Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Apple Releases Security Updates for iOS, OS X, watchOS, and Other Platforms
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Evolution of the Angler Exploit Kit @ BSides Austin
Date: 2016-03-31 & 2016-04-01
Speaker: Earl Carter, Threat Researcher
Description: Exploit kits are a well-known threat on the Internet that effectively targets users through malvertising and compromised websites. This threat indiscriminately targets both home and work users. Cisco Talos is constantly analyzing the functionality utilized by various exploit kits using massive data feeds that give us a unique insight into the constantly evolving threat landscape. Since the Angler Exploit Kit is the most prolific exploit kit in operation today, we have done extensive analysis on how it operates and the various features it has incorporated to avoid detection. During this talk, we will perform a detailed analysis on the features incorporated into Angler that we have researched over the last year as well as our collaboration with Limestone Networks to research and expose the entire back-end network used to serve Angler (a campaign that was conservatively earning over $30 million a year infecting users with ransomware).
Reference: http://bsidesaustin.com/
Event: Emerging Threats @ AtlSecCon 2016
Date: 2016-04-07 & 2016-04-08
Speaker: Earl Carter, Threat Researcher
Description: Cisco Talos has a unique view into the ever evolving and changing threat landscape. We constantly research and identify how threat actors are evolving their skills and tactics by analyzing massive data feeds and working with teams of security experts. During this talk we will provide detailed analysis of the current threat landscape by examining the major threats that we have researched over the past 6-9 months. Some of the threats we plan to cover include SSHPsychos, the evolution of the Cryptowall ransomware, the Angler Exploit Kit, Rombertik, and phishing campaigns.
Reference: https://atlseccon.com/
Event: Talos: Threat Intelligence and the Emerging Threat Landscape
Date: 2016-04-13 @ 10:30am
Speaker: William Largent, Threat Researcher
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://cisco.cvent.com/events/2016-cisco-geekfest/event-summary-77abe9b97e3f414da87b3bfd8c1300ee.aspx
Event: Emerging Threats - The State of Cyber Security @ Cisco Connect Toronto
Date: 2016-05-18 & 2016-05-19
Speaker: Earl Carter, Threat Researcher
Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary to help secure a network in light of this ever changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Reference: http://ciscoconnecttoronto.ca/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Apple Releases Security Updates for iOS, OS X, watchOS, and Other Platforms
Description: Apple has released a large number of security updates for various supported platforms such as iOS, OS X El Capitan, OS X Server, Safari, tvOS, watchOS, and Xcode. In total, over 110 fixes were released addressing vulnerabilities within the listed seven products. Most of the fixes were targeted at OS X El Capitan, with the most severe vulnerabilities patched being arbitrary code execution flaws. The iMessage encryption flaw was also addressed with the latest release of iOS.
Reference: https://support.apple.com/en-us/HT201222
Snort SID: Detection pending release of vulnerability information
Title: VMware Patches Cross-Site Scripting (XSS) Flaws in vRealize Automation and vRealize Business Advanced and Enterprise
Description: VMware has released a security advisory for a pair of Cross-Site Scripting (XSS) flaws in VMware vRealize Automation and vRealize Business Advanced and Enterprise. CVE-2015-2344 identifies the XSS flaw in vRealize Automation while CVE-2016-2075 identifies the flaw in vRealize Business Advanced and Enterprise. Note that vRealize Automation 6.x on Linux and vRealize Business Advanced and Enterprise 8.x on Linux are affected by these vulnerabilities.
Reference: http://www.vmware.com/security/advisories/VMSA-2016-0003.html
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Talos: SamSam: The Doctor Will See You, After He Pays The Ransom http://blog.talosintel.com/2016/03/samsam-ransomware.html
Vulnerability Spotlight: Apple OS X Graphics Kernel Driver Local Privilege Escalation Vulnerability http://blog.talosintel.com/2016/03/apple-gfx-vuln.html
Malware Word Search: Identifying Angler’s Dictionary http://blog.talosintel.com/2016/03/angler-malware-word-search.html
Exploiting a Leaked Thread Handle - A Look at MS16-032 https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html
BinDiff now available for free https://security.googleblog.com/2016/03/bindiff-now-available-for-free.html
LastPass Authenticator: Technical Analysis http://fireoakstrategies.com/lastpass-authenticator-security-review-part-1/
FBI suspends case against Apple after feds find way to break into seized iPhone http://www.zdnet.com/article/fbi-suspends-apple-court-case-after-it-finds-way-to-unlock-iphone/
Uber Will Pay $10,000 ‘Bug Bounties’ to Friendly Hackers http://www.wired.com/2016/03/uber-bug-bounties/
============================================================
MOST PREVALENT MALWARE FILES 2016-03-15 - 2016-03-22: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F225D108365AAABE348D7A4013FF6BB46D2D378DD18C97B8F3573088014A614F MD5: 38cbab2da620985b724305214a1b3d81 VirusTotal: https://www.virustotal.com/file/F225D108365AAABE348D7A4013FF6BB46D2D378DD18C97B8F3573088014A614F/analysis/#additional-info Typical Filename: helperamc Claimed Product: N/A Detection Name: W32.Auto.f225d1.191563.in01
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9 VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info Typical Filename: ApplicationManager Claimed Product: Detection Name: OSX.Variant:SpigotD.19d2.1201
SHA 256: 1E12BDA263975D22103CD09B46EE238641CA890570FC7850254328AAE40C994D MD5: c69c9e7b12acee2ffa97057ddb123ecf VirusTotal: https://www.virustotal.com/file/1E12BDA263975D22103CD09B46EE238641CA890570FC7850254328AAE40C994D/analysis/#additional-info Typical Filename: smdmfu.exe Claimed Product: SmdmF Module Detection Name: Adware:KipodToolsC-tpd
SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55 MD5: 51e63633487f9180ec8031980684bf86 VirusTotal: https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info Typical Filename: winunfxo.exe Claimed Product: N/A Detection Name: W32.Malware:Pramro.19cf.1201
SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A MD5: cc9e1075db0645f1032f8c4b4412deba VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info Typical Filename: winvfmr.exe Claimed Product: N/A Detection Name: W32.Crypt:SalityGR.18i0.1201
============================================================
SPAM STATS FOR 2016-03-15 - 2016-03-22:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM