Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: OpenSSL Releases Security Advisory for Several Vulnerabilities
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: BRKSEC-2010 Emerging Threats @ Cisco Live! Melbourne Date: March 9, 2016 2:30 PM - 4:00 PM Pacific Time Speaker: Jaeson Schultz, Technical Leader Description: Cisco’s Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: https://www.ciscolive.com/anz2016/connect/sessionDetail.ww?SESSION_ID=4638
Event: Evolution of the Angler Exploit Kit @ BSides Austin Date: 2016-03-31 & 2016-04-01 Speaker: Earl Carter, Threat Researcher Description: Exploit kits are a well-known threat on the Internet that effectively targets users through malvertising and compromised websites. This threat indiscriminately targets both home and work users. Cisco Talos is constantly analyzing the functionality utilized by various exploit kits using massive data feeds that give us a unique insight into the constantly evolving threat landscape. Since the Angler Exploit kit is the most prolific exploit kit in operation today, we have done extensive analysis on how it operates and the various features it has incorporated to avoid detection. During this talk, we will perform a detailed analysis on the features incorporated into Angler that we have researched over the last year as well as our collaboration with Limestone Networks to research and expose the entire back-end network used to serve Angler (a campaign that was conservatively earning over $30 Million a year infecting users with ransomware). Reference: http://bsidesaustin.com/
Event: Emerging Threats @ AtlSecCon 2016 Date: 2016-04-07 & 2016-04-08 Speaker: Earl Carter, Threat Researcher Description: Cisco Talos has a unique view into the ever evolving and changing threat landscape. We constantly research and identify how threat actors are evolving their skills and tactics by analyzing massive data feeds and working with teams of security experts. During this talk we will provide detailed analysis of the current threat landscape by examining the major threats that we have researched over the past 6-9 months. Some of the threats we plan to cover include SSHPsychos, the evolution of the Cryptowall ransomware, the Angler Exploit Kit, Rombertik, and phishing campaigns. Reference: https://atlseccon.com/
Event: Emerging Threats - The State of Cyber Security @ Cisco Connect Toronto Date: 2016-05-18 & 2016-05-19 Speaker: Earl Carter, Threat Researcher Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary to help secure a network in light of this ever changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies. Reference: http://ciscoconnecttoronto.ca/
============================================================
NOTABLE RECENT SECURITY ISSUES
Title: OpenSSL Releases Security Advisory for Several Vulnerabilities
Description: The OpenSSL Software Foundation has released a security advisory to address several security flaws within the library. The most severe vulnerabilities addressed are related to the newly disclosed DROWN vulnerability (CVE-2016-0800) as well as a “Divide-and-conquer session key recovery” attack (CVE-2016-0703). Several other Low to Moderate severity flaws were also addressed in the security advisory. Patches for these vulnerabilities have been developed and released. Users and administrators are strongly encouraged to update their systems as soon as possible.
Reference:
- https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html
- https://drownattack.com/
Snort SID: Detection pending
Title: Drupal Releases Critical Security Advisory for Multiple Vulnerabilities Description: Drupal has released a critical security advisory for several vulnerabilities in the Drupal Core. The most severe flaws patched could could allow a user to bypass access controls related to form submission or to conduct HTTP header injection attacks through the use of line breaks on servers with older versions of PHP. Several other vulnerabilities that were rated Less Critical to Moderately Critical were also addressed in the security advisory. Drupal has released updated software that addresses these vulnerabilities. Reference: https://www.drupal.org/SA-CORE-2016-001 Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Talos Blog: Angler Attempts to Slip The Hook http://blog.talosintel.com/2016/03/angler-slips-hook.html?f_l=ts
Talos Blog: Tax Scams Gone International http://blog.talosintel.com/2016/02/tax-scams.html?f_l=ts
Google Project Zero: The Definitive Guide on Win32 to NT Path Conversion https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html
Nissan Leaf hackable through insecure APIs http://www.zdnet.com/article/nissan-leaf-hackable-through-insecure-apis/?f_l=s
OpenSSL CVE-2016-0799: heap corruption via BIO_printf https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/
Judge Says Apple Doesn’t Have to Unlock iPhone in Case Similar to San Bernardino http://www.wired.com/2016/02/judge-says-apple-doesnt-have-to-unlock-iphone-in-case-similar-san-bernardino/
Getting Domain Admin with Kerberos Unconstrained Delegation http://www.labofapenetrationtester.com/2016/02/getting-domain-admin-with-kerberos-unconstrained-delegation.html
============================================================
MOST PREVALENT MALWARE FILES 2016-02-23 - 2016-03-01: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 1E12BDA263975D22103CD09B46EE238641CA890570FC7850254328AAE40C994D MD5: c69c9e7b12acee2ffa97057ddb123ecf VirusTotal: https://www.virustotal.com/file/1E12BDA263975D22103CD09B46EE238641CA890570FC7850254328AAE40C994D/analysis/#additional-info Typical Filename: smdmfu.exe Claimed Product: SmdmF Module Detection Name: Adware:KipodToolsC-tpd
SHA 256: 3E05352FBA39AED7B20B03D74DCE6C277A73218C7FFCC0334ED4805395CB0FDE MD5: 55fe2c1ea9246468d70a82f22438f410 VirusTotal: https://www.virustotal.com/file/3E05352FBA39AED7B20B03D74DCE6C277A73218C7FFCC0334ED4805395CB0FDE/analysis/#additional-info Typical Filename: Application Claimed Product: N/A Detection Name: OSX.MAC:GenieoK.17nk.1201
SHA 256: 3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC MD5: 37ee9a5257102d876cfae15bccfbbf78 VirusTotal: https://www.virustotal.com/file/3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC/analysis/#additional-info Typical Filename: WebSockServerApp Claimed Product: N/A Detection Name: W32.Auto.3b1768.182243.in01
SHA 256: 56CCB8B34246A278CB2A6BA4396C88D58C587BB37894D048AB9943DB8F8B8532 MD5: c56c5a9510d0c36bbfe871abd4be5403 VirusTotal: https://www.virustotal.com/file/56CCB8B34246A278CB2A6BA4396C88D58C587BB37894D048AB9943DB8F8B8532/analysis/#additional-info Typical Filename: xlgamebox_0.0.0.0.exe Claimed Product: “??????????” Detection Name: W32.56CCB8B342.Ramnit.tht.Talos
SHA 256: 870C2938FC255EF479C519D4E8340BC39AB534C5EA406CD591D99F4E16441FB5 MD5: 7d2b812bb164fa5ed6e58486e22e9ae3 VirusTotal: https://www.virustotal.com/file/870C2938FC255EF479C519D4E8340BC39AB534C5EA406CD591D99F4E16441FB5/analysis/#additional-info Typical Filename: SetupDependencies.exe Claimed Product: N/A Detection Name: Auto.870C2938FC.RSU-1202.tht.Talos
============================================================
SPAM STATS FOR 2016-02-23 - 2016-03-01:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM