2 to October 9

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 25 and October 2. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201009-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 2 to October 9 appeared first on Cisco Blogs.

90 days, 16 bugs, and an Azure Sphere Challenge

Talos Vuln Spotlight

Cisco Talos reports 16 vulnerabilities in Microsoft Azure Sphere’s sponsored research challenge.

By Claudio Bozzato and Lilith [-_-]; and Dave McDaniel.

 

On May 15, 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. Among the teams and individuals selected, Cisco Talos conducted a three-month sprint of research into the platform and reported 16 vulnerabilities of various severity, including a privilege escalation bug chain to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context.

 

The Azure Sphere platform is a cloud-connected and custom SoC platform designed specifically for IoT application security. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption). Externally, the Azure Sphere platform is supported by Microsoft’s Azure Cloud, which handles secure updates, app deployment, and periodic verification of device integrity to determine if Azure Cloud access should be allowed or not. Note however, that while the Azure Sphere is updated and deploys through the Azure Cloud, customers can still interact with their own servers independently.

The post 90 days, 16 bugs, and an Azure Sphere Challenge appeared first on Cisco Blogs.