Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Major Vulnerability in ImageMagick Library Potentially Leading to Remote Code Execution Disclosed
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos Quarterly Threat Briefing - Webinar (Free for anyone to attend)
Date: 2016-05-11 at 8:00 am Pacific Time
Speaker: Craig Williams, Security Outreach Manager
Description: Cyberthreats will never disappear. Adversaries are only getting smarter and more adept at evading security measures. The security experts at Talos invite you to their quarterly threat briefing, where they will share their insights into recent attacks that exemplify the latest trends within the security industry. By discussing these new and emerging threats, the Talos team will help you understand new protection strategies and build better defenses.
Reference: https://grs.cisco.com/grsx/cust/grsEventSite.html?EventCode=14120&LanguageId=1&KeyCode=001169931

Event: Talos: Cisco’s Secret Weapon in Understanding Today’s Threat Landscape @ Cisco Security Week - St. Louis
Date: 2016-05-10 - 2016-05-12
Speaker: William Largent, Threat Researcher
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~STL

Event: Emerging Threats - The State of Cyber Security @ Cisco Connect - Toronto
Date: 2016-05-18 - 2016-05-19
Speaker: Earl Carter, Threat Researcher
Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary to help secure a network in light of this ever-changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Reference: http://ciscoconnecttoronto.ca/

Event: Exploit Kits: Hunting the Hunters @ 2016 HITBSecConf AMS
Date: 2016-05-26
Speaker: Nick Biasini
Description: Exploit kits are one of the threats that are ever present on the Internet, indiscriminately compromising users who are simply surfing websites. As ransomware has exploded, so has the proliferation of these exploit kits. This combination of ransomware, Tor, and Bitcoin has created a financially lucrative monster. For the last year Talos has been systematically diving into each exploit kit, trying to find nuggets of gold in a sea of compromise. Thus far the results have been promising, with some extremely successful outcomes related to the Angler and Rig exploit kits specifically. This talk will outline the process that was followed, what we found, and how we leveraged it to inflict damage on the users of these exploit kits.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/exploit-kits-hunting-the-hunters/

Event: Go Speed Tracer: Guided Fuzzing @ 2016 HITBSecConf AMS
Date: 2016-05-27
Speaker: Richard Johnson
Description: The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis, including code coverage analysis, constraint solving, and sampling/profiling-based feedback mechanisms.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/go-speed-tracer-guided-fuzzing/

============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Major Vulnerability in ImageMagick Library Potentially Leading to Remote Code Execution Disclosed
Description: A major vulnerability in ImageMagick that could lead to remote code execution has been disclosed to the public and is under active exploitation in the wild. The flaw (CVE-2016-3714, dubbed "ImageTragick") stems from insufficient filtering of the file names that several ImageMagick coders (including EPHEMERAL, HTTPS, MVG and MSL) hand to external "delegate" commands, so shell metacharacters embedded in a crafted image are executed. ImageMagick selects the coder from the file's contents rather than its extension, so an attacker can deliver such a payload as an image upload; the flaw is exploitable wherever the library processes user-submitted images. Researchers have pointed out that ImageMagick is widely reached through language bindings and plugins, such as PHP's imagick, Ruby's rmagick and paperclip, and the Node.js imagemagick module, so applications in those ecosystems are exposed even if they never invoke ImageMagick directly. Fixed releases are ImageMagick 6.9.3-10 and 7.0.1-1. If patching is not immediately viable, mitigations are available: verify that uploaded files begin with the magic bytes of the expected image format before handing them to ImageMagick, and use a policy.xml file to disable the vulnerable coders.
Reference: https://imagetragick.com/
Snort SID: Detection pending

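The magic-byte check recommended above, written out as an added example (this is not code from Talos or from the ImageTragick site). Because ImageMagick chooses its decoder by sniffing the file contents, an MVG or MSL script renamed to .png is still processed by the MVG/MSL coder; the example rejects any upload whose leading bytes do not match a known raster signature, insists the signature agrees with the extension the client claimed, and builds a `convert` command line that names the coder explicitly with ImageMagick's `format:path` prefix so no sniffing happens at all. The signature table, the sample PNG header and the sample MVG script are all constructed for the example.

```python
"""Magic-byte gate for uploads before they reach ImageMagick (added example).

ImageMagick picks the decoder ("coder") from the file's contents, not its
extension, so a text file such as an MVG script renamed to .png would still be
handled by the MVG coder, which is one of those affected by CVE-2016-3714.
Accepting only known raster signatures, and naming the coder explicitly on the
command line, removes that content-sniffing step from the attack surface.
"""
from typing import List, Optional

# Allowed raster formats and their leading bytes (signatures from the format specs).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the format whose signature the data starts with, else None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def is_safe_upload(data: bytes, claimed_ext: str) -> bool:
    """Accept only if the bytes carry a known raster signature AND that
    signature agrees with the extension the client claimed ('.jpg' == jpeg)."""
    ext = claimed_ext.lower().lstrip(".")
    if ext == "jpg":
        ext = "jpeg"
    return detect_image_type(data) == ext


def convert_argv(src_path: str, fmt: str, dst_path: str) -> List[str]:
    """Build a `convert` command that forces the input coder with ImageMagick's
    explicit `fmt:` prefix, so the file is decoded as `fmt` or not at all."""
    if fmt not in MAGIC:
        raise ValueError("unsupported format: %r" % fmt)
    return ["convert", "%s:%s" % (fmt, src_path), dst_path]


# Constructed samples: a minimal PNG-style header, and an MVG script disguised as a PNG.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_MVG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    print(is_safe_upload(GOOD_PNG, "png"))        # True
    print(is_safe_upload(DISGUISED_MVG, "png"))   # False: no raster signature
    print(convert_argv("/tmp/upload.png", "png", "/tmp/thumb.jpg"))
```

The check only covers formats you list in the table, so anything exotic is rejected rather than sniffed; that is the intent. It does not by itself neutralise the vulnerable coders, so pair it with the policy.xml mitigation the ImageTragick page describes (a `<policy domain="coder" rights="none" pattern="..."/>` entry for each of EPHEMERAL, URL, HTTPS, MVG and MSL), and treat both as stop-gaps until the fixed ImageMagick release is installed.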
Title: OpenSSL Releases Security Advisory for Six Vulnerabilities
Description: OpenSSL has released a security advisory addressing six vulnerabilities in the open source crypto library. Two are rated high severity: CVE-2016-2108 is a memory corruption bug in the ASN.1 encoder that affects applications which parse and re-encode untrusted ASN.1 data such as X.509 certificates, and CVE-2016-2107 is a padding oracle in the AES-NI CBC MAC check that lets a man-in-the-middle attacker decrypt traffic when the connection uses an AES-CBC cipher suite and the server supports AES-NI. The remaining four vulnerabilities are low severity. The fixed releases are OpenSSL 1.0.2h and 1.0.1t; users are advised to update their systems as patches for operating systems and software packages become available.
Reference: https://www.openssl.org/news/secadv/20160503.txt
Snort SID: Detection pending

Title: Google Releases Monthly Security Bulletin for Android; 40 Vulnerabilities Patched
Description: Google has released its monthly security bulletin for the Android mobile operating system. This month’s bulletin addresses 25 issues across 17 different components. The most critical issues addressed in this month’s patch are in Mediaserver, Debuggerd, Qualcomm TrustZone, the Qualcomm Wi-Fi driver, the NVIDIA video driver, and the kernel, and could result in remote code execution or privilege escalation. Google has released an over-the-air security update for Nexus devices. For other Android devices, Google has notified partners and will be releasing the source code for these patches.
Reference: https://source.android.com/security/bulletin/2016-05-01.html
Snort SID: Detection pending release of vulnerability information

============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The “Wizzards” of Adware http://blog.talosintel.com/2016/04/the-wizzards-of-adware.html?f_l=s
Practical Reverse Engineering Part 2 - Scouting the Firmware http://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/
Slack bot token leakage exposing business critical information https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/
Brazilian Judge Overturns 72-Hour WhatsApp Suspension https://threatpost.com/brazilian-judge-overturns-72-hour-whatsapp-suspension/117808/
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
=========================================================
MOST PREVALENT MALWARE FILES 2016-04-26 - 2016-05-03: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E
MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9
VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.19d2.1201

SHA 256: 97C9999ABEDAB138C9E4D9E2E5A3EBCD441033821C00B5ECC1186ED935A16D1B
MD5: 4c5b29389fd665eec95b16d3bdfaf5be
VirusTotal: https://www.virustotal.com/file/97C9999ABEDAB138C9E4D9E2E5A3EBCD441033821C00B5ECC1186ED935A16D1B/analysis/#additional-info
Typical Filename: LPS.exe
Claimed Product: livePCsupport
Detection Name: W32.Auto:97c999.in03.Talos

SHA 256: 4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76
MD5: 781a020ee3641da19fe4eba0fbab1444
VirusTotal: https://www.virustotal.com/file/4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76/analysis/#additional-info
Typical Filename: nwngb.exe
Claimed Product: (none)
Detection Name: Trojan:Sality-tpd

SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: wincbath.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19di.1201

SHA 256: 83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD
MD5: c913d292a9a907799526695c9ad3bfac
VirusTotal: https://www.virustotal.com/file/83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD/analysis/#additional-info
Typical Filename: helperamc
Claimed Product: (none)
Detection Name: OSX.83CEC41170.agent.tht.Talos

=========================================================
SPAM STATS FOR 2016-04-26 - 2016-05-03:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM