Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Apple Patches Trio of Vulnerabilities (AKA "Trident") in Mac OS X and Safari
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: The Continuing Evolution of Ransomware - Cisco Connect, Sweden Date: 2016-09-21 Speaker: Martin Lee, Technical Lead Description: Selling personal data on dark market forums is passé. Ransomware is the new profitable business model for cyber crime. Discover how ransomware has evolved, the latest strategies used by cyber criminals, and how the next generation of ransomware will pose new threats to organisations. In this session, Talos will present how ransomware has evolved, the advantages of ransomware as a criminal business model, and how we can expect ransomware to develop in the near future. Reference: http://ciscoconnect.se
Event: Talos - Cisco's Key to Understanding the Threat Landscape @ Cisco Security Week - Montreal, Canada Date: 2016-09-21 - 2016-09-22 Speaker: Nick Biasini, Threat Researcher Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Montreal
Event: Talos - Cisco's Key to Understanding the Threat Landscape @ Cisco Security Week - Dallas Date: 2016-10-05 - 2016-10-06 Speaker: William Largent, Threat Researcher Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Dallas
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Apple Patches Trio of Vulnerabilities (AKA "Trident") in Mac OS X and Safari Description: Apple has released two security advisories for Mac OS X and Safari to address the three iOS 0-day vulnerabilities identified by Citizen Labs and Lookout Security targeting human rights activists. The three vulnerabilities (CVE-2016-4655, CVE-2016-4656, CVE-2016-4657) were all recently patched in iOS 9.3.5, but had not yet been patched for Mac OS X and Safari. Apple's latest updates fix the same issues for Mac OS X and Safari. Users are advised to update their Macs accordingly. Reference: - https://support.apple.com/kb/HT207130 - https://support.apple.com/kb/HT207131 Snort SID: Detection pending release of vulnerability information
Title: Cisco Issues Two Critical Security Advisories for Sx 220 Series Switches and WebEx Meeting Center Description: Cisco has released a pair of critical security advisories for Cisco Small Business 220 Series Smart Plus (Sx220) Switches and WebEx Meeting Center. The flaw in Sx200 series switches, CVE-2016-1473, is an unauthorized access vulnerability in the SNMP functionality where an attackers could gain "unauthorized access to SNMP objects on an affected device." The other flaw affecting WebEx Meeting Center, CVE-2016-1464, is an arbitrary code execution flaw which manifests due to improper handling of user-supplied files. Cisco has released software and firmware updates that address both flaws. Cisco also notes that no workarounds are available for either flaw. Reference: - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-sps3 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160831-meetings-player Snort SID: 39994, 40013-40014
Title: Google Releases Patch for Critical Memory Dumping Flaw in Nexus 5X Description: Researchers at IBM X-Force have identified a critical flaw in certain Nexus 5X bootloaders that could potentially allow an attacker to dump memory of the device. The vulnerability in question is exploitable via "physical or nonphysical attackers with Android Debug Bridge (ADB) access to the device." If an attacker issues a 'fastboot oem panic' command "via the fastboot USB interface," the device would crash and "cause the bootloader to expose a serial-over-USB connection." This "would allow an attacker to obtain a full memory dump of the device." Google has acknowledged the issue and have patched the vulnerability. Reference: https://securityintelligence.com/undocumented-patched-vulnerability-in-nexus-5x-allowed-for-memory-dumping-via-usb/
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Snagging creds from locked machines https://room362.com/post/2016/snagging-creds-from-locked-machines/
Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted http://blog.talosintel.com/2016/09/shadowgate-takedown.html?f_l=s
Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?
Creating Malicious Outlook Rules https://labs.mwrinfosecurity.com/blog/malicous-outlook-rules/
Apple, Fox News, and ACLU join Microsoft's fight against secret data demands http://www.zdnet.com/article/why-the-aclu-fox-news-and-microsoft-are-fighting-the-us-government/
=========================================================
MOST PREVALENT MALWARE FILES 2016-08-30 - 2016-09-06: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B MD5: 0612402ad98c8c31cd6f2b914a419039 VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info Typical Filename: gfhppi.exe Claimed Product: (none) Detection Name: W32.Malware:Pramro.19it.1201
SHA 256: D33560FD760BB1DAD9988F7E1E5C7FA19B5D4DBBC2F585125F0D4D788A8F7F85 MD5: 632e4213f00a23820ce4e0606abd1873 VirusTotal: https://www.virustotal.com/file/D33560FD760BB1DAD9988F7E1E5C7FA19B5D4DBBC2F585125F0D4D788A8F7F85/analysis/#additional-info Typical Filename: ApplicationManager Claimed Product: (none) Detection Name: OSX.MAC:Malwaregen.19j3.1201
SHA 256: 5D90E71DED74F744E01F30A80AE938B9259B298476C919E4014EF32A392A15C7 MD5: f108b4538360491d7421fe18edc1c5e8 VirusTotal: https://www.virustotal.com/file/5D90E71DED74F744E01F30A80AE938B9259B298476C919E4014EF32A392A15C7/analysis/#additional-info Typical Filename: pinyinup.exe Claimed Product: "???????" Detection Name: W32.5D90E71DED-100.SBX.VIOC
SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A MD5: cc9e1075db0645f1032f8c4b4412deba VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info Typical Filename: winwxwrp.exe Claimed Product: (none) Detection Name: W32.Crypt:Rootkitgen.19j1.1201
SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55 MD5: 51e63633487f9180ec8031980684bf86 VirusTotal: https://www.virustotal.com/file/ADE8BC9B9A13C537FF8F1B61987D4F6839C63325A4A84426EF087DA11241AF17/analysis/#additional-info Typical Filename: winxbhny.exe Claimed Product: (none) Detection Name: W32.ADE8BC9B9A-100.SBX.VIOC
============================================================
SPAM STATS FOR 2016-08-30 - 2016-09-06
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM