Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Adobe Patches Vulnerabilities Under Active Exploitation in Monthly Flash Player Security Bulletin
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Exploit Kits: Hunting the Hunters @ 2016 HITBSecConf AMS
Date: 2016-05-26
Speaker: Nick Biasini
Description: Exploit kits are one of the ever-present threats on the Internet, indiscriminately compromising users who are simply browsing websites. As ransomware has exploded, so has the proliferation of these exploit kits. This combination of ransomware, Tor, and Bitcoin has created a financially lucrative monster. For the last year Talos has been systematically diving into each exploit kit, trying to find nuggets of gold in a sea of compromise. Thus far the results have been promising, with some extremely successful outcomes related to the Angler and Rig exploit kits specifically. This talk will outline the process that was followed, what we found, and how we leveraged it to inflict damage on the users of these exploit kits.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/exploit-kits-hunting-the-hunters/
Event: Go Speed Tracer: Guided Fuzzing @ 2016 HITBSecConf AMS
Date: 2016-05-27
Speaker: Richard Johnson
Description: The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective at a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis, including code coverage analysis, constraint solving, and sampling/profiling-based feedback mechanisms.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/go-speed-tracer-guided-fuzzing/
Event: The Continuing Evolution of Ransomware @ InfoSec Europe, London
Date: 2016-06-07 @ 11:20
Speaker: Martin Lee, Technical Leader
Description: Cyber criminals are adept at maximising their profit from compromised machines. Criminals have developed botnets to monetise compromised devices, developed DDoS as a form of extortion racket, and created dark markets to trade stolen personal data. Ransomware allows criminals to bypass fluctuating levels of supply and demand in underground markets and to set a price for compromised data with the person who values it most, the victim. In this session, Martin will share how ransomware has evolved, the advantages of ransomware as a criminal business model, and how we can expect ransomware to develop in the near future.
Reference: http://www.infosecurityeurope.com/en/Sessions/27345/The-Continuing-Evolution-of-Ransomware
Event: Emerging Threats - The State of Cyber Security @ Cisco Security Week, Boston
Date: 2016-06-22 and 2016-06-23
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Boston
Event: Emerging Threats - The State of Cyber Security @ Cisco Live USA, Las Vegas
Date: 2016-07-10 and 2016-07-14
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/us/learn/sessions/session-catalog/?search=BRKSEC-2010
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Adobe Patches Vulnerabilities Under Active Exploitation in Monthly Flash Player Security Bulletin
Description: Adobe has released its monthly Flash Player security bulletin to address vulnerabilities, one of which is currently under active exploitation in the wild. CVE-2016-4117 is a type-confusion vulnerability that was originally reported to Adobe by FireEye. 24 other security vulnerabilities were also addressed in the bulletin, the majority of them being use-after-free and memory corruption flaws that could lead to arbitrary code execution. Users are advised to disable or remove Flash from their browser if it is not needed, and otherwise to patch as soon as possible.
Reference: https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
Snort SID: 38792, 38793, 38824-38827, 38830-38833, 38835-38838, 38847-38848
Title: 7-Zip Vulnerabilities Leading to Arbitrary Code Execution Patched
Description: Marcin Noga of the Talos Group at Cisco has identified two major vulnerabilities in 7-Zip, an open-source file archiving application which is used in various other applications. One of the vulnerabilities, CVE-2016-2335, is an out-of-bounds read vulnerability which, if exploited, could lead to arbitrary code execution. The other vulnerability, CVE-2016-2334, is a heap overflow vulnerability. Igor Pavlov, the maintainer of 7-Zip, has released an updated version of 7-Zip to address these security flaws.
Reference: http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html?f_l=s
Snort SID: 38323-38326, 38293-38296
Title: Major Security Flaw in Symantec/Norton Antivirus Identified and Disclosed by Google Project Zero
Description: Tavis Ormandy of Google Project Zero has identified a major vulnerability (CVE-2016-2208) in Symantec/Norton Antivirus that could lead to remote code execution on affected machines. CVE-2016-2208 is a heap/pool memory corruption vulnerability that manifests when the antivirus engine parses “executables packed by an early version of aspack.” The vulnerability was responsibly disclosed to Symantec, which in turn addressed the flaw in an Anti-Virus Engine update via LiveUpdate.
Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=820
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Academics Make Theoretical Breakthrough in Random Number Generation https://threatpost.com/academics-make-theoretical-breakthrough-in-random-number-generation/118150/
The Bank Job https://boris.in/blog/2016/the-bank-job/
Google’s Chrome to block Flash this year - except for 10 top websites http://www.zdnet.com/article/googles-chrome-to-block-flash-this-year-except-for-10-top-websites/
CVE-2016-4117: Flash Zero-Day Exploited In The Wild https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html
U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit http://malware.dontneedcoffee.com/2016/05/u-admin-universal-admin-phishingweb-kit.html
============================================================
MOST PREVALENT MALWARE FILES 2016-05-10 - 2016-05-17: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E
MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9
VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: (none)
Detection Name: OSX.Variant:SpigotD.19d2.1201
SHA 256: 4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76
MD5: 781a020ee3641da19fe4eba0fbab1444
VirusTotal: https://www.virustotal.com/file/4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76/analysis/#additional-info
Typical Filename: winvjcet.exe
Claimed Product: (none)
Detection Name: Trojan:Sality-tpd
SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: winvemoak.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19di.1201
SHA 256: 5050DABE1E37D2E2C19F8BC55C76ECABB3CBB29E33CF0AF16472963C4DDD4A52
MD5: 02b38982ab66fb77213ce181d2483893
VirusTotal: https://www.virustotal.com/file/5050DABE1E37D2E2C19F8BC55C76ECABB3CBB29E33CF0AF16472963C4DDD4A52/analysis/#additional-info
Typical Filename: YOUR FILE.zip
Claimed Product: N/A
Detection Name: W32.5050DABE1E.MalJS.Talos
SHA 256: E081ABE8DAE14D0CB810678EC11F784B6C8FD94B07E9225C374709C40F84C0F4
MD5: a1ba1862ed87d09ddcd36f878392ca47
VirusTotal: https://www.virustotal.com/file/E081ABE8DAE14D0CB810678EC11F784B6C8FD94B07E9225C374709C40F84C0F4/analysis/#additional-info
Typical Filename: AutoKMS.exe
Claimed Product: AutoKMS
Detection Name: W32.Auto.e081ab.191539.in01
============================================================
SPAM STATS FOR 2016-05-10 - 2016-05-17:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM