Domain: talosintelligence.com
Stories and comments across the archive that link to talosintelligence.com.
Comments · 12
-
Real Article Link - Cisco Talos Blog
The Wired article is terrible - the author didn't understand the Talos blog.
https://blog.talosintelligence...
The Talos blog post is opaque: they present no evidence that root servers for top level domains, such as .AM, were compromised. They say it was possible, but a registrar != a registry, nor does that mean they masqueraded as the tech contact listed at IANA. IANA would have the history of any changes. Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am. Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs. Perhaps you can explore the history here:
https://tldmon.dns-oarc.net/na...
-
Re:Anti-Virus Hooks... do we still need them?
Seems like MDM is a codeword for what we call "antivirus" on a PC/Mac. The antivirus developers have been given hooks that go all the way to BIOS, while a typical program can't touch system files nor the BIOS. We expect the certified antivirus programs to play by rules, but there's nothing preventing things like Norton's occasional behavior of starting P2P hole checks that end up overflowing the internet pipes.
So, here we are with a bunch of India cases of users trusting malware as their iPhone MDM/antivirus. Really, the operating system should be the only antivirus you need these days. So Apple, pull this app from the app store and replace the damaged phones.
MDM stands for Mobile Device Manager. Its purpose is to allow the management of devices without physical presence for tasks like setting / enforcing security policies, (un / re)installing or updating applications, managing user preferences, network configuration, etc.
The closest thing on a PC / MAC is either Active Directory's Group Policies, or third party software like Puppet.
It has nothing to do with antivirus software.
The MDM app wasn't the issue either. Apple has no reason to blacklist an MDM app. The malware author's certs yes, but the apps themselves no. Don't blame an app for doing what the clueless user told it to do.
Also nothing an MDM app can do will survive a factory reset. Apple has no "damaged" phones to replace, but they really do need to do something about educating their ignorant users.
Also, your astroturfing is annoying even to the ACs, but to address that as well:
This is where the MDM software "sideloads" in... it's gaining increased permissions that belong to MDM limiters, and instead it's malware.
That's a standard kind of security vulnerability, leftover debugging / test code, that you can find in just about anything. Also no legit iOS app "sideloads" on consumer devices. It's either downloaded from the App Store, or it's installed as an enterprise app from a device profile using Apple Configurator, and even the enterprise apps have to be signed using a cert issued by Apple to that enterprise.
No, if you read TFA at all, you would have seen this: At this time, we don't know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register.
So given a probable lack of physical access, we are left with classic social engineering of clueless users as a root cause. No amount of protection provided by Apple could prevent that, unless Apple prohibited the user from using the device at all. But I'd imagine that level of "protection" would not be very profitable for Apple. Nor desirable by said users.
This is a Trojan pretending to be MDM/antivirus... sort of like Norton.
Once again, this has nothing to do with antivirus.
-
The detailed Cisco breakdown
can be found here. It's linked to off of the Ars Technica one but for some reason not in the /. one.
-
Re:Nice.
I was thinking the same thing, so I went digging in the old (you know, that musty two-day old) slashdot thread. It wasn't straightforward to find it in there but there was a good comment with it. https://blog.talosintelligence.com/2018/05/VPNFilter.html. You can CTRL + F to "Known Affected Devices" and it has them listed. The original comment for aficionados.
Thanks for that. Doing the work OP didn't bother to in the article
-
Full technical Talos VPNFilter post
See also the full Cisco Talos post, New VPNFilter malware targets at least 500K networking devices worldwide, which has all of the technical details, including all indicators of compromise (IOCs).
-
Kind of a clever attack
-
I told you already: OFTEN AS YOU LIKE! apk
See subject & my sources my program gets do it @ diff. intervals ALL AROUND THE CLOCK & I go 'above & beyond it' personally - how?
SECURITY SITES I WILL LIST FOR YOU (these are excellent finding all kinds of exploiters & malicious sites/servers galore for ALL types of threats):
http://blog.talosintelligence....
https://www.welivesecurity.com...
https://blog.malwarebytes.com/
https://researchcenter.paloalt...
https://www.bleepingcomputer.c...
https://securityintelligence.c...
https://www.cyren.com/blog
http://garwarner.blogspot.com/
http://www.malwaretech.com/
https://securelist.com/all/?ca...
https://www.fireeye.com/blog/t...
https://www.secureworks.com/re...
https://research.checkpoint.co...
http://blog.trendmicro.com/tre...
https://www.proofpoint.com/us/...
https://blog.comodo.com/catego...
That's 25 sources in total from the security community that UPDATES all the time around the clock - my program makes easy work of consolidating all that data is all! It works (see testimonials I posted in my other replies to you from /. peers). APK
P.S.=>
... & YOU, personally, have FULL CONTROL OF THE DATA (try that w/ addons OR a REMOTE DNS - good luck on the latter & the former? You'd best know regular expressions)... apk
-
Re:Anyone know if the malware is detectable / fixa
There is a more technical breakdown of the malware from the folks at Talos that discovered it. According to them ClamAV has a signature to detect the altered installers. Also it looks like Malwarebytes has the signature too so if that is what you are using get the updated signature files and run a scan.
Otherwise look for outbound traffic attempting to go to 216.126.225.148, that is the hardcoded C2 server the malware uses.
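The comment above suggests watching for outbound traffic to the hard-coded C2 address. As an added example (not code from the comment, from Talos, or from Malwarebytes), the following script parses a constructed key=value firewall export, matches destination addresses against that indicator, and groups the attempts by internal host. The log format, timestamps, internal addresses and host names are all made up for illustration; only the C2 address comes from the comment.

```python
"""Flag internal hosts that tried to reach the CCleaner C2 address named above.

Added example; log format, host names and internal addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Indicator from the comment above: the hard-coded C2 server of the trojanised CCleaner build.
C2_IOCS = {ipaddress.ip_address("216.126.225.148")}

# Constructed sample firewall export (key=value style); not real traffic.
SAMPLE_LOG = """\
2017-09-18T09:12:01Z action=allow src=10.0.4.21 dst=216.126.225.148 dport=443 proto=tcp host=ws-finance-07
2017-09-18T09:12:05Z action=allow src=10.0.4.22 dst=151.101.1.69 dport=443 proto=tcp host=ws-finance-08
2017-09-18T09:13:44Z action=deny src=10.0.9.3 dst=216.126.225.148 dport=443 proto=tcp host=ws-hr-02
2017-09-18T09:14:10Z action=allow src=216.126.225.148 dst=10.0.4.21 dport=50432 proto=tcp host=ws-finance-07
2017-09-18T09:15:00Z action=allow src=10.0.4.21 dst=216.126.225.148 dport=443 proto=tcp host=ws-finance-07
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of key=value fields plus the leading timestamp, or None if unparseable."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def find_c2_contacts(log_text, iocs=C2_IOCS):
    """Group outbound connection attempts to any IOC address by internal source host.

    Only the destination field is matched, so inbound packets from the C2 address
    (line 4 of the sample) are ignored. Denied attempts are still reported: a blocked
    beacon still means the host ran the trojanised installer.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or "dst" not in f:
            continue
        try:
            dst = ipaddress.ip_address(f["dst"])
        except ValueError:
            continue  # skip malformed destination fields rather than crashing the sweep
        if dst in iocs:
            host = f.get("host", f.get("src"))
            hits[host].append((f["ts"], f.get("action"), f.get("dport")))
    return dict(hits)


if __name__ == "__main__":
    for host, attempts in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(f"{host}: {len(attempts)} attempt(s) -> {attempts}")
```

Hosts that appear in the result are candidates for the signature scan the comment recommends, regardless of whether the firewall allowed or denied the connection.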
-
Superficial and inaccurate
This post is sorely lacking tons of information and the few that are in it are wrong.
CCleaner is NOT a malware cleaning app. It's a registry and regular file cleaner software.
Furthermore, let's dig into the case:
- This ONLY affects the 32-bit version of CCleaner and CCleaner Cloud, which accounts for some 3% of Piriform users. If you are using the 64-bit version, you are probably safe. From Piriform's website: "This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.";
- From Piriform's assessment, here's the actual danger: "The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done."
- The investigation is still ongoing, but Piriform is saying that the issue has been solved, that no harm was done, and that it seems not to have originated from official CCleaner/Piriform sources. Which is to say, it could be embedded code that was inserted on 3rd party download websites. There is further explanation on Talos' post how it was a sophisticated attack because whoever did it managed to put up a valid cert on the infected version of CCleaner though, so there should be more information coming out as the investigation proceeds.
If you wanna dig more into the whole thing, here's Piriform's official statement:
https://www.piriform.com/news/...
And here's Talos' security assessment of the case:
http://blog.talosintelligence....
-
Here's how it works
There's a good summary over at github.
Essentially, the malware looks for port 445 (SMB) on local computers and the internet. If you have this port open on the internet, and have older than Win10, and haven't updated with the Mar 2 patch, then you're vulnerable.
Note that WinXP has about 8% market share and cannot be patched. You can get infected from another machine on the local subnet as well.
Here is a good detailed description of how it works and what it does.
Note that the propagation has halted for now, however the virus also installs a rootkit on the user's machine. If the virus writer realizes that the domain has been taken, he could remotely change the hard-coded domain name on every currently-infected machine, thus restarting the propagation process.
-
Disable flash & keep endpoints up to date
The malicious yahoo ad used the angler exploit kit. 75% of the exploits used by angler are flash exploits: http://www.talosintelligence.c...
Just don't install flash by default, and require exceptions for people who need it for their job (hopefully a small number).