Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Apple Releases Critical Security Updates for Mac OS X, iOS, watchOS, and Other Applications
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Emerging Threats - The State of Cyber Security @ BSides Detroit, MI
Date: 2016-07-16
Speaker: Tazz, Threat Researcher
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis needed to defend networks against an ever-changing threat landscape, drawing on Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.securitybsides.com/w/page/102483046/BSidesDetroit16
Event: Black Hat USA 2016
Date: 2016-08-03 - 2016-08-04
Description: Talos will be at Black Hat USA 2016! Join us on August 4th in Business Hall Theater B at 13:20 to hear Craig Williams and Matt Olney discuss Talos’ interdiction efforts against major threat actors and the lessons we’ve learned disrupting and degrading actor capability before they affect our customers. Talos will also be at the Cisco booth on the vendor floor, where we will have ongoing lightning talks on our threat research capabilities.
Reference: https://www.blackhat.com/us-16/sponsored-sessions.html#driving-global-interdiction-against-major-threat-actors
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Apple Releases Critical Security Updates for Mac OS X, iOS, watchOS, and Other Applications
Description: Apple has released seven security bulletins addressing vulnerabilities identified in Mac OS X, iOS, watchOS, iTunes, and Safari. Several of the OS X, iOS and watchOS vulnerabilities are rated critical because they are remote code execution flaws that could be triggered by a maliciously crafted image file, for example one delivered via MMS. Many other critical and important vulnerabilities were also addressed in these bulletins. Users are advised to install these security updates as soon as possible.
Reference: https://support.apple.com/en-us/HT201222
Snort SID: Detection pending release of vulnerability information
Title: ISC Releases Security Advisory for a Denial of Service Vulnerability in BIND
Description: ISC has released a security advisory for CVE-2016-2775, a remotely exploitable vulnerability that can cause a denial of service. The flaw is triggered when lwresd (the lightweight resolver daemon) is configured to accept connections from remote clients and receives a query whose name exceeds the maximum allowable length; deployments where lwresd only listens for local clients are not reachable by a remote attacker. ISC has released updated versions of BIND to correct this issue.
Reference: https://kb.isc.org/article/AA-01393
Snort SID: Detection pending release of vulnerability information
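The advisory's trigger condition is lwresd accepting connections from remote clients, which is a configuration question before it is a patching question. The script below is an added example, not ISC tooling: it audits a BIND named.conf for `lwres { listen-on { ... }; }` addresses outside loopback. The sample configurations are constructed, and it assumes the documented BIND 9 default of 127.0.0.1 port 921 when an lwres block has no listen-on.

```python
"""Audit a BIND named.conf for lwresd listeners reachable from off-host.

Added example, not ISC tooling. The advisory's trigger condition is lwresd
accepting remote client connections, so this checks whether any address in
an `lwres { listen-on { ... }; }` block lies outside loopback. The sample
configurations are constructed. Assumption: with no listen-on, lwresd uses
BIND 9's documented default of 127.0.0.1 port 921.
"""
import ipaddress
import re

# Constructed sample: loopback only (the BIND 9 default).
SAFE_CONF = """
options { directory "/var/named"; };
lwres {
    listen-on { 127.0.0.1 port 921; ::1 port 921; };  // local clients only
    view "default";
};
"""

# Constructed sample: wildcard bind plus an explicit LAN address; both accept
# connections from remote hosts.
EXPOSED_CONF = """
lwres {
    listen-on { 0.0.0.0 port 921; 192.0.2.10; };
};
"""

DEFAULT_LISTENER = ("127.0.0.1", 921)  # assumption: BIND 9 documented default
_ADDR = re.compile(r"([0-9A-Fa-f:.]+)(?:\s+port\s+(\d+))?\s*;")


def strip_comments(conf: str) -> str:
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    conf = re.sub(r"//[^\n]*", "", conf)
    return re.sub(r"#[^\n]*", "", conf)


def block_bodies(conf: str, keyword: str) -> list:
    """Return the text inside every `keyword { ... }` block, matching braces
    by depth so nested blocks (listen-on inside lwres) do not cut it short."""
    bodies = []
    for m in re.finditer(rf"\b{re.escape(keyword)}\s*\{{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies


def lwres_listeners(conf: str) -> list:
    """(address, port) pairs lwresd will bind to, across all lwres blocks."""
    listeners = []
    for body in block_bodies(strip_comments(conf), "lwres"):
        listen_blocks = block_bodies(body, "listen-on")
        if not listen_blocks:
            listeners.append(DEFAULT_LISTENER)
            continue
        for lb in listen_blocks:
            for addr, port in _ADDR.findall(lb):
                listeners.append((addr, int(port) if port else 921))
    return listeners


def remote_exposed(conf: str) -> list:
    """Listeners a remote client could reach: anything not on a loopback address.
    Unparseable addresses are reported too, rather than silently assumed safe."""
    exposed = []
    for addr, port in lwres_listeners(conf):
        try:
            if ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass
        exposed.append((addr, port))
    return exposed


if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("exposed", EXPOSED_CONF)):
        print(label, remote_exposed(conf) or "no remote listeners")
```

A wildcard address (0.0.0.0 or ::) counts as exposed even if a host firewall blocks port 921, because the check is about what lwresd itself will accept; pair it with the firewall review rather than substituting for it.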
Title: Cisco, Juniper Release Security Advisories for Various Products
Description: Cisco Systems and Juniper Networks have released security advisories for flaws identified in IOS XR and Junos respectively. The IOS XR flaw, CVE-2016-1426, could lead to a denial of service condition because the system leaks timer resources. Flaws affecting Junos include CVE-2016-1279, an information disclosure flaw; CVE-2016-1278, an authentication bypass that could allow an attacker to log in as root without a password; and CVE-2016-1276, a denial of service flaw. Both Cisco and Juniper have released updated software correcting these issues.
Reference: http://www.securityweek.com/cisco-juniper-patch-operating-system-flaws
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
HHS: Healthcare groups must report all ransomware attacks http://www.scmagazine.com/hhs-healthcare-groups-must-report-all-ransomware-attacks/article/509630/
Reverse engineering DUBNIUM - Stage 2 payload analysis https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/
Lucky Green abandons Tor Project over ethics, takes core node with him http://www.zdnet.com/article/lucky-green-abandons-tor-project-over-ethics-takes-nodes-with-him/
SYN Flood Mitigation with synsanity http://githubengineering.com/syn-flood-mitigation-with-synsanity/
Own a printer, own a network with point and print drive-by http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack
============================================================
MOST PREVALENT MALWARE FILES 2016-07-12 - 2016-07-19: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E
MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9
VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: (none)
Detection Name: OSX.Variant:SpigotD.19d2.1201

SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: icqolp.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19di.1201

SHA 256: 0F24FFFB0EC8C675151EE1E211130A2062855DE46882B07DCDF8F16AD60030DF
MD5: 5b7d751bd2bd34a188f62a0a9270e225
VirusTotal: https://www.virustotal.com/file/0F24FFFB0EC8C675151EE1E211130A2062855DE46882B07DCDF8F16AD60030DF/analysis/#additional-info
Typical Filename: ocp264D.tmp
Claimed Product: “Rec Helper”
Detection Name: W32.0F24FFFB0E-95.SBX.TG

SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55
MD5: 51e63633487f9180ec8031980684bf86
VirusTotal: https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info
Typical Filename: winifue.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19fy.1201

SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A
MD5: cc9e1075db0645f1032f8c4b4412deba
VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info
Typical Filename: kvfmt.exe
Claimed Product:
Detection Name: W32.Crypt:Rootkitgen.19hf.1201
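The hashes above are most useful when they are actually checked against hosts. The script below is an added example, not Talos tooling: it streams every file under a directory through MD5 and SHA-256 and matches the pair against the five samples listed above, reporting an MD5-only or SHA-256-only hit separately from a full match so a cheap MD5 collision or a mistyped hash is not mistaken for confirmation. The IOC table is copied from the list above; the scan directory and its contents are constructed so the script runs offline.

```python
"""Check local files against the hashes in this week's most prevalent
malware list.

Added example, not Talos tooling. The IOC table is copied from the list
above; the scan directory and its contents are constructed here so the
script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# (SHA-256, MD5, typical filename, detection name) as listed above.
IOC_LIST = [
    ("F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E",
     "de04a6ee625c7b8dd09ce22cd5cfb2e9", "ApplicationManager",
     "OSX.Variant:SpigotD.19d2.1201"),
    ("F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B",
     "0612402ad98c8c31cd6f2b914a419039", "icqolp.exe",
     "W32.Malware:Pramro.19di.1201"),
    ("0F24FFFB0EC8C675151EE1E211130A2062855DE46882B07DCDF8F16AD60030DF",
     "5b7d751bd2bd34a188f62a0a9270e225", "ocp264D.tmp",
     "W32.0F24FFFB0E-95.SBX.TG"),
    ("F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55",
     "51e63633487f9180ec8031980684bf86", "winifue.exe",
     "W32.Malware:Pramro.19fy.1201"),
    ("8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A",
     "cc9e1075db0645f1032f8c4b4412deba", "kvfmt.exe",
     "W32.Crypt:Rootkitgen.19hf.1201"),
]
# Lookup tables keyed on lower-case hex so case differences never hide a hit.
BY_SHA256 = {sha.lower(): (md5.lower(), name, det) for sha, md5, name, det in IOC_LIST}
BY_MD5 = {md5.lower(): sha.lower() for sha, md5, _, _ in IOC_LIST}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streaming so large files fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def classify(md5, sha256):
    """Compare an (md5, sha256) pair with the IOC table.

    Returns (verdict, detection_name). Verdicts:
      "match"       both digests agree with one listed sample
      "sha256-only" SHA-256 listed but MD5 differs: the table entry or the
                    input was mistyped, so verify before acting
      "md5-only"    only the MD5 matches; MD5 collisions are cheap, so treat
                    this as a lead, not a confirmation
      None          no hit
    """
    md5, sha256 = md5.lower(), sha256.lower()
    if sha256 in BY_SHA256:
        listed_md5, _, det = BY_SHA256[sha256]
        return ("match" if listed_md5 == md5 else "sha256-only"), det
    if md5 in BY_MD5:
        return "md5-only", BY_SHA256[BY_MD5[md5]][2]
    return None, None


def scan(root):
    """Hash every regular file under root; return [(path, verdict, detection)]."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        verdict, det = classify(*hash_file(path))
        if verdict:
            hits.append((str(path), verdict, det))
    return hits


def make_sample_dir():
    """Constructed input: a temp dir holding one benign file. Returns (dir, file)."""
    root = tempfile.mkdtemp(prefix="talos-ioc-")
    sample = os.path.join(root, "notes.txt")
    with open(sample, "wb") as fh:
        fh.write(b"hello")
    return root, sample


if __name__ == "__main__":
    root, _ = make_sample_dir()
    for hit in scan(root) or [("(no files matched)", "", "")]:
        print(*hit)
```

Point `scan()` at a download or temp directory on a suspect host; because the file is read once and both digests are computed from the same stream, a match is a full-file match, while a "md5-only" verdict should be escalated by pulling the file and checking its SHA-256 rather than acted on directly.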
============================================================
SPAM STATS FOR 2016-07-12 - 2016-07-19:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM