Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Oracle Releases Out of Band Security Advisory for Java Vulnerability Patched in 2013
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Evolution of the Angler Exploit Kit @ BSides Austin Date: 2016-04-01 Speaker: Earl Carter, Threat Researcher Description: Exploit kits are a well-known threat on the Internet that effectively targets users through malvertising and compromised websites. This threat indiscriminately targets both home and work users. Cisco Talos is constantly analyzing the functionality utilized by various exploit kits using massive data feeds that give us a unique insight into the constantly evolving threat landscape. Since the Angler Exploit kit is the most prolific exploit kit in operation today, we have done extensive analysis on how it operates and the various features it has incorporated to avoid detection. During this talk, we will perform a detailed analysis on the features incorporated into Angler that we have researched over the last year as well as our collaboration with Limestone Networks to research and expose the entire back-end network used to serve Angler (a campaign that was conservatively earning over $30 Million a year infecting users with ransomware). Reference: http://bsidesaustin.com/
Event: Emerging Threats @ AtlSecCon 2016 Date: 2016-04-07 & 2016-04-08 Speaker: Earl Carter, Threat Researcher Description: Cisco Talos has a unique view into the ever evolving and changing threat landscape. We constantly research and identify how threat actors are evolving their skills and tactics by analyzing massive data feeds and working with teams of security experts. During this talk we will provide detailed analysis of the current threat landscape by examining the major threats that we have researched over the past 6-9 months. Some of the threats we plan to cover include SSHPsychos, the evolution of the Cryptowall ransomware, the Angler Exploit Kit, Rombertik, and phishing campaigns. Reference: https://atlseccon.com/
Event: Talos: Threat Intelligence and the Emerging Threat Landscape Date: 2016-04-13 @ 10:30am Speaker: William Largent, Threat Researcher Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: http://cisco.cvent.com/events/2016-cisco-geekfest/event-summary-77abe9b97e3f414da87b3bfd8c1300ee.aspx
Event: Emerging Threats - The State of Cyber Security @ Cisco Connect Toronto Date: 2016-05-18 & 2016-05-19 Speaker: Earl Carter, Threat Researcher Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary to help secure a network in light of this ever changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies. Reference: http://ciscoconnecttoronto.ca/
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Oracle Releases Out of Band Security Advisory for Java Vulnerability Patched in 2013
Description: Oracle has released an out-of-band security advisory for a Java vulnerability that was originally reported in 2013 and patched back then. Since the original release of the patch for CVE-2013-5838, new information detailing how the patch was incomplete and could still allow an attacker to remotely execute code has been made public. In response to this new information, Oracle has fixed the broken patch and has release an updated version of Java that addresses the issue. Per Oracle's website, "Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X are affected." Users are advised to update their Java installations.
- http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0636-2949497.html - http://seclists.org/fulldisclosure/2016/Mar/31 Snort SID: 38338-38339
Title: New Server-Side Ransomware Variant (Samas/Samsam) Hitting Hospitals Description: Researchers have identified a ransomware variant that appears to be currently targeting hospitals in the United States. Known as Samas/Samsam, this ransomware variant is unique in that instead of targeting individual users through phishing attacks or via exploit kits, adversaries are compromising systems via external facing JBoss servers that are vulnerable to compromise and moving laterally within the network to compromise additional systems. Multiple threat intelligence organizations have reported on this ransomware variant with detection being made available to detect and mitigate this threat. Reference: http://blog.talosintel.com/2016/03/samsam-ransomware.html Snort SID: 18794, 21516-21517, 24342-24343, 24642, 29909, 38279-38280, 38304 ClamAV: Win.Trojan.Samas
Title: Multiple Cross-site Scripting (XSS) Vulnerabilities in Zen Cart Patched
Description: Researchers at Trustwave have identified multiple XSS vulnerabilities in Zen Cart, a popular online shopping cart software package. Trustwave responsibly disclosed these vulnerabilities to Zen Cart and worked to ensure all vulnerabilities were properly patched before disclosure. Zen Cart has release Zen Cart 1.5.5 to address these vulnerabilities. Additionally, Zen Cart has made available the patches to address the flaws if patching is not immediately possible.
- https://www.zen-cart.com/showthread.php?219732-Trustwave-Security-report-Patch-Included - https://www.trustwave.com/Resources/SpiderLabs-Blog/TWSL2016-006--Multiple-XSS-Vulnerabilities-reported-for-Zen-Cart/ Snort SID: Detection pending release of vulnerability information
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Life after the Isolated Heap - A Look at Exploiting Flash Player http://googleprojectzero.blogspot.com/2016/03/life-after-isolated-heap.html
The FBI Drops Its Case Against Apple After Finding A Way Into That Phone http://www.wired.com/2016/03/fbi-drops-case-apple-finding-way-iphone/
New feature in Office 2016 can block macros and help prevent infection https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
Talos - Vulnerability Spotlight: Apple OS X Graphics Kernel Driver Local Privilege Escalation Vulnerability http://blog.talosintel.com/2016/03/apple-gfx-vuln.html
Malware is being signed with multiple digital certificates to evade detection http://www.symantec.com/connect/blogs/malware-being-signed-multiple-digital-certificates-evade-detection
Talos - Malware Word Search: Identifying Angler's Dictionary http://blog.talosintel.com/2016/03/angler-malware-word-search.html
Abusing bugs in the Locky ransomware to create a vaccine https://www.lexsi.com/securityhub/abusing-bugs-in-the-locky-ransomware-to-create-a-vaccine/?
MOST PREVALENT MALWARE FILES 2016-03-22 - 2016-03-29: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9 VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info Typical Filename: ApplicationManager Claimed Product: N/A Detection Name: OSX.Variant:SpigotD.19d2.1201
SHA 256: 1E12BDA263975D22103CD09B46EE238641CA890570FC7850254328AAE40C994D MD5: c69c9e7b12acee2ffa97057ddb123ecf VirusTotal: https://www.virustotal.com/file/1E12BDA263975D22103CD09B46EE238641CA890570FC7850254328AAE40C994D/analysis/#additional-info Typical Filename: smdmfu.exe Claimed Product: SmdmF Module Detection Name: Adware:KipodToolsC-tpd
SHA 256: 3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC MD5: 37ee9a5257102d876cfae15bccfbbf78 VirusTotal: https://www.virustotal.com/file/3B17689A486D68813C31BF2BA610BF36F4B1F5B0403B0316C9833348845306FC/analysis/#additional-info Typical Filename: WebSocketServerApp Claimed Product: N/A Detection Name: W32.Auto.3b1768.182243.in01
SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55 MD5: 51e63633487f9180ec8031980684bf86 VirusTotal: https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info Typical Filename: nidmp.exe Claimed Product: N/A Detection Name: W32.Malware:Pramro.19cf.1201
SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A MD5: cc9e1075db0645f1032f8c4b4412deba VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info Typical Filename: winenfca.exe Claimed Product: N/A Detection Name: W32.Crypt:SalityGR.18i0.1201
SPAM STATS FOR 2016-03-22 - 2016-03-29:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM