Welcome to this week’s ThreatSource newsletter — the perfect place to get caught up on all things Talos from the past week.
Many of us are out in Florida for Cisco Live! this week, so the blog is a bit more quiet than usual.
However, we still have coverage for Microsoft Patch Tuesday. There were 49 vulnerabilities covered in this month’s release, including 11 that were rated “critical.”
We specifically highlighted a remote code execution vulnerability in the Microsoft wimgapi library that our researchers discovered.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Event name: Cisco Talos at C-Days in Portugal
Location: C-Days 2018, University of Coimbra, Coimbra, Portugal
Date: June 20 - 21
Speaker: Vitor Ventura
Synopsis: Vitor will be giving two different talks at the annual C-Days conference in Portugal. One will be a light and fast introduction to malware hunting, and the other will focus on how to protect all of your devices as the internet becomes more wide-reaching.
Reference: http://cs.co/CDaysPortugal
Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
Date: Oct. 3, 2018
Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
Reference: http://cs.co/VB2018
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
- The U.S. has imposed new sanctions on five Russian companies and three individuals for assisting the country’s cyber intelligence agencies. Treasury Secretary Steven Mnuchin said the move specifically targets "malicious actors" working to "increase Russia's offensive cyber capabilities".
- More than 70 people in the U.S. and Nigeria have been arrested over the past week for their roles in wide-scale email phishing campaigns targeting major corporations. The FBI specifically targeted these actors for sending fake messages to companies’ finance departments pretending to be a third-party vendor requiring payment.
- At least $175 million worth of the Monero cryptocurrency has been stolen as part of malicious malware campaigns, according to a new study from Palo Alto Networks’ Unit 42.
- A new malware known as “InvisiMole” allows attackers to take control of a machine and silently hear and see through the computer. The campaign is highly targeted, according to ESET, meaning that it has only infected a small number of machines.
- Chinese government hackers attacked a Naval contractor earlier this year, allowing them to access classified U.S. military plans. Six-hundred and fourteen gigabytes of data was taken regarding a secret project known as “Sea Dragon,” as well as submarine radio information and other highly sensitive information.
NOTABLE RECENT SECURITY ISSUES
Title: Microsoft fixes 49 flaws, 11 of them critical
Description: Microsoft has released its monthly set of fixes that cover many of its products. The patches address 49 vulnerabilities, 11 of which are rated as “critical” and 38 that are “important.”
Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/7d4489d6-573f-e811-a96f-000d3a33c573
Snort SID: 45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958
Title: Adobe updates Flash Player to fix vulnerability used in the wild
Description: Adobe has released patches for multiple vulnerabilities in its Flash Player product. One of them, CVE-2018-5002, was being used in the wild. The bugs include one stack-based buffer overflow vulnerability, as well as an integer overflow.
Reference: https://helpx.adobe.com/security/products/flash-player/apsb18-19.html
Snort SID: 46917 - 46920
ClamAV: Swf.Exploit.CVE20185001-6581777-0
Title: Cisco Prime Collaboration Provisioning unauthenticated remote method invocation vulnerability
Description: A flaw in Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to access the Java Remote Method Invocation (RMI)system. The vulnerability is due to an open port in the Network Interface and Configuration Engine (NICE) service.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-prime-rmi
Snort SID: 46893
MOST PREVALENT MALWARE FILES June 7 - 14:
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- VirusTotal: https://www.virustotal.com/#/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: f1a706c48488b082d3bb53c84e5db1b02781482d63960b0af3cd54153acdb5c9
- MD5: 4e52f9a0c8f8c5856c9d73747c6645024e5
- VirusTotal: https://www.virustotal.com/#/file/f1a706c48488b082d3bb53c84e5db1b02781482d63960b0af3cd54153acdb5c9/details
- Typical Filename: beef-xss
- Claimed Product: N/A
- Detection Name: Win.Downloader.Powershell::in07.talos
- SHA 256: ea2c7060bcb9572472800941d54daed18758eb8806c589258b770f8d26f61b52
- MD5: a1a448f869f1711ab81a7101ce6f8dc2a1a
- VirusTotal: https://www.virustotal.com/#/file/ea2c7060bcb9572472800941d54daed18758eb8806c589258b770f8d26f61b52/details
- Typical Filename: mimikatz2.1.1-20180325-0kali1all.deb
- Claimed Product: N/A
- Detection Name: PUA.Win.Tool.Mimikatz::in01
- SHA 256: 5e9979a9676889a6656cbfa9ddc1aab2fa4b301155f5b55377a74257c9f9f583
- MD5: 10b7b8f4facbe16ee2ca6532bb4790b1
- VirusTotal: https://www.virustotal.com/#/file/5e9979a9676889a6656cbfa9ddc1aab2fa4b301155f5b55377a74257c9f9f583/details
- Typical Filename: Specification.docx
- Claimed Product: N/A
- Detection Name: Doc.Exploit.Generic::in03.talos
- SHA 256: c0e6e3beb661ee1ee5fd2544fb347a2d5c4d0abb7b0a3124ad404eb4fee44b56
- MD5: 923b27b289179f658be9edfe7aab50cb923
- VirusTotal: https://www.virustotal.com/#/file/c0e6e3beb661ee1ee5fd2544fb347a2d5c4d0abb7b0a3124ad404eb4fee44b56/details
- Typical Filename: 923b27b289179f658be9edfe7aab50cb.virus
- Claimed Product: N/A
- Detection Name: Andr.Trojan.Generic::other.talos
SPAM STATS FOR June 7 - 14:
TOP SPAM SUBJECTS OBSERVED
- "YOUNG CONSULTING-06/7/2018"
- "Tax Account Transcript"
- "This is Notification From Equity Bank Regarding Your Funds"
- "1099 Due Diligence Avoiding Costly Mistakes"
- "Review Recent Account Activity"
MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 4760 PCCW Limited
- 15169 Google LLC
- 7922 Comcast Cable Communications, LLC
- 16125 UAB Cherry Servers