Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Latest Adobe Flash 0-day Flaw Actively Exploited in Nuclear, Neutrino, and Magnitude Exploit Kits
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: The Continuing Evolution of Ransomware @ InfoSec Europe, London
Date: 2016-06-07 @ 11:20
Speaker: Martin Lee, Technical Leader
Description: Cyber criminals are adept at maximising their profit from compromised machines. Criminals have developed botnets to monetise compromised devices, developed DDoS as a form of extortion racket, and created dark markets to trade stolen personal data. Ransomware allows criminals to bypass fluctuating levels of supply and demand in underground markets and to set a price for compromised data with the person who values it most, the victim. In this session, Martin will share how ransomware has evolved, the advantages of ransomware as a criminal business model, and how we can expect ransomware to develop in the near future.
Reference: http://www.infosecurityeurope.com/en/Sessions/27345/The-Continuing-Evolution-of-Ransomware
Event: Cisco’s Secret Weapon “Talos” and the Evolving Threat Landscape @ InfoSec Belgium, Brussels
Date: 2016-06-15
Speaker: Holger Unterbrink, Technical Lead
Description: Talos is Cisco’s Threat Research group. Today’s IT organizations need security solutions relying on leading threat intelligence to effectively safeguard their extended networks. Creating leading threat intelligence is the focus of the Cisco Talos Security Intelligence and Research Group. In this session, you will learn what Talos is, learn about the scale and severity of the current threat landscape, discover how attackers target specific organizations and users, and understand changes in attack behavior.
Reference: http://www.infosecurity.be/
Event: Emerging Threats - The State of Cyber Security @ Cisco Security Week, Boston
Date: 2016-06-22 and 2016-06-23
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Boston
Event: Emerging Threats - The State of Cyber Security @ Cisco Live USA, Las Vegas
Date: 2016-07-10 and 2016-07-14
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/us/learn/sessions/session-catalog/?search=BRKSEC-2010
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Latest Adobe Flash 0-day Flaw Actively Exploited in Nuclear, Neutrino, and Magnitude Exploit Kits
Description: The most recent Flash zero-day vulnerability that was disclosed and patched by Adobe is currently being actively exploited in three exploit kits. The Nuclear, Neutrino, and Magnitude exploit kits have now incorporated exploits for CVE-2016-4117, targeting vulnerable versions of Flash. As a reminder, users who do not require Flash are strongly encouraged to remove it from their systems. For users who need Flash and/or who do not have the ability to uninstall it, disabling Flash within the browser is strongly recommended to reduce the risk of compromise.
Reference: http://malware.dontneedcoffee.com/2016/05/cve-2016-4117-flash-up-to-2100213-and.html
Snort SID: 38874-38875
Title: Magento Patches Several Security Flaws in Enterprise and Community Editions
Description: Magento has patched several security flaws in its flagship eCommerce platform. The two most severe flaws addressed in the latest patch are remote code execution vulnerabilities whereby an unauthenticated attacker could either execute PHP code using the REST or SOAP APIs or forcefully reinstall the application. Magento has addressed these two critical flaws as well as four other vulnerabilities in its latest version, 2.0.6. Administrators are strongly encouraged to update their Magento installations to the latest version.
Reference:
- https://magento.com/security/patches/magento-206-security-update
- http://netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
TeslaCrypt Ransomware Group Pulls Plug, Releases Decrypt Key http://www.darkreading.com/endpoint/teslacrypt-ransomware-group-pulls-plug-releases-decrypt-key/d/d-id/1325616
Reverse Engineering A Mysterious UDP Stream in My Hotel http://wiki.gkbrk.com/Hotel_Music.html
Pastejacking: Using JS to override clipboard contents and tricking users into running malicious commands https://github.com/dxa4481/Pastejacking
GSM/GPRS Traffic Interception for Penetration Testing Engagements https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/may/gsmgprs-traffic-interception-for-penetration-testing-engagements/
Kernel Waiter Exploit from the Hacking Team Leak Still Being Used http://blog.trendmicro.com/trendlabs-security-intelligence/kernel-waiter-exploit-from-the-hacking-team-leak-still-being-used/
============================================================
MOST PREVALENT MALWARE FILES 2016-05-17 - 2016-05-24: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76 MD5: 781a020ee3641da19fe4eba0fbab1444 VirusTotal: https://www.virustotal.com/file/4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76/analysis/#additional-info Typical Filename: ipvj.exe Claimed Product: (none) Detection Name: Trojan:Sality-tpd
SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B MD5: 0612402ad98c8c31cd6f2b914a419039 VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info Typical Filename: winretw.exe Claimed Product: (none) Detection Name: W32.Malware:Pramro.19di.1201
SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A MD5: cc9e1075db0645f1032f8c4b4412deba VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info Typical Filename: xsatr.exe Claimed Product: (none) Detection Name: W32.Crypt:SalityGR.18i0.1201
SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55 MD5: 51e63633487f9180ec8031980684bf86 VirusTotal: https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info Typical Filename: winkoebrc.exe Claimed Product: (none) Detection Name: W32.Malware:Pramro.19fy.1201
SHA 256: 83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD MD5: c913d292a9a907799526695c9ad3bfac VirusTotal: https://www.virustotal.com/file/xx/analysis/#additional-info Typical Filename: helperamc Claimed Product: Advanced Mac Cleaner Detection Name: OSX.83CEC41170.agent.tht.Talos
============================================================
SPAM STATS FOR 2016-05-17 - 2016-05-24:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM