Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Adobe Releases Patch for Flash Vulnerability Under Exploitation in the Wild
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos: Cisco’s Secret Weapon in Understanding Today’s Threat Landscape @ Cisco Security Week - St. Louis
Date: 2016-05-10 - 2016-05-12
Speaker: William Largent, Threat Researcher
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~STL
Event: Emerging Threats - The State of Cyber Security @ Cisco Connect - Toronto
Date: 2016-05-18 - 2016-05-19
Speaker: Earl Carter, Threat Researcher
Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary to help secure a network in light of this ever-changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Reference: http://ciscoconnecttoronto.ca/
Event: Exploit Kits: Hunting the Hunters @ 2016 HITBSecConf AMS
Date: 2016-05-26
Speaker: Nick Biasini
Description: Exploit kits are an ever-present threat on the Internet, indiscriminately compromising users who are simply browsing websites. As ransomware has exploded, so has the proliferation of these exploit kits; the combination of ransomware, Tor, and Bitcoin has created a financially lucrative monster. For the last year Talos has been systematically diving into each exploit kit, trying to find nuggets of gold in a sea of compromise. Thus far the results have been promising, with some extremely successful outcomes related to the Angler and Rig exploit kits specifically. This talk will outline the process that was followed, what we found, and how we leveraged it to inflict damage on the criminals who use these exploit kits.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/exploit-kits-hunting-the-hunters/
Event: Go Speed Tracer: Guided Fuzzing @ 2016 HITBSecConf AMS
Date: 2016-05-27
Speaker: Richard Johnson
Description: The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis including code coverage analysis, constraint solving, and sampling/profiling based feedback mechanisms.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/go-speed-tracer-guided-fuzzing/
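The "Go Speed Tracer" abstract names code coverage feedback as one of the mechanisms that separates guided fuzzing from plain sample-based mutation. The following is an added example, not code from the talk, from Talos, or from any fuzzer the talk covers: a Python mutation fuzzer that uses sys.settrace to record which lines of a target function each input executes, and keeps an input in its corpus only when it reaches a line no earlier input did. The target function (a bug hidden behind a four-byte magic check), the mutation operators, the seed and the RNG seed are all constructed for illustration.

```python
import random
import sys
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


def target(data: bytes) -> None:
    """Constructed target: the bug is reachable only behind a 4-byte magic check,
    one byte per branch, which is exactly the shape blind mutation cannot get past."""
    if len(data) >= 4 and data[0] == ord("F"):
        if data[1] == ord("U"):
            if data[2] == ord("Z"):
                if data[3] == ord("Z"):
                    raise RuntimeError("crash: reached the buggy code path")


def run_with_coverage(func: Callable[[bytes], None], data: bytes) -> Tuple[Set[int], bool]:
    """Execute func(data) under sys.settrace and collect the line numbers executed
    inside func. This is the feedback signal; AFL and libFuzzer get the equivalent
    from compile-time edge instrumentation rather than a line tracer."""
    covered: Set[int] = set()
    code = func.__code__

    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is code:
            covered.add(frame.f_lineno)
        return tracer

    crashed = False
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        func(data)
    except Exception:
        crashed = True
    finally:
        sys.settrace(previous)
    return covered, crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte (most of the time), append a byte, or drop the last byte."""
    buf = bytearray(data)
    roll = rng.random()
    if roll < 0.90 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif roll < 0.95:
        buf.append(rng.randrange(256))
    elif len(buf) > 1:
        buf.pop()
    return bytes(buf)


@dataclass
class FuzzResult:
    crash: Optional[bytes]   # first crashing input, or None if the budget ran out
    iterations: int
    corpus_size: int
    lines_covered: int


def fuzz(func: Callable[[bytes], None], seed: bytes, max_iters: int = 30000,
         guided: bool = True, rng_seed: int = 1) -> FuzzResult:
    """Mutation fuzzer. With guided=True an input is kept in the corpus when it executes
    a line no earlier input reached; with guided=False nothing is ever kept, so every
    mutation starts over from the seed (no feedback at all)."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    total_cov, crashed = run_with_coverage(func, seed)
    if crashed:
        return FuzzResult(seed, 0, 1, len(total_cov))
    for i in range(1, max_iters + 1):
        # Favour the newest corpus entry: it is the one that most recently found new code.
        parent = corpus[-1] if rng.random() < 0.75 else rng.choice(corpus)
        child = mutate(parent, rng)
        cov, crashed = run_with_coverage(func, child)
        if crashed:
            return FuzzResult(child, i, len(corpus), len(total_cov | cov))
        if guided and not cov <= total_cov:
            total_cov |= cov
            corpus.append(child)
    return FuzzResult(None, max_iters, len(corpus), len(total_cov))


if __name__ == "__main__":
    for mode in (True, False):
        r = fuzz(target, b"AAAA", guided=mode)
        print(f"guided={mode}: crash={r.crash!r} after {r.iterations} runs, "
              f"corpus={r.corpus_size}, lines={r.lines_covered}")
```

Run as a script to compare the two modes. The unguided run mutates the seed alone, so no child ever differs from b"AAAA" in more than one byte and the magic check is never passed; the guided run solves the check one byte at a time, adding "F???", "FU??" and "FUZ?" to the corpus on the way to the crash, and typically needs a few thousand executions rather than the roughly 2^32 a blind search of four bytes would. Line-level tracing is slow and misses edges between lines, which is why production fuzzers instrument branches at compile time, but the feedback loop is the same.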
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Adobe Releases Security Bulletin for Flash Player; Flaws in Creative Cloud and RoboHelp Server Also Fixed
Description: Adobe has released security bulletins for Flash Player, Creative Cloud, and RoboHelp Server to address security flaws. The Flash Player bulletin was released early, on April 7, while the bulletins for Creative Cloud and RoboHelp Server were released on Tuesday, April 12. The Flash bulletin addresses CVE-2016-1019, a type-confusion vulnerability under active exploitation in the wild, as well as 22 other vulnerabilities. The bulletins for Creative Cloud and RoboHelp Server address one security flaw each, the more severe being an arbitrary file read/write on the client system.
Reference:
- https://helpx.adobe.com/content/help/en/security/products/flash-player/apsb16-10.html
- https://helpx.adobe.com/security.html
Snort SID: 38401-38402, 38413-38416, 38425-38428 (additional rules pending release of vulnerability information)
Title: Microsoft Releases Monthly Set of Security Patches for April 2016
Description: This month’s release of security advisories from Microsoft contains 13 bulletins relating to 31 vulnerabilities. Six bulletins address vulnerabilities rated as critical in Edge, Graphics Component, Internet Explorer, XML Core Services, Microsoft Office and Adobe Flash Player. The remaining seven bulletins address important vulnerabilities in Hyper-V, Microsoft Office and other Windows components.
Reference: https://technet.microsoft.com/library/security/ms16-apr
Snort SID: 38458-38464, 38469-38470, 38473-38474, 38479-38484, 38489-38490, 38495-38496, 38503-38506
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Badlock Vulnerability Falls Flat Against Its Hype https://threatpost.com/badlock-vulnerability-falls-flat-against-its-hype/117349/
How to unlock files encrypted by Petya ransomware for free http://www.zdnet.com/article/how-to-unlock-files-encrypted-by-petya-ransomware-for-free/
If You Can’t Break Crypto, Break the Client: Recovery of Plaintext iMessage Data https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
Practical Reverse Engineering Part 1 - Hunting for Debug Ports http://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/
ATM Malware on the Rise http://blog.trendmicro.com/trendlabs-security-intelligence/atm-malware-on-the-rise/
============================================================
MOST PREVALENT MALWARE FILES 2016-04-05 - 2016-04-12: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55
MD5: 51e63633487f9180ec8031980684bf86
VirusTotal: https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info
Typical Filename: nidmp.exe
Claimed Product: N/A
Detection Name: W32.Malware:Pramro.19cf.1201

SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A
MD5: cc9e1075db0645f1032f8c4b4412deba
VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info
Typical Filename: winkaswww.exe
Claimed Product: N/A
Detection Name: W32.Crypt:SalityGR.18i0.1201

SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: winhgwir.exe
Claimed Product: N/A
Detection Name: W32.Malware:Pramro.19di.1201

SHA 256: 74BBB7C171E56910F0A08DADD7FE4729409EDC09D56387BAA5ABC2AC26E74FA9
MD5: 34cb9a943f654b37bd95157112a98837
VirusTotal: https://www.virustotal.com/file/74BBB7C171E56910F0A08DADD7FE4729409EDC09D56387BAA5ABC2AC26E74FA9/analysis/#additional-info
Typical Filename: PrinterInstallerClientUpdater.exe
Claimed Product: unknown
Detection Name: W32.74BBB7C171-100.SBX.VIOC

SHA 256: EDD00D866A8C164697D0E0A60D73D6D4BEE46B03EACC73CA58546E4C33920EC0
MD5: f94261f0ed93f843d038a4b3fb9ffc6f
VirusTotal: https://www.virustotal.com/file/EDD00D866A8C164697D0E0A60D73D6D4BEE46B03EACC73CA58546E4C33920EC0/analysis/#additional-info
Typical Filename: Raku-Navi_Launcher.exe
Claimed Product: unknown
Detection Name: W32.Auto.edd00d.182265.in01
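The hash list above is meant to be fed to tooling rather than read. The following is an added example, not code from Talos, showing the usual way it is consumed: hash every file under a directory with both SHA-256 and MD5 and report files whose digests appear in the list. The five SHA-256/MD5 pairs and detection names from the table are embedded as-is; the files the demo() function writes and the two "Constructed.*" IOC entries it adds are made up for the demonstration, since the page's real hashes cannot match invented content.

```python
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-256 and MD5 values from this week's "most prevalent malware files" table,
# keyed to the Talos detection name. Digests are compared as lower-case hex.
PAGE_SHA256: Dict[str, str] = {
    "f4ae1a3d610a57547f014215a5d7aaed8572cd36aa77a9567c183f11430a6b55": "W32.Malware:Pramro.19cf.1201",
    "8897f94710f3ca65af0e52f6e2b76e6319dd5fb0dd6ad0968f8acc0d25ee783a": "W32.Crypt:SalityGR.18i0.1201",
    "f9b8f7f285f811ee720cce7bccd98a421a26fb90dd7b022118d4b4e1f340036b": "W32.Malware:Pramro.19di.1201",
    "74bbb7c171e56910f0a08dadd7fe4729409edc09d56387baa5abc2ac26e74fa9": "W32.74BBB7C171-100.SBX.VIOC",
    "edd00d866a8c164697d0e0a60d73d6d4bee46b03eacc73ca58546e4c33920ec0": "W32.Auto.edd00d.182265.in01",
}
PAGE_MD5: Dict[str, str] = {
    "51e63633487f9180ec8031980684bf86": "W32.Malware:Pramro.19cf.1201",
    "cc9e1075db0645f1032f8c4b4412deba": "W32.Crypt:SalityGR.18i0.1201",
    "0612402ad98c8c31cd6f2b914a419039": "W32.Malware:Pramro.19di.1201",
    "34cb9a943f654b37bd95157112a98837": "W32.74BBB7C171-100.SBX.VIOC",
    "f94261f0ed93f843d038a4b3fb9ffc6f": "W32.Auto.edd00d.182265.in01",
}


def digest_bytes(data: bytes) -> Tuple[str, str]:
    """(sha256_hex, md5_hex) of an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """(sha256_hex, md5_hex) of a file, read in chunks so large binaries are not loaded whole."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def scan_tree(root, sha256_iocs: Dict[str, str] = PAGE_SHA256,
              md5_iocs: Dict[str, str] = PAGE_MD5) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, match_kind, detection_name) for every file whose digest
    is listed. A SHA-256 match is reported as "sha256"; a file that matches only by MD5 is
    reported as "md5-only", because MD5 collisions are cheap to construct and the SHA-256 in
    the same row is the identifier to confirm against."""
    hits: List[Tuple[str, str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        sha256, md5 = digest_file(path)
        if sha256 in sha256_iocs:
            hits.append((str(path), "sha256", sha256_iocs[sha256]))
        elif md5 in md5_iocs:
            hits.append((str(path), "md5-only", md5_iocs[md5]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed demonstration: three files in a temp dir. One is benign, one is registered
    under a constructed SHA-256 IOC, one under a constructed MD5-only IOC. Returns the hits
    with paths reduced to file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign content\n")
        sample_a = b"constructed stand-in for sample A\n"
        sample_b = b"constructed stand-in for sample B\n"
        (root / "nidmp.exe").write_bytes(sample_a)
        (root / "winkaswww.exe").write_bytes(sample_b)
        sha256_iocs = {**PAGE_SHA256, digest_bytes(sample_a)[0]: "Constructed.TestSample"}
        md5_iocs = {**PAGE_MD5, digest_bytes(sample_b)[1]: "Constructed.Md5Lead"}
        hits = scan_tree(root, sha256_iocs, md5_iocs)
        return [(Path(path).name, kind, name) for path, kind, name in hits]


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, kind, name in scan_tree(scan_root):
        print(f"{kind:9} {name:32} {path}")
```

Point the script at a directory to scan it against the page's list. Two caveats a practitioner would keep in mind: hash IOCs match only byte-identical files, so a polymorphic family such as Sality will not be caught by the one hash listed here, and an MD5-only hit is a lead to confirm with the SHA-256 (or a sandbox), not a verdict.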
============================================================
SPAM STATS FOR 2016-04-05 - 2016-04-12:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM