Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: LastPass Addresses Security Flaw Identified by Researcher Tavis Ormandy
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Black Hat USA 2016
Date: 2016-08-03 - 2016-08-04
Description: Talos will be at Black Hat USA 2016! Join us on August 4th in Business Hall Theater B at 13:20 to hear Craig Williams and Matt Olney discuss Talos’ interdiction efforts against major threat actors and the lessons we’ve learned disrupting and degrading actor capability before they affect our customers. Talos will also be at the Cisco booth on the vendor floor where we will have ongoing lightning talks on our threat research capabilities.
Reference: https://www.blackhat.com/us-16/sponsored-sessions.html#driving-global-interdiction-against-major-threat-actors

Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco Security Week - Montreal, Canada
Date: 2016-09-21 - 2016-09-22
Speaker: Nick Biasini, Threat Researcher
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Montreal

Event: The Continuing Evolution of Ransomware - Cisco Connect, Sweden
Date: 2016-09-21
Speaker: Martin Lee, Technical Lead
Description: Selling personal data on dark market forums is passé. Ransomware is the new profitable business model for cyber crime. Discover how ransomware has evolved, the latest strategies used by cyber criminals, and how the next generation of ransomware will pose new threats to organisations. In this session, Talos will present how ransomware has evolved, the advantages of ransomware as a criminal business model, and how we can expect ransomware to develop in the near future.
Reference: http://ciscoconnect.se
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: LastPass Addresses Security Flaw Identified by Researcher Tavis Ormandy
Description: LastPass has addressed a security flaw within the LastPass Firefox plugin, which was identified by Google Project Zero’s Tavis Ormandy. Per the Project Zero bug, the LastPass Firefox plugin injects styling and event handlers into the web page “to create a privileged iframe.” An attacker could have exploited this flaw to insert their own handler in a web page to “modify legitimate messages.” LastPass has addressed the issue and pushed out an update for the Firefox plugin. Users can also manually update their plugins to ensure the patch is applied.
Reference:
- https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
- https://bugs.chromium.org/p/project-zero/issues/detail?id=884

Title: Google Releases Monthly Android Security Bulletin
Description: Google has released their monthly Android security bulletin to address vulnerabilities within the mobile OS. This month’s bulletin is divided into two patch levels to “provide Android partners with the flexibility” to address common Android components shared across all Android devices. In total, 102 vulnerabilities were addressed across both patch levels, 3 of them Critical Mediaserver bugs that could allow arbitrary code execution. Another 3 dozen or so vulnerabilities within Qualcomm components were also addressed in the 2015-08-05 patch level.
Reference: https://source.android.com/security/bulletin/2016-08-01.html
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
AdGholas Malvertising Campaigns Use Steganography and File Whitelisting to Hide in Plain Sight https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight
Protecting Android with more Linux kernel defenses http://android-developers.blogspot.com/2016/07/protecting-android-with-more-linux.html
Advanced Man In The Middle Framework: Xerosploit https://n0where.net/advanced-man-in-the-middle-framework-xerosploit/
Macro Intruders: Sneaking Past Office Defenses http://blog.talosintel.com/2016/08/macro-intruders-sneaking-past-office.html
How to steal $2,999.99 in less than 2 minutes with Venmo and Siri http://www.martinvigo.com/steal-2999-99-minute-venmo-siri/
============================================================
MOST PREVALENT MALWARE FILES 2016-07-26 - 2016-08-02 COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: winudad.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19it.1201

SHA 256: 53C7C527A0B32FB5CF6595ED38998C8CAA9E58479F9D488DB42A9B68A43DF256
MD5: 63f960169c42435dc2c14d27940823b4
VirusTotal: https://www.virustotal.com/file/53C7C527A0B32FB5CF6595ED38998C8CAA9E58479F9D488DB42A9B68A43DF256/analysis/#additional-info
Typical Filename: debit_request_184841.doc
Claimed Product: N/A
Detection Name: W32.53C7C527A0-100.SBX.TG

SHA 256: A94C270CF628545811D23971D0870D542C24BCEEF85C0D25F35BF4DAF248DBBB
MD5: 163bcafa5b24717417828e0f002ada5e
VirusTotal: https://www.virustotal.com/file/A94C270CF628545811D23971D0870D542C24BCEEF85C0D25F35BF4DAF248DBBB/analysis/#additional-info
Typical Filename: debit_request_102481.doc
Claimed Product: N/A
Detection Name: W32.A94C270CF6-100.SBX.TG

SHA 256: F4CE531223B5108624AD9AB2EF48611D687B5366DB586F92276E04B53A4BA384
MD5: ba3689a320c8707196f1287d122bdd25
VirusTotal: https://www.virustotal.com/file/F4CE531223B5108624AD9AB2EF48611D687B5366DB586F92276E04B53A4BA384/analysis/#additional-info
Typical Filename: SGDownload.exe
Claimed Product: “???????”
Detection Name: W32.F4CE531223-100.SBX.VIOC

SHA 256: 6F6F7B10AA9BA70F3D4A1B4F75136F3351293DE78B29FE175B971EF127B1E07C
MD5: c1480b553be76792084adf1d7dae8e15
VirusTotal: https://www.virustotal.com/file/CE9F82CCAD9C1C59C3A2688717E6830A48CBA07FD1C4603B4BD3A07FB0967DEE/analysis/#additional-info
Typical Filename: seupgrade1613.exe
Claimed Product: (none)
Detection Name: W32.6F6F7B10AA-100.SBX.VIOC
============================================================
SPAM STATS FOR 2016-07-26 - 2016-08-02:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM