Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week's Threat Source newsletter --- the perfect place to get caught up on all things Talos from the past week.
You've heard it a million times: Always patch. But in case you needed another example that it's important, Cisco Incident Response took a deep dive into a recent wave of Watchbog infections they observed. In this post, IR breaks down why this infection occurred, and what you can learn from it.
Speaking of patching, it's as good of a time as any to update all of your Microsoft products. The company released its latest security update as part of their monthly Patch Tuesday. Check out our breakdown of the most important vulnerabilities here and our Snort coverage here.
Ever considered an "illustrious career in cybercrime?" Well, don't do it. So says Craig on the latest Beers with Talos podcast where the guys talking about "hacking back" and Matt's level of Twitter fame.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we've seen (and blocked) over the past week.
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: "DNS on
Fire"
at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two
campaigns Talos discovered targeted DNS. The first actor developed a
piece of malware, named "DNSpionage," targeting several government
agencies in the Middle East, as well as an airline. During the research
process for DNSpionage, we also discovered an effort to redirect DNSs
from the targets and discovered some registered SSL certificates for
them. The talk will go through the two actors' tactics, techniques and
procedures and the makeup of their targets.
Event: "It's never DNS...It was DNS: How adversaries are abusing
network blind
spots"
at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network
protocols in most corporate networks, many organizations don't give it
the same level of scrutiny as other network protocols present in their
environments. DNS has become increasingly attractive to both red teams
and malicious attackers alike to easily subvert otherwise solid security
architectures. This presentation will provide several technical
breakdowns of real-world attacks that have been seen leveraging DNS for
a variety of purposes such as DNSMessenger, DNSpionage, and more.
============================================================
CYBER SECURITY WEEK IN REVIEW
Some states' Department of Motor Vehicles are selling driver's license data to private companies, including private investigators. Many individuals registering for licenses do not read data agreements that allow states to turn around and sell their personal information.
Some Chromebooks mistakenly alerted users that the devices were reaching their end-of-life. A small number of brand new devices, after a reboot, told the user to upgrade to newer hardware to receive the latest security update. Google has since fixed this bug.
A new report outlines the first recorded cyber attack on the U.S. power grid. North American Electric Reliability Corp. says it lost visibility into a small portion of its grid due to a "cyber event" in March.
The popular Wikipedia site went down across Europe and the Middle East due to a series of denial-of-service attacks. The actor behind the DDoS kept up their efforts for about three days.
The U.S. filed criminal charges against a professor in Texas for allegedly stealing information on behalf of Chinese tech company Huawei. The same person had already been named in a civil suit surrounding these claims.
Apple's reputation as having the most secure mobile operating system has taken a hit over the past few weeks due to multiple vulnerabilities being disclosed. Security researchers say the company may have put too much faith into its own code in iOS and the Safari web browser.
New emails show that the U.S. Drug Enforcement Agency was close to purchasing malware from Israel's controversial NSO group. But the agreement was eventually called off due to the high cost.
UNICEF, a well-known non-profit organization, mistakenly leaked the personal data of more than 8,000 users who had accessed its online portal. The non-profit sent the information in an email to 20,000 users, after which they disabled the portal for a short time.
A now-closed payroll processing firm withdrew millions of dollars from some New Yorkers' bank accounts --- and the CEO is nowhere to be found. MyPayrollHR alerted customers two weeks ago that it would be shutting down, and this week took back a month's worth of pay from employees who worked for those customers.
============================================================
NOTABLE RECENT SECURITY ISSUES
Title: Microsoft patches 19 critical bugs as part of security
update
Description: Microsoft released its monthly security update this
week, disclosing a variety of vulnerabilities in several of its
products. The latest Patch Tuesday covers 85 vulnerabilities, 19 of
which are rated "critical,\" 65 that are considered \"important\" and
one \"moderate.\" There is also a critical advisory relating to the
latest update to Adobe Flash Player. This month's security update covers
security issues in a variety of Microsoft services and software,
including the Jet Database Engine and the Hyper-V hypervisor. Most
notably, this release contains another round of vulnerabilities in
remote desktop services, the latest in a line of RDP bugs that are
considered \"wormable.\" Talos has already outlined how Cisco Firepower
users can stay protected from other series of RDP vulnerabilities known
as \"BlueKeep\" and \"DejaBlue.\"
Snort SIDs: 51436 - 51438, 51445, 51446, 51449 - 51452, 51454 -
51457, 51463 - 51465, 51479 -- 51483
Title: Some NETGEAR routers vulnerable to DoS
attacks
Description: The NETGEAR N300 line of wireless routers contains two
denial-of-service vulnerabilities. The N300 is a small and affordable
wireless router that contains the basic features of a wireless router.
An attacker could exploit these bugs by sending specific SOAP and HTTP
requests to different functions of the router, causing it to crash
entirely.
Snort SIDs: 50040 (Written by Dave McDaniel)
============================================================
MOST PREVALENT MALWARE FILES FROM THIS WEEK
SHA 256:
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
MD5: c24315b0585b852110977dacafe6c8c1
Typical Filename: puls.exe
Claimed Product: N/A
Detection Name: W32.DoublePulsar:WNCryLdrA.22is.1201
SHA 256:
7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256:
46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256:
3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload
Claimed Product: qmreportupload.exe
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:
093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG
============================================================
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.