Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Microsoft Releases Monthly Set of Security Advisories for March 2016
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos and the Evolving Threat Landscape Date: 2016-03-23 @ 13:30 Speaker: Holger Unterbrink, Technical Leader Description: Talos is Cisco's Threat Research group. Today's IT organizations need security solutions relying on leading threat intelligence to effectively safeguard their extended networks. Creating leading threat intelligence is the focus of the Cisco Talos Security Intelligence and Research Group. In this session, you will learn what is Talos and what it means to youm, learn about the scale and severity of the current threat landscape, and discover how attackers change in attack behavior. Reference: http://www.infosecurity.be/default.aspx
Event: Evolution of the Angler Exploit Kit @ BSides Austin Date: 2016-03-31 & 2016-04-01 Speaker: Earl Carter, Threat Researcher Description: Exploit kits are a well-known threat on the Internet that effectively targets users through malvertising and compromised websites. This threat indiscriminately targets both home and work users. Cisco Talos is constantly analyzing the functionality utilized by various exploit kits using massive data feeds that give us a unique insight into the constantly evolving threat landscape. Since the Angler Exploit kit is the most prolific exploit kit in operation today, we have done extensive analysis on how it operates and the various features it has incorporated to avoid detection. During this talk, we will perform a detailed analysis on the features incorporated into Angler that we have researched over the last year as well as our collaboration with Limestone Networks to research and expose the entire back-end network used to serve Angler (a campaign that was conservatively earning over $30 Million a year infecting users with ransomware). Reference: http://bsidesaustin.com/
Event: Emerging Threats @ AtlSecCon 2016 Date: 2016-04-07 & 2016-04-08 Speaker: Earl Carter, Threat Researcher Description: Cisco Talos has a unique view into the ever evolving and changing threat landscape. We constantly research and identify how threat actors are evolving their skills and tactics by analyzing massive data feeds and working with teams of security experts. During this talk we will provide detailed analysis of the current threat landscape by examining the major threats that we have researched over the past 6-9 months. Some of the threats we plan to cover include SSHPsychos, the evolution of the Cryptowall ransomware, the Angler Exploit Kit, Rombertik, and phishing campaigns. Reference: https://atlseccon.com/
Event: Talos: Threat Intelligence and the Emerging Threat Landscape Date: 2016-04-13 @ 10:30am Speaker: William Largent, Threat Researcher Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: http://cisco.cvent.com/events/2016-cisco-geekfest/event-summary-77abe9b97e3f414da87b3bfd8c1300ee.aspx
Event: Emerging Threats - The State of Cyber Security @ Cisco Connect Toronto Date: 2016-05-18 & 2016-05-19 Speaker: Earl Carter, Threat Researcher Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary to help secure a network in light of this ever changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies. Reference: http://ciscoconnecttoronto.ca/
============================================================
NOTABLE RECENT SECURITY ISSUES
Title: Microsoft Releases Monthly Set of Security Advisories for March 2016 Description: Microsoft has released their monthly set of security bulletins addressing security vulnerabilities within various products. This month’s release contains 13 bulletins addressing 44 vulnerabilities. Five bulletins are rated critical and address vulnerabilities in Edge, Graphic Fonts, Internet Explorer, Windows Media Player, and Window PDF. The remaining eight bulletins are rated important and address vulnerabilities in .NET, Office, and several other Windows components. Reference: http://blog.talosintel.com/2016/03/ms-tuesday.html Snort SID: 38061-38086, 38088-38101, 38106-38115, 38117-38120, 38122-38123
Title: New OS X Ransomware "KeRanger" Found in the Wild Description: Researchers at Palo Alto Networks have discovered a new ransomware variant targeting Mac OS X. This ransomware variant, dubbed "KeRanger", was found in the Transmission BitTorrent client installer for OS X and was signed by a valid Mac app development certificate. In response to this threat, Apple has revoked the app development certificate and updated its XProtect rules to protect users. Snort rules and ClamAV signatures are also available and can detect this threat. Reference: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/ Snort SID: 38116 ClamAV: Osx.Trojan.KeRanger
Title: Cisco Releases Security Advisory for Insecure Default Credentials for Nexus 3000 Series and 3500 Platform Switches Description: Cisco has released a security advisory for CVE-2016-1329, an insecure default credentials vulnerability in Cisco NX-OS Software running on Nexus 3000 Series Switches and Nexus 3500 Platform Switches. An unauthenticated attacker who exploits this vulnerability could log in to an affected device with root privileges and with bash shell access. CVE-2016-1329 manifests as a result of a "user account that has a default and static password" being created at installation that cannot be removed without impacting the functionality of the system. Cisco has published workarounds that mitigate the impact of this vulnerability as well as updated software that addresses the flaw. Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-n3k
Title: Google Releases Security Bulletin for Android and Nexus Devices Description: Google has released a security bulletin for Android and Nexus devices which address multiple vulnerabilities. Six critical vulnerabilities have been patched with two of the flaws being remote code execution vulnerabilities in Mediasever and in libvpx. Both of these vulnerabilities manifest as a result of improperly processing media files and could be exploited via MMS or browser playback of media. Eight high severity vulnerabilities and two moderate severity vulnerabilities were also addressed in Google's latest over-the-air update for Nexus devices. Google has notified partners about these vulnerabilities and will be releasing the source code for these patches to the Android Open Source Project. Reference: https://source.android.com/security/bulletin/2016-03-01.html Snort SID: Detection pending release of vulnerability information
Title: Adobe Releases Security Bulletin for Acrobat, Reader, and Digital Editions Description: Adobe has released two security advisories addressing vulnerabilities in Adobe Acrobat, Reader, and Digital Editions. APSB16-09 targets Adobe Acrobat and Reader and fixes three vulnerabilities, two of which could release to arbitrary code execution while the other could lead information disclosure. The other bulletin, APSB16-06, addresses CVE-2016-0964 which is a memory corruption flaw that could lead to arbitrary code execution. Adobe has released updated software that addresses the vulnerabilities in these affected products. Reference: - https://helpx.adobe.com/security/products/acrobat/apsb16-09.html - https://helpx.adobe.com/security/products/Digital-Editions/apsb16-06.html Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Locky Ransomware on Rampage With JavaScript Downloader https://blogs.mcafee.com/mcafee-labs/locky-ransomware-rampage-javascript-downloader/
Verizon Wireless to pay $1.35M fine to settle 'supercookie' privacy case http://www.zdnet.com/article/verizon-wireless-to-pay-million-dollar-fine-supercookie-case/
OpenSSL Operating With Renewed Vision Two Years After Heartbleed https://threatpost.com/openssl-operating-with-renewed-vision-two-years-after-heartbleed/116567/
[Responsible disclosure] How I could have hacked all Facebook accounts http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html
Inspeckage - Android Package Inspector http://blog.tempest.com.br/antonio-martins/inspeckage-android-package-inspector.html
=========================================================
MOST PREVALENT MALWARE FILES 2016-03-01 - 2016-08-08: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F0200428A8E7B6B51FF92C6D71D85B99AD8B80F0382C3A9C9C2F4DC73F3E5240 MD5: 188ff507561f9882729b117cb411af8e VirusTotal: https://www.virustotal.com/file/F0200428A8E7B6B51FF92C6D71D85B99AD8B80F0382C3A9C9C2F4DC73F3E5240/analysis/#additional-info Typical Filename: ApplicationManager Claimed Product: ApplicationManager Detection Name: OSX.Variant:SpigotD.19cg.1201
SHA 256: 83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD MD5: c913d292a9a907799526695c9ad3bfac VirusTotal: https://www.virustotal.com/file/83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD/analysis/#additional-info Typical Filename: helperamc Claimed Product: N/A Detection Name: W32.Auto.83cec4.191642.in01
SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B MD5: 0612402ad98c8c31cd6f2b914a419039 VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info Typical Filename: winpivpas.exe Claimed Product: N/A Detection Name: W32.Malware:Pramro.19di.1201
SHA 256: 3041609F9A5A8DDF6336C044D95DED232F14D07C2A50ACEC692EB785F04C32E4 MD5: ea397c683289f02e4f5fe09327e03962 VirusTotal: https://www.virustotal.com/file/3041609F9A5A8DDF6336C044D95DED232F14D07C2A50ACEC692EB785F04C32E4/analysis/#additional-info Typical Filename: wingliej.exe Claimed Product: N/A Detection Name: Trojan:Sality-tpd
SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A MD5: cc9e1075db0645f1032f8c4b4412deba VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info Typical Filename: windkuh.exe Claimed Product: N/A Detection Name: W32.Crypt:SalityGR.18i0.1201
============================================================
SPAM STATS FOR 2016-03-01 - 2016-03-08:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM