Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Microsoft Releases Monthly Security Bulletins for August 2016
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco Security Week - Montreal, Canada
Date: 2016-09-21 - 2016-09-22
Speaker: Nick Biasini, Threat Researcher
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Montreal

Event: The Continuing Evolution of Ransomware - Cisco Connect, Sweden
Date: 2016-09-21
Speaker: Martin Lee, Technical Lead
Description: Selling personal data on dark market forums is passé. Ransomware is the new profitable business model for cyber crime. Discover how ransomware has evolved, the latest strategies used by cyber criminals, and how the next generation of ransomware will pose new threats to organisations. In this session, Talos will present how ransomware has evolved, the advantages of ransomware as a criminal business model, and how we can expect ransomware to develop in the near future.
Reference: http://ciscoconnect.se
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Releases Monthly Security Bulletins for August 2016
Description: This month’s release contains 9 bulletins addressing 28 vulnerabilities. Five bulletins are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address flaws in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.
Reference: https://technet.microsoft.com/en-us/library/security/ms16-aug
Snort SID: 39808-39829, 39831-39844
Title: Apple Releases Critical Security Update for iOS Devices
Description: Apple has released a critical security update for iOS devices addressing CVE-2016-4654, an arbitrary code execution flaw in IOMobileFrameBuffer. Exploiting CVE-2016-4654 could allow an application to execute “arbitrary code with kernel privileges”; the flaw stems from improper handling of objects in memory. Users are advised to update their iOS devices as soon as possible.
Reference: https://support.apple.com/en-us/HT207026
Snort SID: Detection pending release of vulnerability information
Title: Hancom Patches Multiple Code Execution Flaws in Hangul Office
Description: Hancom has released a security update to address several arbitrary code execution flaws identified by researchers at Cisco Talos. Multiple vulnerabilities exist within Hancom Office Hcell and Hshow that can be exploited if a user opens a specially crafted Hshow (.hpt) or Hcell (.cell) file.
Reference: http://blog.talosintel.com/2016/08/hancom-office-vulnerabilities.html
Snort SID: 38856-38859, 38868-38869, 39049-39050, 39110-39111, 39757-39762
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Research Papers and Presentations from Black Hat USA 2016 https://www.blackhat.com/us-16/briefings.html
Slides from DEF CON 2014 Presentations https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/
Data Breach At Oracle’s MICROS Point-of-Sale Division http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/
DARPA Cyber Grand Challenge Ends With Mayhem http://www.eweek.com/security/darpa-cyber-grand-challenge-ends-with-mayhem.html
A Sneak Peek at Pokemon Go Application Forensics http://digital-forensics.sans.org/blog/2016/08/09/a-sneak-peek-at-pokemon-go-application-forensics
============================================================
MOST PREVALENT MALWARE FILES 2016-08-02 - 2016-08-09: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: BCFFDA040C93B743BCA1A67128EC1F60595DC0B14655AFD7949B6C779E0E997F
MD5: 2dbf779808d2ec3f5121891be9f4b1cf
VirusTotal: https://www.virustotal.com/file/BCFFDA040C93B743BCA1A67128EC1F60595DC0B14655AFD7949B6C779E0E997F/analysis/#additional-info
Typical Filename: helperamc
Claimed Product: (none)
Detection Name: OSX.Variant:AMCZ.19if.1201

SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: winllvnh.exe
Claimed Product: (none)
Detection Name: W32.Malware:Pramro.19it.1201

SHA 256: 35364EEC4A1BCED57F333E09B63FBBC0D6FC2B3B624C519CC011E0C551D1EF9B
MD5: 898ab98f937478a42b3516119cc655fc
VirusTotal: https://www.virustotal.com/file/35364EEC4A1BCED57F333E09B63FBBC0D6FC2B3B624C519CC011E0C551D1EF9B/analysis/#additional-info
Typical Filename: UPS_invoice-08083JJA.docx
Claimed Product: N/A
Detection Name: W32.35364EEC4A-100.SBX.TG

SHA 256: CFBE18C008E3D281CF57B5520C32B5DDD121F1BDEAA5DA2916848B1B49CF1BFC
MD5: 2679e3e2dd6d2aa6fc669640d9e973f4
VirusTotal: https://www.virustotal.com/file/CFBE18C008E3D281CF57B5520C32B5DDD121F1BDEAA5DA2916848B1B49CF1BFC/analysis/#additional-info
Typical Filename: invoice_428421.doc
Claimed Product: N/A
Detection Name: W32.CFBE18C008-100.SBX.TG

SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A
MD5: cc9e1075db0645f1032f8c4b4412deba
VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info
Typical Filename: trfawd.exe
Claimed Product: (none)
Detection Name: W32.Crypt:Rootkitgen.19iu.1201
============================================================
SPAM STATS FOR 2016-08-02 - 2016-08-09
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM