Channel: Cisco Talos Blog

CRAT wants to plunder your endpoints

By Asheer Malhotra. Cisco Talos has observed a new version of a remote access trojan (RAT) family known as CRAT. Apart from the prebuilt RAT capabilities, the malware can download and deploy additional malicious plugins on the infected endpoint. One of the plugins is a ransomware known as "Hansom." CRAT has been attributed to the Lazarus APT Group in the past. The RAT uses multiple obfuscation techniques to hide strings, API names, command and control (C2) URLs and instrumental functions,...

[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Source newsletter (Nov. 12, 2020)

Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers.  We’re back after a few-week hiatus! And to celebrate, we just dropped some new research on the CRAT trojan that’s bringing some ransomware friends along with it. This blog post has all the details of this threat along with what you can do to stay protected.  We also had Microsoft Patch Tuesday this week. The company disclosed about 120 vulnerabilities this month that all users should patch now. Our blog post has a...

Vulnerability Spotlight: Multiple vulnerabilities in Pixar OpenUSD affect some versions of macOS

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Aleksandar Nikolic and Jon Munshaw. Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions.  OpenUSD stands for “Open Universal Scene Descriptor.” Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is...

Threat Roundup for November 6 to November 13

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 6 and Nov. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is...

Nibiru ransomware variant decryptor

Nikhil Hegde developed this tool. Weak encryption: The Nibiru ransomware is a .NET-based malware family. It traverses directories on the local disks, encrypts files with Rijndael-256 and gives them a .Nibiru extension. Rijndael-256 is a secure encryption algorithm. However, Nibiru uses a hard-coded string "Nibiru" to compute the 32-byte key and 16-byte IV values. The decryptor program leverages this weakness to decrypt files encrypted by this variant. Ransomware: Nibiru ransomware is a poorly...

Back from vacation: Analyzing Emotet’s activity in 2020

By Nick Biasini, Edmund Brumaghin, and Jaeson Schultz. Emotet is one of the most heavily distributed malware families today. Cisco Talos observes large quantities of Emotet emails being sent to individuals and organizations around the world on an almost daily basis. These emails are typically sent automatically by previously infected systems attempting to infect new systems with Emotet to continue growing the size of the botnets associated with this threat. Emotet is often the initial...

Threat Source newsletter (Nov. 19, 2020)

Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers. In case you hadn’t already realized, Snort somehow became a meme this week, so that was fun. As 2020 (finally...or already...I can’t decide which) comes to an end, we’re going to start doing a look back at the year that was in malware. And although Emotet has been around long before this year, 2020 was particularly peculiar for the botnet because it went virtually dormant over the summer before coming back over the...

Threat Roundup for November 13 to November 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 13 and Nov. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is...

Vulnerability Spotlight: Multiple vulnerabilities in WebKit

Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Executive summary: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. Malicious web page code could trigger multiple use-after-free errors, which could lead to remote and arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page in a browser that uses WebKit. In...

Xanthe - Docker aware miner

By Vanja Svajcer with contributions from Adam Pridgen. News summary: Ransomware attacks and big-game hunting are making the headlines, but adversaries use plenty of other methods to monetize their efforts in less intrusive ways. Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats. These threats demonstrate several techniques of the MITRE ATT&CK framework,...

Beers with Talos Ep. #96: The boogeyman and QR codes

Beers with Talos (BWT) Podcast episode No. 96 is now available. Download this episode and subscribe to Beers with Talos on Apple Podcasts, Google Podcasts, Spotify or Stitcher. If iTunes and Google Play aren't your thing, click here. By Mitch Neff. We got delayed with Thanksgiving and PTO, but here is a long-awaited episode. We're ready to get an episode out a week ahead of the holidays, so fret not. In this episode, we talk about QR codes becoming pervasive as easily deployed...

Vulnerability Spotlight: DoS, code execution vulnerabilities in EIP Stack Group OpENer

Martin Zeiser and Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Executive summary: Cisco Talos recently discovered two vulnerabilities in the Ethernet/IP function of EIP Stack Group OpENer. OpENer is an Ethernet/IP stack for I/O adapter devices. It supports multiple I/O and explicit connections and includes objects and services for making Ethernet/IP-compliant products as defined in the ODVA specifications. The software contains two vulnerabilities that could...

Threat Source newsletter (Dec. 3, 2020)

Newsletter compiled by Jon Munshaw. Good afternoon, Talos readers.  While ransomware has made all the headlines this year, that doesn’t mean cryptocurrency miners are going anywhere. We recently discovered a new actor we’re calling “Xanthe” that’s mining Monero on targets’ machines. The main payload, in this case, is a variant of the XMRig Monero-mining program that is protected with a shared object developed to hide the presence of the miner's process from various tools for process...

Threat Roundup for November 27 to December 4

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 27 and Dec. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is...

Microsoft Patch Tuesday (Dec. 2020) — Snort rules and notable vulnerabilities

By Jon Munshaw, with contributions from Bill Largent.  Microsoft released its monthly security update Tuesday, disclosing 58 vulnerabilities across its suite of products, the lowest number of vulnerabilities in any Patch Tuesday since January.  There are only 10 critical vulnerabilities as part of this release, while there are two moderate-severity exploits, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as...

Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel

Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered a code execution vulnerability in some versions of Microsoft Excel. An attacker could exploit this vulnerability by tricking the victim into opening a specially crafted XLS file, triggering a use-after-free condition and allowing them to execute remote code on the victim machine. Microsoft disclosed and patched this bug as part of its monthly security update Tuesday. For...

Vulnerability Spotlight: Remote code execution vulnerabilities in Schneider Electric EcoStruxure

Alexander Perez-Palma and Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered two code execution vulnerabilities in Schneider Electric EcoStruxure. An attacker could exploit these vulnerabilities by sending the victim a specially crafted network request or project archive. EcoStruxure Control Expert (formerly UnityPro) is Schneider Electric's flagship software for program development, maintenance, and monitoring of industrial...

Quarterly Report: Incident Response trends from Fall 2020

By David Liebenberg and Caitlin Huey. For the sixth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. However, for the first quarter since we began compiling these reports, no engagements that were closed out involved the ransomware Ryuk (though some engagements involving Ryuk were opened this quarter and have yet to close). The top ransomware families observed were Maze and Sodinokibi, though barely more than any...

Vulnerability Spotlight: Multiple vulnerabilities in Foxit PDF Reader JavaScript engine

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Executive summary: Cisco Talos recently discovered multiple vulnerabilities in Foxit PDF Reader’s JavaScript engine. Foxit PDF Reader is a commonly used PDF reader with many features, including JavaScript support, which allows it to handle interactive documents and dynamic forms. An adversary could take advantage of this JavaScript functionality, sending the victim a specially crafted file to...

FireEye Breach Detection Guidance

Cybersecurity firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. This is evident even in the naming convention used in the coverage designated by FireEye. The use of Cobalt Strike beacons is popular among red teams and...
