Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Microsoft Releases Monthly Set of Security Bulletins for May 2016
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Breaking Down The Ransomware Attack - Webinar (Free for anyone to attend)
Date: 2016-05-18 @ 11:00am PDT
Speaker: Nick Biasini, Threat Researcher
Description: Are you prepared if you lose all your critical data? It could be any digital asset, from personal family pictures to sensitive customer records, that you couldn’t get back unless you paid a ransom. This kind of attack is called ransomware and it’s becoming increasingly common. Join Cisco for a special webcast focused on ransomware. Leading the talk will be Nick Biasini from Cisco’s threat research team Talos and Joseph Muniz from the security architecture team.
Reference: http://go.sourcefire.com/CiscoSecurityWebinarSeries/Email/AmericasWebinarSeries/registration-page-1583G-43732S.html
Event: Emerging Threats - The State of Cyber Security @ Cisco Connect - Toronto
Date: 2016-05-18 - 2016-05-19
Speaker: Earl Carter, Threat Researcher
Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary to help secure a network in light of this ever-changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Reference: http://ciscoconnecttoronto.ca/
Event: Exploit Kits: Hunting the Hunters @ 2016 HITBSecConf AMS
Date: 2016-05-26
Speaker: Nick Biasini
Description: Exploit kits are an ever-present threat on the Internet, indiscriminately compromising users who are simply browsing websites. As ransomware has exploded, so has the proliferation of these exploit kits. The combination of ransomware, Tor, and Bitcoin has created a financially lucrative monster. For the last year Talos has been systematically diving into each exploit kit, trying to find nuggets of gold in a sea of compromise. Thus far the results have been promising, with some extremely successful outcomes related to the Angler and Rig exploit kits specifically. This talk will outline the process that was followed, what we found, and how we leveraged it to inflict damage on the users of these exploit kits.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/exploit-kits-hunting-the-hunters/
Event: Go Speed Tracer: Guided Fuzzing @ 2016 HITBSecConf AMS
Date: 2016-05-27
Speaker: Richard Johnson
Description: The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis, including code coverage analysis, constraint solving, and sampling/profiling-based feedback mechanisms.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/go-speed-tracer-guided-fuzzing/
Event: Emerging Threats - The State of Cyber Security
Date: 2016-06-22 and 2016-06-23
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Boston
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Releases Monthly Set of Security Bulletins for May 2016
Description: Microsoft has released their monthly set of security bulletins to address a number of security vulnerabilities identified across their products. This month’s release contains 16 bulletins addressing 33 vulnerabilities. Eight bulletins are rated critical and address flaws in Edge, Internet Explorer, Office, Graphic Components, VBScript, Windows Shell, and Adobe Flash Player. The remaining bulletins are rated important and address vulnerabilities in the Windows Kernel, IIS, Media Center, Hyper-V, .NET, and several other Windows components.
Reference: https://technet.microsoft.com/en-us/library/security/ms16-may
Snort SID: 38759-38766, 38768-38783, 38785-38788, 38797-38798, 38801-38806, 38808-38817, 38828-38829, 38839-38842
Title: Adobe Released Security Advisory for Flash Player 0-day Under Active Exploitation; Monthly Flash Bulletin Due May 12
Description: Adobe has released a security advisory warning users of a zero-day vulnerability (CVE-2016-4117) that is under active exploitation in the wild. Users are advised to remove Flash Player from their browsers to reduce the risk of compromise. In the event that users are unable to uninstall Flash, it’s recommended that users disable Flash Player or make it “click-to-play.” Adobe is targeting May 12 as the release date for the bulletin to patch this and other Flash vulnerabilities.
Reference: https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
Snort SID: Detection pending
Title: WordPress Releases Security Update to Address SOME and XSS Flaws
Description: WordPress has released version 4.5.2, a security update that addresses a pair of vulnerabilities. WordPress versions 4.5.1 and earlier are affected by a Same Origin Method Execution (SOME) vulnerability within Plupload, a third-party library used by WordPress to upload files, as well as a reflected XSS flaw that is triggered by specially crafted URIs handled by MediaElement.js, a third-party library used for media players. MediaElement.js and Plupload have released updates fixing these issues. WordPress administrators are encouraged to update their WordPress installation immediately.
Reference: https://wordpress.org/news/2016/05/wordpress-4-5-2/
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Talos: Multiple 7-Zip Vulnerabilities Discovered http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html?f_l=s
Large Kovter digitally-signed malvertising campaign and MSRT cleanup release https://blogs.technet.microsoft.com/mmpc/2016/05/10/large-kovter-digitally-signed-malvertising-campaign-and-msrt-cleanup-release/?
Phrack - Issue 69 Published and Released to the General Public http://phrack.org/issues/69/1.html
Continued Meterpreter Development - Meterpreter Gets Powershell Extension, Reverse Port Forwarding, and Named Pipe Pivoting http://buffered.io/posts/continued-meterpreter-development/
Sneaker Bots – Stealing Your New Shoes https://blog.perimeterx.com/sneaker-bots/
Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/
============================================================
MOST PREVALENT MALWARE FILES 2016-05-03 - 2016-05-10: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 0CBB5B8C054C7BD618F5A346F3A1943363573CA3AF19823F76D5FB53F558AC38
MD5: 8496ca93b98a8abc44a9b0bd00682394
VirusTotal: https://www.virustotal.com/file/0CBB5B8C054C7BD618F5A346F3A1943363573CA3AF19823F76D5FB53F558AC38/analysis/#additional-info
Typical Filename: INVOICE_44216_cert.zip
Claimed Product: N/A
Detection Name: Auto.0CBB5B8C05.Docfile.tht.Talos
SHA 256: 7CB1EA71C373C890D7A1C2E38F57FA3A862332C14798E58A569529C49573073E
MD5: 9aec216b4ec4b379de224a13ca682379
VirusTotal: https://www.virustotal.com/file/7CB1EA71C373C890D7A1C2E38F57FA3A862332C14798E58A569529C49573073E/analysis/#additional-info
Typical Filename: INVOICE_43102_info.zip
Claimed Product: N/A
Detection Name: Auto.7CB1EA71C3.Docfile.tht.Talos
SHA 256: 4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76
MD5: 781a020ee3641da19fe4eba0fbab1444
VirusTotal: https://www.virustotal.com/file/4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76/analysis/#additional-info
Typical Filename: nwngb.exe
Claimed Product: (none)
Detection Name: Trojan:Sality-tpd
SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: bdpyog.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19di.1201
SHA 256: 244C5E105BF565E85962B8F137963644FDAE9D64BB55ADB34700F813A3495A75
MD5: 61395339c270735e254c8eb847cb0fbd
VirusTotal: https://www.virustotal.com/file/244C5E105BF565E85962B8F137963644FDAE9D64BB55ADB34700F813A3495A75/analysis/#additional-info
Typical Filename: INVOICE_5101_.zip
Claimed Product: N/A
Detection Name: Auto.244C5E105B.Docfile.tht.Talos
============================================================
SPAM STATS FOR 2016-05-03 - 2016-05-10:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM