What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
2022-11-15 21:09:03 | Vulnerability Spotlight: Microsoft Office class attribute double-free vulnerability (direct link) | Marcin 'Icewall' Noga of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered a class attribute double-free vulnerability in Microsoft Office. Microsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that | Tags: Vulnerability
2022-10-25 08:00:00 | Quarterly Report: Incident Response Trends in Q3 2022 (direct link) | Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter. By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming tool Brute Ratel and the recently discovered Manjusaka and Alchimist attack frameworks. Targeting: Attackers targeted the education sector the most of any vertical this quarter, closely followed by the financial services, government, and energy sectors, respectively. For the first time since Q4 2021, telecommunications was not the top-targeted vertical. While the reason for the education sector being more frequently targeted this quarter is unknown, this is a popular time | Tags: Ransomware, Tool, Vulnerability, Threat, Guideline
2022-10-20 09:30:53 | Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them (direct link) | Matt Wiseman of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors. The devices communicate with the user via a website or app on their mobile device and can connect to smart hubs like Google Home, Amazon Alexa and Apple Homekit. The vulnerabilities Talos discovered could lead to a variety of conditions, including providing attackers with the ability to change users' login passwords, inject code onto the device, manipulate sensitive device configurations, and cause the system to shut down. The devices contain several format string injection vulnerabilities in various functions of its software that could lead to memory corruption, information disclosure and a denial of service. An attacker could send a malicious XML payload to trigger these vulnerabilities: TALOS-2022-1585 (CVE-2022-35884 - CVE-2022-35887), TALOS-2022-1584 (CVE-2022-33938), TALOS-2022-1581 (CVE-2022-35874 - CVE-2022-35877), TALOS-2022-1568 (CVE-2022-33204 - CVE-2022-33207), TALOS-2022-1561 (CVE-2022-29520), TALOS-2022-1558 (CVE-2022-33189). There are four other vulnerabilities - TALOS-2022-1567 (CVE-2022-27804), TALOS-2022-1566 (CVE-2022-29472), TALOS-2022-1563 (CVE-2022-32586) and TALOS-2022-1562 (CVE-2022-30603) - that can also lead to code execution, though it requires the adversary to send a specially crafted HTTP request, rather than XML. TALOS-2022-1559 (CVE-2022-33192 - CVE-2022-33195), TALOS-2022-1558 (CVE-2022-33189), TALOS-2022-1557 (CVE-2022-30541) and | Tags: Vulnerability, Guideline
2022-10-13 08:00:07 | Alchimist: A new attack framework in Chinese for Mac, Linux and Windows (direct link) | By Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton. Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines. Alchimist and Insekt binaries are implemented in GoLang. This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies. Cisco Talos has discovered a new single-file command and control (C2) framework the authors call "Alchimist [sic]." Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools. Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild. "Alchimist" is a 64-bit Linux executable written in GoLang and packed with assets including resources for the web interface and Insekt RAT payloads compiled for Windows and Linux. Insekt RAT, a new trojan Cisco Talos discovered, is Alchimist's beacon implant written in GoLang and has a variety of remote access capabilities that can be instrumented by the Alchimist C2 server. Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution and run arbitrary commands. Among the remaining tools, Cisco Talos found a Mach-O dropper embedded with an exploit to target a known vulnerability CVE-2021-4034, a privilege escalation issue in polkit's pkexec utility, and a Mach-O bind shell backdoor. The Qualys Research Team discovered CVE-2021-4034 in November 2021, and in January 2022, the U.S.'s National Security Agency Cybersecurity Director warned that the vulnerability was being exploited in the wild. The server also contained dual-use tools like psexec and netcat, along with a scanning tool called "fscan," which the author defines as an "intranet scanning tool," essentially all the necessary tools for lateral movement. Alchimist framework: The attack framework we discovered during the course of this research consists of a standalone C2 server called "Alchimist" and its corresponding implants the authors call the "Insekt" RAT family. Alchimist isn't the first self-contained framework we've discovered recently, with Manjusaka being another single file-based C2 framework disclosed by Talos recently. Both follow the same design philosophy, albeit implemented in different ways, to the point where they both seem to have the same list of requirements despite being implemented by different programmers. However, Manjusaka and Alchimist have virtually the same set of feat | Tags: Malware, Tool, Vulnerability, Threat
2022-10-12 15:33:07 | Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service (direct link) | Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10: TALOS-2022-1578 (CVE-2022-34850), TALOS-2022-1577 (CVE-2022-33150), TALOS-2022-1576 (CVE-2022-32765), TALOS-2022-1573 (CVE-2022-33325 - CVE-2022-33329), TALOS-2022-1572 (CVE-2022-33312 - CVE-2022-33314). TALOS-2022-1580 (CVE-2022-34845) and TALOS-2022-1570 (CVE-2022-32585) can also lead to arbitrary code execution, though this vulnerability exists when a user logs in as an administrator. An attacker could also send a specially crafted network request to trigger TALOS-2022-1575 (CVE-2022-35261 - CVE-2022-35271), a denial-of-service vulnerability in the device's web server hashFirst functionality that could allow an adversary to crash the web server. Another vulnerability, TALOS-2022-1571 (CVE-2022-28127), also exists in the web server on the device, but instead could be exploited to remove arbitrary files, even though a path traversal check is in place. Cisco Talos worked with Robustel to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco's vulnerability disclosure policy | Tags: Vulnerability, Guideline
2022-10-11 14:11:23 | Microsoft Patch Tuesday for October 2022 - Snort rules and prominent vulnerabilities (direct link) | By Jon Munshaw and Vanja Svajcer. Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across the company's hardware and software line, including seven critical issues in Windows' point-to-point tunneling protocol. October's security update features 11 critical vulnerabilities, with the remainder being "important." One of the most notable vulnerabilities Microsoft fixed this month is CVE-2022-41038, a remote code execution issue in Microsoft SharePoint. There are several other SharePoint vulnerabilities included in this month's Patch Tuesday, though this seems the most severe, as Microsoft considers it "more likely" to be exploited. An attacker must be authenticated to the target site with the correct permissions to use manage lists in SharePoint to exploit this vulnerability, and eventually gain the ability to execute remote code on the SharePoint server. CVE-2022-37968, an elevation of privilege vulnerability in Azure Arc Connect, has the highest severity score out of all the vulnerabilities Microsoft fixed this month - a maximum 10 out of 10. Successful exploitation of this vulnerability, which affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters, could allow an unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster. CVE-2022-37976 and CVE-2022-37979 are also critical elevation of privilege vulnerabilities in Windows Active Directory and Hyper-V, respectively. The Windows' point-to-point tunneling protocol, which is a network protocol used to create VPN tunnels between public networks, contains eight vulnerabilities that Microsoft disclosed Tuesday, seven of which are rated "critical" severity: CVE-2022-22035, CVE-2022-24504, CVE-2022-30198, CVE-2022-33634, CVE-2022-38000, CVE-2022-38047, CVE-2022-41081. CVE-2022-38000 is the most serious among the group wit | Tags: Vulnerability, Uber
2022-10-10 10:23:17 | Vulnerability Spotlight: Data deserialization in VMware vCenter could lead to remote code execution (direct link) | Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered an exploitable data deserialization vulnerability in the VMware vCenter server platform. VMware is one of the most popular virtual machine solutions currently available, and its vCenter software allows users to manage an entire environment of VMs. The vulnerability Talos discovered is a post-authentication Java deserialization issue that could corrupt the software in a way that could allow an attacker to exploit arbitrary code on the target machine. TALOS-2022-1587 (CVE-2022-31680) is triggered if an adversary sends a specially crafted HTTP request to a targeted machine. The attacker would first have to log in with legitimate credentials to vCenter to be successful. Cisco Talos worked with VMware to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco's vulnerability disclosure policy. Users are encouraged to update these affected products as soon as possible: VMware vCenter Server, version 6.5, update 3t. Talos tested and confirmed this version of vCenter could be exploited by this vulnerability. The following Snort rules will detect exploitation attempts against this vulnerability: 60433. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. | Tags: Vulnerability
2022-10-07 10:11:53 | Vulnerability Spotlight: Issue in Hancom Office 2020 could lead to code execution (direct link) | Marcin "Icewall" Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered an exploitable memory corruption vulnerability in Hancom Office 2020. Hancom Office is a popular software collection among South Korean users that offers similar products to Microsoft Office, such as word processing and spreadsheet creation and management. TALOS-2022-1574 (CVE-2022-33896) exists in the way the Hword word processing software processes XML files. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, triggering a memory corruption error on the software and potentially leading to remote code execution on the targeted machine. Cisco Talos worked with Hancom to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco's vulnerability disclosure policy. Users are encouraged to update these affected products as soon as possible: Hancom Office 2020, version 11.0.0.5357. Talos tested and confirmed this version of Hancom Office could be exploited by this vulnerability. The following Snort rules will detect exploitation attempts against this vulnerability: 60254 and 60255. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. | Tags: Vulnerability, Guideline
2022-10-04 08:51:05 | Developer account body snatchers pose risks to the software supply chain (direct link) | By Jaeson Schultz. Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others. Talos analyzed several of the major software repositories to assess the level of developer account security, focusing specifically on whether developer accounts could be recovered by re-registering expired domain names and triggering password resets. Many software repositories have already begun taking steps to enhance the security of developer accounts. Talos has identified additional areas where the security of developer accounts could be improved. Talos worked with vulnerable repositories to resolve issues that we found. Software supply chain attacks, once the exclusive province of sophisticated state-sponsored attackers, have been gaining popularity recently among a broader range of cyber criminals. Attackers everywhere have realized that software supply chain attacks can be very effective, and can result in a large number of compromised victims. Software supply chain attacks more than tripled in 2021 when compared with 2020. Why are software supply chain attacks so effective? Organizations that possess solid cyber defenses may be difficult to attack directly. However, these same organizations are likely vulnerable to a software supply chain attack because they still regularly run/build software obtained from vendors who are trusted. Rather than attacking an entire software repository itself, or identifying an unpatched vulnerability in a software package, compromising the software supply chain can be as simple as attacking the accounts of the package developers and maintainers. Most software repositories track the identities of their software developers using those developers' email addresses. If a cybercriminal somehow gains access to a developer's email account, the attacker can theoretically generate password reset emails at these software repositories a | Tags: Malware, Vulnerability
2022-10-03 12:40:56 | Researcher Spotlight: Globetrotting with Yuri Kramarz (direct link) | From the World Cup in Qatar to robotics manufacturing in east Asia, this incident responder combines experience from multiple arenas. By Jon Munshaw. Yuri "Jerzy" Kramarz helped secure everything from the businesses supporting the upcoming World Cup in Qatar to the Black Hat security conference and critical national infrastructure. He's no stranger to cybersecurity on the big stage, but he still enjoys working with companies and organizations of all sizes in all parts of the world. "What really excites me is making companies more secure," he said in a recent interview. "That comes down to a couple things, but it's really about putting a few solutions together at first and then hearing the customer's feedback and building from there." Yuri is a senior incident response consultant with Cisco Talos Incident Response (CTIR) currently based in Qatar. He walks customers through various exercises, incident response plan creation, recovery in the event of a cyber attack and much more under the suite of offerings CTIR has. Since moving from the UK to Qatar, he is mainly focused on preparing various local entities in Qatar for the World Cup slated to begin in November. Qatar estimates more than 1.7 million people will visit the country for the international soccer tournament, averaging 500,000 per day at various stadiums and event venues. For reference, the World Bank estimates that 2.9 million people currently live in Qatar. This means the businesses and networks in the country will face more traffic than ever and will no doubt draw the attention of bad actors looking to make a statement or make money off ransomware attacks. "You have completely different angles in preparing different customers for defense during major global events depending on their role, technology and function," Kramarz said. In every major event, there were different devices, systems and networks interconnected to provide visitors and fans with various hospitality facilities that could be targeted in a cyber attack. Any country participating in the event needs to make sure they understand the risks associated with it and consider various adversary activities that might play out to secure these facilities. Kramarz has worked in several different geographic areas in his roughly 12-year security career, including Asia, the Middle East, Europe and the U.S. He has experience leading red team engagements (simulating attacks against targets to find potential security weaknesses) in traditional IT and ICS/OT environments, vulnerability research and blue team defense. The incident response field has been the perfect place for him to put all these skills to use. He joined Portcullis Securit | Tags: Ransomware, Hack, Vulnerability, Guideline
2022-09-28 08:18:45 | New campaign uses government, union-themed lures to deliver Cobalt Strike beacons (direct link) | By Chetan Raghuprasad and Vanja Svajcer. Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks. Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand. The attack involves a multistage and modular infection chain with fileless, malicious scripts. Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints. The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit that attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office. If a victim opens the maldoc, it downloads a malicious Word document template hosted on an attacker-controlled Bitbucket repository. Talos discovered two attack methodologies employed by the attacker in this campaign: one in which the downloaded DOTM template executes an embedded malicious Visual Basic script, which leads to the generation and execution of other obfuscated VB and PowerShell scripts, and another that involves the malicious VB downloading and running a Windows executable that executes malicious PowerShell commands to download and implant the payload. The payload discovered is a leaked version of a Cobalt Strike beacon. The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic. Although the payload discovered in this campaign is a Cobalt Strike beacon, Talos also observed usage of the Redline information-stealer and Amadey botnet executables as payloads. This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory. Defenders should implement behavioral protection capabilities in the organization's defense to effectively protect them against fileless threats. Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain. Initial vector: The initial infection email is themed to entice the recipient to review the attached Word document and provide some of their personal information. (Figure: Initial malicious email message.) The maldocs have lures containing text related to the collection of personally identifiable information (PII) which is used to determ | Tags: Malware, Vulnerability, Threat, Guideline
2022-09-22 10:01:26 | Vulnerability Spotlight: Vulnerabilities in popular library affect Unix-based devices (direct link) | Lilith >_> of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered a memory corruption vulnerability in the uClibC library that could affect any Unix-based devices that use this library. uClibC and uClibC-ng are lightweight replacements for the popular gLibc library, which is the GNU Project's implementation of the C standard library. TALOS-2022-1517 (CVE-2022-29503 - CVE-2022-29504) is a memory corruption vulnerability in uClibC and uClibc-ng that can occur if a malicious user repeatedly creates threads. Many embedded devices utilize this library, but Talos specifically confirmed that the Anker Eufy Homebase 2, version 2.1.8.8h, is affected by this vulnerability. Anker confirmed that they've patched for this issue. However, uClibC has not issued an official fix, though we are disclosing this vulnerability in accordance with Cisco's 90-day vulnerability disclosure policy. Talos tested and confirmed the following software is affected by these vulnerabilities: uClibC, version 0.9.33.2 and uClibC-ng, version 1.0.40. | Tags: Vulnerability | Notes: ★★
2022-09-13 14:24:22 | Microsoft Patch Tuesday for September 2022 - Snort rules and prominent vulnerabilities (direct link) | By Jon Munshaw and Asheer Malhotra. Microsoft released its monthly security update Tuesday, disclosing 64 vulnerabilities across the company's hardware and software line, a sharp decline from the record number of issues Microsoft disclosed last month. September's security update features five critical vulnerabilities, 10 fewer than were included in last month's Patch Tuesday. There are two moderate-severity vulnerabilities in this release and a low-severity issue that's already been patched as a part of a recent Google Chromium update. The remainder is considered "important." The most serious vulnerability exists in several versions of Windows Server and Windows 10 that could allow an attacker to gain the ability to execute remote code (RCE) by sending a singular, specially crafted IPv6 packet to a Windows node where IPSec is enabled. CVE-2022-34718 only affects instances that have IPSec enabled. This vulnerability has a severity score of 9.8 out of 10 and is considered "more likely" to be exploited by Microsoft. Microsoft disclosed one vulnerability that's being actively exploited in the wild - CVE-2022-37969. Microsoft's advisory states this vulnerability is already circulating in the wild and could allow an attacker to gain SYSTEM-level privileges by exploiting the Windows Common Log File System Driver. The adversary must first have access to the targeted system and then run specific code, though no user interaction is required. CVE-2022-34721 and CVE-2022-34722 also have severity scores of 9.8, though they are "less likely" to be exploited, according to Microsoft. These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet. Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700, exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner. Talos would also like to highlight five important vulnerabilities that Microsoft considers to be "more likely" to be exploited: CVE-2022-37957 - Windows Kernel Elevation of Privilege Vulnerability | Tags:
2022-09-08 08:39:42 | Lazarus and the tale of three RATs (direct link) | By Jung soo An, Asheer Malhotra and Vitor Ventura. Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long term access and subsequently exfiltrating data of interest to the adversary's nation-state. Talos has discovered the use of two known families of malware in these intrusions - VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we're calling "MagicRAT" in this campaign. Introduction: Cisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between February and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of vulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment of the group's custom malware implants, VSingle and YamaBot. In addition to these known malware families, we have also discovered the use of a previously unknown malware implant we're calling "MagicRAT." This campaign was previously partially disclosed by other security firms, but our findings reveal more details about the adversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting infrastructure between our findings and the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) June advisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers. In this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a foothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We also provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the infected endpoints. In this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean govern | Tags: Malware, Tool, Vulnerability, Threat, Medical, APT 38
2022-08-16 11:54:34 | Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass (direct link) | Claudio Bozzato of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. AVideo is an open-source web application that allows users to build a video streaming and sharing platform. Anyone who joins the community can host videos on-demand, launch a live stream or encode different video formats. TALOS-2022-1542 (CVE-2022-32777 - CVE-2022-32778), TALOS-2022-1549 (CVE-2022-32761) and TALOS-2022-1550 (CVE-2022-28710) are information disclosure vulnerabilities that are triggered if an adversary sends the targeted instance a specially crafted HTTP packet. TALOS-2022-1550 and TALOS-2022-1549 could allow the adversary to read arbitrarily selected files, while TALOS-2022-1542 could allow them to steal the session cookie. Some of the most serious vulnerabilities discovered in this product are code injection issues. TALOS-2022-1546 (CVE-2022-30534), TALOS-2022-1551 (CVE-2022-33147 - CVE-2022-33149) and TALOS-2022-1548 (CVE-2022-32572) are triggered in a similar way, but instead could lead to arbitrary command execution. That could allow an attacker to gain access to an administrator's account: TALOS-2022-1537 (CVE-2022-26842), TALOS-2022-1538 (CVE-2022-32770 - CVE-2022-32772), TALOS-2022-1539 (CVE-2022-30690), TALOS-2022-1540 (CVE-2022-28712). The app also contains three privilege escalation vulnerabilities: TALOS-2022-1534 (CVE-2022-29468), TALOS-2022-1535 (CVE-2022-30605) and TALOS-2022-1545 (CVE-2022-32282). An attacker could exploit TALOS-2022-1545 to log in with only a hashed version of a user's password. TALOS-2022-1534 and TALOS-2022-1535 could be triggered if the attacker sends | Tags: Vulnerability, Guideline
2022-08-16 10:03:51 | Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution (direct link) | Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. These issues arise in the libhdf5 gif2h5 tool that's normally used to convert a GIF file to the HDF5 format, commonly used to store large amounts of numerical data. An attacker could exploit these vulnerabilities by tricking a user into opening a specially crafted, malicious file. TALOS-2022-1485 (CVE-2022-25972) and TALOS-2022-1486 (CVE-2022-25942) are out-of-bounds write vulnerabilities in the gif2h5 tool that trigger a specific crash, opening the door for code execution from the adversary. TALOS-2022-1487 (CVE-2022-26061) works similarly but is a heap-based buffer overflow vulnerability. Cisco Talos is disclosing these vulnerabilities despite no official fix from HDF5 in adherence to the 90-day deadline outlined in Cisco's vulnerability disclosure policy. Users are encouraged to update these affected products as soon as possible: HDF5 Group libhdf5, version 1.10.4. Talos tested and confirmed these versions of the library could be exploited by these vulnerabilities. The following Snort rules will detect exploitation attempts against this vulnerability: 59296, 59297, 59300, 59301, 59303 and 59304. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. | Tags: Tool, Vulnerability
2022-08-09 16:44:37 Microsoft Patch Tuesday for August 2022 - Snort rules and prominent vulnerabilities (lien direct) By Jon Munshaw and Vanja Svajcer. Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its line of products and software, the most in a single Patch Tuesday in four months. This batch of updates also includes a fix for a new vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) that's actively being exploited in the wild, according to Microsoft. MSDT was already the target of the so-called “Follina” zero-day vulnerability in June. In all, August's Patch Tuesday includes 15 critical vulnerabilities, one low-severity issue and one moderate-severity issue. The remainder are classified as “important.” Two of the important vulnerabilities, CVE-2022-35743 and CVE-2022-34713, are remote code execution vulnerabilities in MSDT. However, only CVE-2022-34713 has been exploited in the wild, and Microsoft considers it “more likely” to be exploited. Microsoft Exchange Server contains two critical elevation of privilege vulnerabilities, CVE-2022-21980 and CVE-2022-24477. An attacker could exploit these vulnerabilities by tricking a target into visiting a malicious, attacker-hosted server or website. In addition to applying the patch released today, potentially affected users should enable Extended Protection on vulnerable versions of the server. The Windows Point-to-Point Tunneling Protocol (PPTP) also contains three critical vulnerabilities. Two of them, CVE-2022-35744 and CVE-2022-30133, could allow an attacker to execute remote code on a RAS server machine. The other, CVE-2022-35747, could lead to a denial-of-service condition. CVE-2022-35744 has a CVSS severity score of 9.8 out of 10, one of the highest-rated vulnerabilities this month. An attacker could exploit these vulnerabilities by communicating with the server over TCP port 1723, the PPTP control port.
Affected users can render these issues unexploitable by blocking that port, though it runs the risk of disrupting other legitimate communications. Another critical code execution vulnerability, CVE-2022-35804, affects the SMB Client and Server and the way the protocol handles specific requests. An attacker could exploit this on the SMB Client by config Tool Vulnerability Guideline ★★★★
2022-08-03 14:46:38 (Déjà vu) Vulnerability Spotlight: Vulnerabilities in Alyac antivirus program could stop virus scanning, cause code execution (lien direct) Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Update (Aug. 3, 2022): Talos disclosed two new vulnerabilities in the Alyac antivirus software and added their details to this post. Cisco Talos recently discovered out-of-bounds read and buffer overflow vulnerabilities in ESTsecurity Corp.'s Alyac antivirus software that could cause a denial-of-service condition or arbitrary code execution. Alyac is antivirus software developed for Microsoft Windows machines. TALOS-2022-1452 (CVE-2022-21147) is a vulnerability in a specific Alyac module that eventually leads to a crash of Alyac's scanning process, which effectively neutralizes the antivirus scan. An attacker could trigger this vulnerability to stop the program from scanning for malware, a useful first step in a larger attack. TALOS-2022-1527 (CVE-2022-32543) and TALOS-2022-1533 (CVE-2022-29886) are heap-based buffer overflow vulnerabilities that an attacker could exploit to execute arbitrary code on the targeted machine. The adversary would have to convince a user to open a specially crafted OLE file to trigger this condition. Cisco Talos worked with ESTsecurity to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco's vulnerability disclosure policy. Users are encouraged to update as soon as possible. Affected products: ESTsoft Alyac, versions 2.5.7.7 and 2.5.8.544. Talos tested and confirmed that version 2.5.7.7 is affected by TALOS-2022-1452 and that version 2.5.8.544 is vulnerable to TALOS-2022-1533 and TALOS-2022-1527. The following Snort rules will detect exploitation attempts against these vulnerabilities: 59014, 59015, and 60035 - 60042.
Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Vulnerability Guideline
2022-08-01 12:18:19 Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities (lien direct) By Carl Hurd. The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. What makes the LinkHub system unique is the lack of a network interface to manage the devices individually or in the mesh. Instead, a phone application is the only method to interact with these devices. This is noteworthy because, in theory, it significantly reduces the common attack surface found on most small office/home office (SOHO) routers, as it removes the entire HTTP/S code base from the product. This means, in theory, fewer issues with integration or hacked-together scripts to trigger various functions within the device. One problem with this approach is that the management functionality still needs to reside somewhere for the user to manage the device. In practice, this setup leaves the LinkHub Mesh Wi-Fi system open to several vulnerabilities, which we are disclosing today. An attacker could exploit these vulnerabilities to carry out a variety of malicious actions, including injecting code at the operating system level, stealing credentials and causing a denial of service of the entire network. Cisco Talos is disclosing these vulnerabilities despite no official fix from TCL, all in adherence to Cisco's vulnerability disclosure policy. Moving all the management functionality to the phone application makes it the most interesting path to research for this device. The first step is to understand the protocol used for communication. There are a few likely choices: TCL could have used HTTP with hidden endpoints, or some hand-rolled protocol. Either way, capturing and identifying the traffic is the first priority.
A quick look at the capture shows it is not HTTP or another text-based protocol, so the next step is determining whether this is a custom protocol or something more widely used. Vulnerability
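As an added example for the triage step described above (not the article's own tooling, and not based on a real LinkHub capture, which the excerpt does not show): a first pass over a non-text payload is to ask whether it parses cleanly as a common serialization format. Protocol Buffers is one widely used candidate and is an assumption here; the walker below accepts the wire types current protobuf uses, rejects truncated fields and reserved field numbers, and the sample message is constructed inline.

```python
from __future__ import annotations


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint starting at buf[pos]; return (value, next_pos).

    Raises ValueError when the varint runs off the end of the buffer or is
    longer than the 10 bytes a 64-bit value can occupy."""
    value, shift = 0, 0
    for _ in range(10):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("varint longer than 10 bytes")


def walk_protobuf(buf: bytes) -> list[tuple[int, int, object]]:
    """Walk buf as a sequence of protobuf (field, wire_type, value) records.

    Only the wire types current protobuf emits are accepted; the deprecated
    group types 3/4 and undefined types 6/7 raise ValueError, as does any
    field that claims more bytes than remain."""
    records = []
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if field_no == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                     # fixed64
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = int.from_bytes(buf[pos:pos + 8], "little")
            pos += 8
        elif wire_type == 2:                     # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = bytes(buf[pos:pos + length])
            pos += length
        elif wire_type == 5:                     # fixed32
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = int.from_bytes(buf[pos:pos + 4], "little")
            pos += 4
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        records.append((field_no, wire_type, value))
    return records


def classify_payload(buf: bytes) -> str:
    """Return 'text', 'protobuf-like' or 'unknown' for one captured payload.

    A clean walk with small field numbers is only a weak signal: short random
    blobs can parse by accident, so confirm the verdict across many captures
    and check that the same field numbers recur with the same wire types."""
    if buf and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in buf):
        return "text"
    try:
        records = walk_protobuf(buf)
    except ValueError:
        return "unknown"
    if records and all(1 <= field_no <= 100 for field_no, _, _ in records):
        return "protobuf-like"
    return "unknown"


# Constructed samples, not real LinkHub captures: field 1 = varint 150,
# field 2 = bytes "hi", field 3 = fixed32 0x3F800000 (the float 1.0).
SAMPLE_BINARY = bytes.fromhex("089601" "12026869" "1d0000803f")
SAMPLE_TEXT = b"GET /status HTTP/1.1\r\n\r\n"
SAMPLE_JUNK = bytes.fromhex("ffffffff")
```

Once a capture walks cleanly, the field numbers and wire types become the skeleton of the schema: a length-delimited field that itself walks cleanly is usually a nested message, and a field that is always wire type 2 but never parses as a message is a string or raw bytes.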
2022-08-01 08:00:00 Researcher Spotlight: You should have been listening to Lurene Grenier years ago (lien direct) The exploit researcher recently rejoined Talos after starting her career with the company's predecessor. By Jonathan Munshaw. Lurene Grenier says state-sponsored threat actors keep her up at night, even after years of studying and following them. She's spent her security career warning people why this was going to be a problem. Today, if someone is compromised by a well-funded, state-sponsored actor, she is concerned but doesn't necessarily feel sorry. After all, she's been warning the security community about this for years. “You think about the phrase 'fool me once, shame on you...' Five years ago if we had this discussion and you were hit with an attack, you'd think 'shame on China,'” she said. “Today, if we have that discussion about why you were hit, it's shame on us.” Grenier has spent her career looking at state-sponsored actor trends and writing detection content to block those actors. She was one of the first members of the then-small research staff at the Sourcefire Vulnerability Research Team (VRT), which eventually merged with a few other teams to form Talos. Matt Watchinski, who is now the vice president of Talos, initially hired Grenier as a vulnerability exploit researcher, doing alone the job that more than a dozen people do today for Talos. Grenier looked at vulnerability details for regular patch cycles like Microsoft Patch Tuesday and wrote her own exploit code for the vulnerabilities, which eventually fed into detection content that would block attackers' attempts to target these issues in the wild. She grew with VRT, eventually overseeing the Analyst Team, which today is the main producer of detection content for Cisco Secure products and Snort.
She eventually took a few other paths on her security journey outside of Cisco and Talos, but recently rejoined Talos as a special advisor to Watchinski, studying state-sponsored actors and major attacker trends using Talos' data and telemetry.  “My main directive is to come up with plans for this mountain of data that we have,” Grenier said. “I look at the data that we do have and see what outcomes for customers we can achieve with it. Can we create something like a semi-autonomous mediation plan when there is a breach? Can we track actors in a more granular manner so we can match them with what we've seen in the past?” Even during her time away from Talos, Grenier never lost connection, speaking at two Talos Threat Research Summits that were a part of Cisco Live. In 2018, she even gave a presentation on how organizations were not taking threats from state-sponsored actors seriously enough and warned about the theft of intellectual property. Some of the same techniques and actors she warned about in that talk resurfaced earlier this year in a warning from federal agencies in the U.S. and the U.K., stating that Chinese state-sponsored actors were stealing important IP and creating fraudulent “tech transfer” agreements. While Grenier still tracks these same actors daily, she views their activity as more of an inevitability that's going to produce the worst-case scenario rather than anything that can be avoided at this point. “It's like earthquakes or famine, it's really just horrible,” she said. At this point, Grenier is focusing her work on how to make attacks as costly as possible for the adversary, rather than trying to avoid them altogether. If her research can help even slow down an actor for a bit or cost them more resources when they go to attack again, that's a small victory to build off. “People have to see the cost of these breaches,” she said. 
“And they're not going to see the inflection point for a while now, but it will eventually become very obvious.” Although she spent several years away from Talos, coming back to the organization (a few hundred mor Vulnerability Threat Guideline
2022-07-27 12:22:17 Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products (lien direct) By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code:  Vulnerability Guideline Medical APT 38 APT 19
2022-07-21 08:00:05 Attackers target Ukraine using GoMet backdoor (lien direct) Executive summary: Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine - this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely the work of Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the threat actor's intent was to gain access in order to stage a supply chain-style attack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named "GoMet." The malware was first observed on March 28, 2022. GoMet backdoor: The story of this backdoor is rather curious - there are two documented cases of its usage by sophisticated threat actors. First, in 2020, attackers were deploying this malware after the successful exploitation of CVE-2020-5902, a vulnerability in F5 BIG-IP so severe that USCYBERCOM posted a tweet urging all users to patch the application. The second is more recent and involved the successful exploitation of CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall. Both cases are very similar: each starts with the exploitation of a public vulnerability on an appliance, after which the malicious actors dropped GoMet as a backdoor. As of publishing time, Cisco Talos has no reason to believe these cases are related to the usage of this backdoor in Ukraine. The original GoMet author posted the code on GitHub on March 31, 2019 and made commits until April 2, 2019. The commits didn't add any features but did fix some code convention aesthetics.
The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) and architectures (amd64, arm, etc.). GoMet supports job scheduling (via cron or the task scheduler, depending on the OS), single command execution, file download, file upload and opening a shell. An additional notable feature of GoMet is its ability to daisy chain connections from one implanted host to another: the attackers gain access to a network or machine and then use that foothold to reach further networks and computers. Such a feature could allow communication out to the internet from otherwise completely "isolated" hosts. The malicious actors changed this version: in the original code, the cron job is configured to run once every hour, on the hour, while in our samples it is configured to run every two seconds. This change makes the sample slightly noisier, since it executes every two seconds, but it also avoids an hour-long sleep if the connection fails, which would Malware Vulnerability Threat
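The schedule change above is a detection opportunity: a job that reconnects every two seconds produces a far more regular, tighter-spaced series of connection attempts than one that fires hourly. The script below is an added example, not Talos' detection content and not GoMet's code; the log format, hosts and addresses are constructed for the demo. It groups connections by (source, destination), takes the median gap as the period and the spread of the gaps relative to the period as jitter, and flags short, regular series. With the default threshold the original hourly schedule is left alone, which is the point the paragraph makes about noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_lines(src: str, dst: str, start: datetime, gaps_s: list) -> list:
    """Build constructed connection-log lines; gaps_s are the seconds between
    consecutive connections from src to dst (assumed format, not a real sensor)."""
    lines, t = [], start
    for gap in [0] + gaps_s:
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} src={src} dst={dst} proto=tcp")
    return lines


START = datetime(2022, 3, 28, 9, 0, 0)
SAMPLE_LOG = (
    # Modified schedule: a connection attempt every two seconds (12 events).
    make_lines("10.0.0.5", "203.0.113.7:443", START, [2] * 11)
    # Original schedule: six attempts an hour apart.
    + make_lines("10.0.0.9", "198.51.100.3:443", START, [3600] * 5)
    # Ordinary user traffic: irregular gaps to the same destination as the implant.
    + make_lines("10.0.0.12", "203.0.113.7:443", START, [1, 40, 3, 300, 7])
)


def parse_line(line: str):
    ts_s, src_s, dst_s, _ = line.split()
    return datetime.strptime(ts_s, TS_FMT), src_s[4:], dst_s[4:]


def beacon_candidates(lines, max_period_s=60.0, max_jitter=0.25, min_events=5):
    """Flag (src, dst) pairs whose connection intervals are short and regular.

    period = median gap between consecutive connections; jitter = population
    standard deviation of the gaps divided by the period. Real implants often
    add randomised sleep, so tune max_jitter on known-good traffic first."""
    series = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        series[(src, dst)].append(ts)
    findings = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if period <= max_period_s and jitter <= max_jitter:
            findings[key] = {"events": len(stamps), "period_s": period, "jitter": round(jitter, 3)}
    return findings
```

Raising `max_period_s` to a couple of hours would flag the hourly series too, at the cost of many more false positives from legitimate periodic jobs; the two-second variant is the easy catch precisely because the actors traded stealth for responsiveness.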
2022-07-19 08:45:52 (Déjà vu) Vulnerability Spotlight: Issue in Accusoft ImageGear could lead to memory corruption, code execution (lien direct) Emmanuel Tacheau of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered a use-after-free vulnerability in Accusoft ImageGear's PSD header processing function. The ImageGear library is a document-imaging developer toolkit that allows users to create, edit, annotate and convert various images. It supports more than 100 file formats such as DICOM, PDF and Microsoft Office. This vulnerability, TALOS-2022-1526 (CVE-2022-29465), could allow an attacker to cause a use-after-free condition by tricking the targeted user into opening a malformed .psd file in the application. The vulnerability leads to out-of-bounds heap writes, which cause memory corruption and, possibly, code execution. In adherence to Cisco's vulnerability disclosure policy, Accusoft patched this issue and released an update for ImageGear. Talos tested and confirmed Accusoft ImageGear, version 19.10, is affected by this vulnerability. The following Snort rules will detect exploitation attempts against this vulnerability: 60228 and 60229. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org. Vulnerability Guideline
2022-07-14 06:24:52 Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGPU (lien direct) Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome's WebGPU standard.   Google Chrome is a cross-platform web browser - and Chromium is the open-source version of... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-06-03 16:08:10 Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation (lien direct) Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-06-01 06:40:40 Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution (lien direct) A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft... [[ This is only the beginning! Please visit the blog for the complete entry ]] Tool Vulnerability
2022-05-10 09:24:11 Threat Advisory: Critical F5 BIG-IP Vulnerability (lien direct) Summary A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, disable services and could lead to additional malicious activity. This vulnerability, tracked as... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability Guideline ★★★★
2022-05-10 07:20:09 Vulnerability Spotlight: Vulnerability in Alyac antivirus program could stop virus scanning, cause denial of service (lien direct) Jaewon Min of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered an out-of-bounds read vulnerability in the ESTsecurity Corp.'s Alyac antivirus software that could cause a denial-of-service condition.   If successful, an attacker could... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability ★★★★
2022-03-23 13:16:44 Vulnerability Spotlight: Heap overflow in Sound Exchange libsox library (lien direct)   Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the sphere.c start_read() functionality of Sound Exchange libsox. The libsox library is a library of... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-03-07 08:45:21 Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device (lien direct) Cisco Talos' vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE's patch, we decided to take an even closer look at two of these vulnerabilities - CVE-2021-21748 and... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-02-16 11:15:13 Vulnerability Spotlight: Vulnerability in Hancom Office could lead to memory corruption, code execution (lien direct) Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered a vulnerability in Hancom Office - a popular software suite in South Korea - that could allow an attacker to corrupt memory on the targeted machine or execute remote... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-02-07 06:55:37 (Déjà vu) Vulnerability Spotlight: Use-after-free in Google Chrome could lead to code execution (lien direct) Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.   Google Chrome is a cross-platform web browser - and Chromium is the open-source version of the browser... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-01-31 06:43:31 Vulnerability Spotlight: Memory corruption and use-after-free vulnerabilities in Foxit PDF Reader (lien direct) Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered a memory corruption and use-after-free vulnerability in the Foxit PDF Reader.   Foxit PDF Reader is one of the most popular PDF document readers currently... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-01-25 09:31:20 Vulnerability Spotlight: Vulnerability in Apple iOS, iPadOS and macOS could lead to disclosure of sensitive memory data (lien direct) Jaewon Min of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered an out-of-bounds read vulnerability in Apple's macOS and iOS operating systems that could lead to the disclosure of sensitive memory content. An attacker could capitalize on that... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability Guideline
2022-01-11 07:07:00 (Déjà vu) Vulnerability Spotlight: Heap buffer overflow condition in Google Chrome could lead to code execution (lien direct) Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Google Chrome.   Google Chrome is a cross-platform web browser - and Chromium is the open-source version of... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2022-01-10 06:45:06 Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin (lien direct) Carl Hurd of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin.  Chitubox is 3-D printing software for users to download and process models and send them... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-12-10 11:49:54 Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild (lien direct) Cisco Talos is aware of CVE-2021-44228, an actively exploited vulnerability in Apache Log4j. We are releasing coverage to defend against the exploitation of this vulnerability, which you can find below.The vulnerability affects a widely used Java logging library that many large organizations may... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-12-01 05:23:18 (Déjà vu) Vulnerability Spotlight: Use-after-free condition in Google Chrome could lead to code execution (lien direct) Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome.   Google Chrome is a cross-platform web browser - and Chromium is the open-source version of the browser... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-11-23 10:54:23 Attackers exploiting zero-day vulnerability in Windows Installer - Here's what you need to know and Talos' coverage (lien direct) Cisco Talos is releasing new SNORTⓇ rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer. This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator. This... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-11-22 09:16:47 Vulnerability Spotlight: PHP deserialization vulnerability in CloudLinux Imunify360 could lead to arbitrary code execution (lien direct) Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered a vulnerability in the Ai-Bolit functionality of CloudLinux Inc. Imunify360 that could lead to arbitrary code execution. Imunify360 is a security platform for web-hosting servers that allows users... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability Guideline
2021-10-19 17:01:51 Malicious campaign uses a barrage of commodity RATs to target Afghanistan and India (lien direct) Cisco Talos recently discovered a threat actor using political and government-themed malicious domains to target entities in India and Afghanistan.These attacks use dcRAT and QuasarRAT for Windows delivered via malicious documents exploiting CVE-2017-11882 - a memory corruption vulnerability in... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability Threat
2021-10-12 12:48:55 Vulnerability Spotlight: Use-after-free vulnerability in Microsoft Excel could lead to code execution (lien direct) Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered a use-after-free vulnerability in the ConditionalFormatting functionality of Microsoft Office Excel 2019 that could allow an attacker to execute arbitrary code on the... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-10-07 12:36:06 (Déjà vu) Threat Advisory: Apache HTTP Server zero-day vulnerability opens door for attackers (lien direct) A recently discovered vulnerability in Apache HTTP Server (CVE-2021-41773) is being actively exploited in the wild. This vulnerability is a path traversal and file disclosure vulnerability that could allow an attacker to map URLs to files outside of the document root. It could also result in exposure of... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
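A quick way to find attempts of this kind in existing access logs, as an added example and not Talos' coverage or Snort content: decode the request path (repeatedly, to catch double encoding such as %252e), then walk its segments and flag any request that steps above the document root. The log lines below are constructed for the demo. posixpath.normpath is deliberately not used, because it silently drops a leading '..' and would hide exactly the traversal being looked for.

```python
import re
from urllib.parse import unquote

# Combined log format; the request field is "METHOD TARGET PROTOCOL".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decoded(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e, %252e and friends all become '.'."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(target: str) -> bool:
    """True if the decoded path climbs above the document root at any point.

    Walks the segments with a depth counter instead of normalising: a '..'
    that appears while depth is already zero is an escape even if later
    segments descend again."""
    depth = 0
    for segment in fully_decoded(target).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_access_log(lines):
    """Return (client_ip, status, raw_target) for every request that escapes the root.

    A 200 on a flagged request is the real alarm; a 403 shows the attempt was blocked."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        if escapes_docroot(m.group("target")):
            hits.append((m.group("ip"), m.group("status"), m.group("target")))
    return hits


# Constructed sample lines, not real server logs.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [05/Oct/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 612',
    '203.0.113.5 - - [05/Oct/2021:12:00:02 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [05/Oct/2021:12:00:03 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1243',
    '198.51.100.7 - - [05/Oct/2021:12:00:04 +0000] "GET /icons/.%252e/.%252e/etc/hosts HTTP/1.1" 403 199',
]
```

Apache logs the request line as received, so the encoded form is what appears in the file; decoding before walking is what makes the `.%2e/` and double-encoded variants show up as plain `..` segments.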
2021-09-23 08:00:11 Vulnerability Spotlight: Information disclosure vulnerability in D-LINK DIR-3040 mesh router (lien direct) Dave McDaniel of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw. Cisco Talos recently discovered an exploitable information disclosure vulnerability in the D-LINK DIR-3040 smart WiFi mesh router that could allow an adversary to eventually turn off the device or remove other... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-09-13 07:12:02 Vulnerability Spotlight: Code execution vulnerability in Nitro Pro PDF (lien direct) A Cisco Talos team member discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered a vulnerability in the Nitro Pro PDF reader that could allow an attacker to execute code in the context of the application.  Nitro Pro PDF is part of Nitro Software's... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-09-09 12:57:25 Talos releases protection against zero-day vulnerability in Microsoft MSHTML (lien direct) Cisco Talos released new SNORT® rules Thursday to protect against the exploitation of a zero-day vulnerability in Microsoft MSHTML that the company warns is being actively exploited in the wild. Users are encouraged to deploy SIDs 58120 – 58129, Snort 3 SID 300049 and ClamAV... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-09-09 11:00:00 Threat Source newsletter (Sept. 9, 2021) (lien direct) Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers.   The biggest security news this week is no doubt another Microsoft zero-day. On the heels of PrintNightmare and multiple Exchange Server vulnerabilities comes a code execution vulnerability in MSHTML, the rendering engine... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-09-07 08:56:17 (Déjà vu) Vulnerability Spotlight: Heap buffer overflow vulnerability in Ribbonsoft dxflib library (lien direct) Lilith >_> of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in Ribbonsoft's dxflib library that could lead to code execution.  The dxflib library is a C++ library utilized by... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability Guideline
2021-08-17 10:02:50 Vulnerability Spotlight: Memory corruption vulnerability in Daemon Tools Pro (lien direct) Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.  Cisco Talos recently discovered a memory corruption vulnerability in Disc Soft Ltd.'s Daemon Tools Pro.  Daemon Tools Pro is a professional emulation software that works with disc images and virtual... [[ This is only the beginning! Please visit the blog for the complete entry ]] Vulnerability
2021-08-12 15:35:12 Vice Society Leverages PrintNightmare In Ransomware Attacks (lien direct) By Edmund Brumaghin, Joe Marshall, and Arnaud Zobec. Executive Summary Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent... [[ This is only the beginning! Please visit the blog for the complete entry ]] Ransomware Vulnerability Threat
Last update at: 2024-05-20 01:08:03