Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.

Breaking the silence - Recent Truebot activity

TEST-2022YiR Livestream Post-TEST

Did you miss our livestream focused on the Ukraine topics presented in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Kendall McKay, Nick Randolph, and Vanja Svajcer as they discuss Talos' now-years-long critical infrastructure effort in Ukraine.

Thursday, December 8, 2022 11:12

Did you miss our livestream focused on the Ukraine topics presented in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Kendall McKay, Nick Randolph, and Vanja Svajcer as they discuss Talos' now-years-long critical infrastructure effort in Ukraine.  Their breifing gives critical insight into the topic of cyber warfare and creates useful comparisons for those defending against these same actors in different contexts.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  

You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review Livestream

TEST-2022 Talos Year in Review Report-TEST2

Piotr Bania of Cisco Talos discovered this vulnerability.
Cisco Talos recently discovered a memory corruption vulnerability in PowerISO.
TALOS-2022-1644 (CVE-2022-41992) is a memory corruption vulnerability that exists in the VHD File Format parsing functionality of PowerISO 8.3. A specially crafted file can lead to an out-of-bounds write. A victim

Wednesday, December 7, 2022 13:12

_Piotr Bania_ of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered a memory corruption vulnerability in PowerISO.

TALOS-2022-1644 (CVE-2022-41992) is a memory corruption vulnerability that exists in the VHD File Format parsing functionality of PowerISO 8.3. A specially crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability. The vulnerability exists because the "Num of blocks" value from the CXSPARSE record is not validated properly. An attacker can control the loop counter leading to arbitrary memory write.

Cisco Talos worked with PowerISO to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Although PowerISO has fixed this issue, they did not change the version number on the fixed release. Users should confirm that they are running PowerISO, version 8.3 with the most recent bug fixes. Talos tested and confirmed this version of PowerISO could be exploited by this vulnerability.

The following Snort rules will detect exploitation attempts against this vulnerability: 60805-60806. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Memory corruption vulnerability discovered in PowerISO

Piotr Bania of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.
NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This

Tuesday, December 6, 2022 11:12

_Piotr Bania of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Two exploitable memory corruption vulnerabilities exist in the NVIDIA graphics driver: TALOS-2022-1603 (CVE-2022-34671) and TALOS-2022-1604 (CVE-2022-34671). An attacker can use arbitrary code execution to trigger these vulnerabilities. These vulnerabilities could also potentially be triggered from guest machines running virtualization environments (ie. VMware, qemu, VirtualBox, etc.) in order to perform guest-to-host escape.

Cisco Talos worked with NVIDIA to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: NVIDIA D3D10 Driver, Version 516.94 , 31.0.15.1694. Talos tested and confirmed this version of the NVIDIA could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60606-60607 and 60611-60612. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: NVIDIA driver memory corruption vulnerabilities discovered

Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events..

Friday, December 2, 2022 10:12

The cyber security of major events, whether they are related to sports, professional conferences, expos or other events can be a time-consuming, complex undertaking. It necessitates a multifaceted approach and the involvement of multiple entities, including but not limited to the vendors, hospitality teams and service providers to facilitate a uniform approach to cybersecurity across the event ecosystem.

Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events, including the key questions that need to be asked and associated answers.

Protecting major events: an incident response blueprint

Marcin ‘Icewall’ Noga of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several directory traversal and cross-site scripting vulnerabilities in Lansweeper.
Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and

Thursday, December 1, 2022 10:12

_Marcin ‘Icewall’ Noga of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several directory traversal and cross-site scripting vulnerabilities in Lansweeper.

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Talos has identified two directory traversal vulnerabilities that can lead to arbitrary file upload: TALOS-2022-1528 (CVE-2022-32573) and TALOS-2022-1529 (CVE-2022-29517). Two other vulnerabilities exist where directory traversal can lead to arbitrary file read: TALOS-2022-1530 (CVE-2022-29511) and TALOS-2022-1531 (CVE-2022-27498). An attacker can send an HTTP request to trigger these vulnerabilities.

Both TALOS-2022-1532 (CVE-2022-28703) and TALOS-2022-1541 (CVE-2022-32763) are cross-site scripting sanitation bypass vulnerabilities which can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities as well.

Cisco Talos worked with Lansweeper to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Lansweeper 10.1.1.0. Talos tested and confirmed this version of Lansweeper could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 59990-59992, 59999-60000, 60001-60002, 60054-60056, 60142-60144 and 60219. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Lansweeper directory traversal and cross-site scripting vulnerabilities

Talos’ lead of data strategy and insights has a lot of weight on her shoulders currently, but it’s nothing she’s not used to

Tuesday, November 29, 2022 08:11

**Talos’ lead of data strategy and insights has a lot of weight on her shoulders currently, but it’s nothing she’s not used to**

Most people who first meet Ashlee Benge do a double take when they hear about her past experience.

The average security practitioner at a networking event may share that they went to school and got a computer science degree, then started poking at code for a few years before making it into the “big leagues.”

Benge’s path is far different as a former astrophysics student, Olympic power lifter and muscle car enthusiast. Yet somehow, she’s ended up as a crucial cog in Talos’ work to help secure Ukraine during Russia’s invasion.

She even jokes that it was an “accident” that she ended up working at Talos in the first place.

Benge wanted to take a few years between receiving her bachelor’s degree in astrophysics and going back for a doctorate, so she started job searching. She eventually applied for a job as an analyst on the Talos detection team, and a recruiter reached out to her asking if it was a mistake. After all, she had no formal cybersecurity experience, though her degree did give her a strong background in coding, database management and data analysis.

After taking an interview, Benge was eventually hired, beginning her cybersecurity journey. She pivoted over time to the Talos Outreach team, writing blog posts and growing as a public speaker, appearing at security conferences to talk about some of her favorite topics, including diversity in hiring in security and making the security field more accessible to women.

Then, she spent some time working with Cisco’s threat hunting team, and eventually made her way back to Talos as the leader of data strategy and insights, using her Talos team members as resources to grow her cybersecurity knowledge.

Today, she’s still pulling in her education from astrophysics and years of experience in security to pull apart massive data sets that turn that into actionable intelligence and information for Talos researchers.

“If all the data that we have at Talos is water, I try to build pipelines and filters to make sure that data is as clean and usable as possible and flows to teams in the best way possible,” Benge said. “A lot of astronomy and astrophysics is mathematical modeling, writing code, working with large datasets — those sorts of analytical skills and problem-solving — these are skills I still use all the time.”

That’s just what’s in her job description, though. Since March, she’s also been part of Talos and Cisco’s massive effort to support Ukraine during Russia’s invasion. Benge used to work for the Cisco Secure Endpoint product team — a service that is currently being offered to any Ukrainian organizations for free. And she’s also currently going back to college to receive her Masters of Business Administration.

Those skills and experience combined set her up to help contribute to the larger team assisting Ukrainian organizations and companies along with J.J. Cummings’ team.

“It puts me in a unique position to be on the operations side of the house. I am facilitating communications around our findings in Ukraine and building out pipelines to our partners, while streamlining all the processes we use to track our work there — all so J.J.’s team can focus on doing their best work,” she said.

Outside of Ukraine, Benge said she hopes that once she finishes her MBA, it will set her up to work  more closely with sales- and marketing-related teams to better discuss what it is that Talos does, exactly, and the benefits of building out a strong security program.

“People wonder why on earth I would do this,” she said. “But my academic background is so concentrated in pure science and math that I didn’t have any experience with business or finance. Everyone thinks the work Talos does is cool, of course, but I could tell those stakeholders couldn’t really understand how it affected them as, say, a CISO or someone looking to spend money on security products.”

Given all of that, Benge has a full plate at work, so at home she makes sure to distance herself from her phone and laptop for a bit each day, either by going to her weightlifting gym to work toward her next personal record or competition, or just taking her dog for a walk. She said her current role with Talos offers her the flexibility to work different hours and take time for herself so she can come back to work more effective and focused.

Benge hopes that she can start delivering more public talks and presentations (she’s no stranger to Talos’ livestreams) to share her story and unique background to encourage others to dive right into cybersecurity, regardless of what experience they have.

It’s important to build a diverse team based on demographics, but security teams need to also consider their diversity of backgrounds and experience levels.

“I meet folks who have unique points of view, and they’re interested in security but they’re also really nervous because their background isn’t what would be considered ‘typical,’” she said. “Which is a shame because when you bring these people together from different backgrounds, the work product is more creative, more dynamic and more interesting.”

Researcher Spotlight: How working for Talos started out as an ‘accident’ for Ashlee Benge before coming a second career

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered three denial-of-service vulnerabilities in Callback Technologies CBFS Filter.
Callback Technologies has a CBFS file storage solution for use in customizing data persistence on devices. To accompany this, their CBFS Filter manages this file storage solution, allowing users to

Tuesday, November 22, 2022 10:11

_Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three denial-of-service vulnerabilities in Callback Technologies CBFS Filter.

Callback Technologies has a CBFS file storage solution for use in customizing data persistence on devices. To accompany this, their CBFS Filter manages this file storage solution, allowing users to create filter and access rules, modify and encrypt data, etc.

Talos has identified three null pointer dereference vulnerabilities in CBFS Filter:

TALOS-2022-1647 (CVE-2022-43588)

TALOS-2022-1648 (CVE-2022-43589)

TALOS-2022-1649 (CVE-2022-43590)

A specially crafted I/O request packet (IRP) can lead to denial of service. An attacker can issue an ioctl to trigger these vulnerabilities.

Cisco Talos worked with Callback Technologies to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Callback technologies CBFS Filter 20.0.8317. Talos tested and confirmed this version of the CBFS Filter could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60811-60812, 60807-60808, 60809-60810. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Source

TALOS