Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: New Method “SandJacking” Potentially Allows Attackers to Install Malicious iOS Apps
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: The Continuing Evolution of Ransomware @ InfoSec Europe, London
Date: 2016-06-07 @ 11:20
Speaker: Martin Lee, Technical Leader
Description: Cyber criminals are adept at maximising their profit from compromised machines. Criminals have developed botnets to monetise compromised devices, developed DDoS as a form of extortion racket, and created dark markets to trade stolen personal data. Ransomware allows criminals to bypass fluctuating levels of supply and demand in underground markets and to set a price for compromised data with the person who values it most: the victim. In this session, Martin will share how ransomware has evolved, the advantages of ransomware as a criminal business model, and how we can expect ransomware to develop in the near future.
Reference: http://www.infosecurityeurope.com/en/Sessions/27345/The-Continuing-Evolution-of-Ransomware
Event: Cisco’s Secret Weapon “Talos” and the Evolving Threat Landscape @ InfoSec Belgium, Brussels
Date: 2016-06-15
Speaker: Holger Unterbrink, Technical Lead
Description: Talos is Cisco’s threat research group. Today’s IT organizations need security solutions that rely on leading threat intelligence to effectively safeguard their extended networks. Creating that threat intelligence is the focus of the Cisco Talos Security Intelligence and Research Group. In this session, you will learn what Talos is, learn about the scale and severity of the current threat landscape, discover how attackers target specific organizations and users, and understand changes in attacker behavior.
Reference: http://www.infosecurity.be/
Event: Emerging Threats - The State of Cyber Security @ Cisco Security Week, Boston
Date: 2016-06-22 and 2016-06-23
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Boston
Event: Emerging Threats - The State of Cyber Security @ Cisco Live USA, Las Vegas
Date: 2016-07-10 and 2016-07-14
Speaker: Craig Williams, Security Outreach Manager
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/us/learn/sessions/session-catalog/?search=BRKSEC-2010
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New Method “SandJacking” Potentially Allows Attackers to Install Malicious iOS Apps
Description: Chilik Tamir of mobile security firm Mi3 disclosed a previously unknown way of installing malicious iOS apps at Hack in the Box Amsterdam. Tamir had previously released a proof-of-concept tool called “Su-A-Cyder” that could be used to replace a legitimate app with a malicious one on an iOS device. He has since identified a new technique, “SandJacking”, that builds on the “Su-A-Cyder” method and works on the latest iOS versions. The new method leverages the iOS backup-and-restore process. The issue has been reported to Apple, but no patch has yet been released.
Reference: https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Chilik%20Tamir%20-%20Profiting%20from%20iOS%20Malware.pdf
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex Code Reuse Attacks http://blog.talosintel.com/2016/06/ropmemu.html?f_l=s
Inside The Million-Machine Clickfraud Botnet https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/
Dridex Poses as Fake Certificate in Latest Spam Run http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/?
DDoS Attacks via TFTP Protocol Become a Reality After Research Goes Public http://news.softpedia.com/news/ddos-attacks-via-tftp-protocol-become-a-reality-after-research-goes-public-504713.shtml
SWIFT attackers’ malware linked to more financial attacks http://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
============================================================
MOST PREVALENT MALWARE FILES 2016-05-24 - 2016-05-31: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 671F56304C53B1C54736ED760C65A99955258D18A5EFA2C39989FFB62F4F9D97
MD5: 971d031e0468644ccbadbf22270f5b6c
VirusTotal: https://www.virustotal.com/file/671F56304C53B1C54736ED760C65A99955258D18A5EFA2C39989FFB62F4F9D97/analysis/#additional-info
Typical Filename: le2438.zip
Claimed Product: N/A
Detection Name: W32.671F56304C-100.SBX.VIOC

SHA 256: 848F73D2A209B00283A244C764E990E22DDD4F999B0AE4D3E37A21824569C8DF
MD5: 9197b4fa7e0004c3738e04eecc5acb71
VirusTotal: https://www.virustotal.com/file/848F73D2A209B00283A244C764E990E22DDD4F999B0AE4D3E37A21824569C8DF/analysis/#additional-info
Typical Filename: 5668190953.doc
Claimed Product: N/A
Detection Name: W32.848F73D2A2-100.SBX.TG

SHA 256: D6F0900270940398C4C0673D4AF77B9158A24F69E8DCB39F9EBB6F949E59D9A6
MD5: 371fa4d720b241cc1b21c80970e3262a
VirusTotal: https://www.virustotal.com/file/D6F0900270940398C4C0673D4AF77B9158A24F69E8DCB39F9EBB6F949E59D9A6/analysis/#additional-info
Typical Filename: contract_3101747.doc
Claimed Product: N/A
Detection Name: W32.D6F0900270-100.SBX.TG

SHA 256: 25D0963F8E33FA800F9E0A1700FE15A441D6E04B18D522DED18672A044569BCA
MD5: 2d0e3c6a1ca54a92250317eeeec0df18
VirusTotal: https://www.virustotal.com/file/25D0963F8E33FA800F9E0A1700FE15A441D6E04B18D522DED18672A044569BCA/analysis/#additional-info
Typical Filename: sogouexe.exe
Claimed Product: “???????” (non-ASCII product name not preserved in the source)
Detection Name: W32.25D0963F8E-100.SBX.VIOC

SHA 256: 93E434C5554AED4C0770D4F58F1AD56EB7208109A84473FE39CBB6BC4E8E85F7
MD5: 16e9736ea3577e7844d67f96b738faf2
VirusTotal: https://www.virustotal.com/file/93E434C5554AED4C0770D4F58F1AD56EB7208109A84473FE39CBB6BC4E8E85F7/analysis/#additional-info
Typical Filename: 6013190921.doc
Claimed Product: N/A
Detection Name: W32.93E434C555-100.SBX.TG
============================================================
SPAM STATS FOR 2016-05-24 - 2016-05-31:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM