Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Microsoft Releases Monthly Security Bulletins for October 2016
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos EMEAR Security Threat Briefing - Free Webinar
Date: 2016-10-18 @ 10:00 CET
Speaker: Martin Lee, Technical Leader Security Research
Description: There is no such thing as a new crime. Adversaries are adept at adapting and refining criminal business models and applying them to modern technology. The security experts at Talos invite you to their EMEAR threat briefing, where they will share their insights into recent attacks and present the implications of these attacks for future trends.
Reference: https://grs.cisco.com/grsx/cust/grsEventSite.html?EventCode=14711&LanguageId=1&KeyCode=001324753

Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco On The Road - King of Prussia, PA
Date: 2016-11-15
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://demand.cisco.com/CiscoOnTheRoad

Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco Security Week - Minneapolis
Date: 2016-11-15 - 2016-11-16
Speaker: William Largent, Threat Researcher
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Minneapolis

Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco Security Week - Seattle
Date: 2016-12-13 - 2016-12-14
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Seattle
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Releases Monthly Security Bulletins for October 2016
Description: Microsoft has released 10 bulletins for October to address 37 newly disclosed security flaws. Five bulletins are rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in the Microsoft Internet Messaging API.
Reference: https://technet.microsoft.com/en-us/library/security/ms16-oct.aspx
Snort SID: 40364-40381, 40383-40405, 40408-40412, 40418-40428

Title: Adobe Releases Security Bulletin for Flash Player, PDF Reader, and Acrobat
Description: Adobe has released security bulletins for Flash Player, PDF Reader, and Acrobat to address a multitude of vulnerabilities. The Flash Player bulletin remediates 12 vulnerabilities that could be used to achieve remote code execution. The PDF Reader and Acrobat security bulletin remediates 71 vulnerabilities that could also be used to achieve arbitrary code execution or to bypass security features or restrictions. The vast majority of the vulnerabilities addressed in Flash Player, PDF Reader, and Acrobat are memory corruption flaws, use-after-free flaws, heap buffer overflow flaws, and type confusion flaws. Users who have Flash Player installed should consider uninstalling it if it’s not business critical. All users should otherwise immediately patch Flash Player, PDF Reader, and Acrobat if they are installed.
Reference:
- https://helpx.adobe.com/content/help/en/security/products/flash-player/apsb16-32.html
- https://helpx.adobe.com/security/products/acrobat/apsb16-33.html
Snort SID: Detection pending release of vulnerability information

Title: Cisco Releases Critical Security Advisories for Nexus Family of Products
Description: Cisco has released two critical security advisories for its Nexus family of products that could be exploited to achieve code execution or bypass security restrictions on the targeted device. The first advisory addresses CVE-2016-1453, a buffer overflow vulnerability that manifests due to “incomplete input validation performed on the size of OTV packet header parameters.” The other advisory addresses CVE-2015-0721, a security feature bypass vulnerability that manifests as a failure to enforce “authentication, authorization, and accounting restrictions,” potentially allowing an authenticated adversary to “execute commands on the device command-line interface (CLI) that should be restricted to a different privileged user role.” Cisco has released a software update that corrects these issues.
Reference:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-otv
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-nxaaa
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Say Cheese: a snapshot of the massive DDoS attacks coming from IoT cameras https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/
IAEA chief: Nuclear power plant was disrupted by cyber attack http://www.reuters.com/article/us-nuclear-cyber-idUSKCN12A1OC
Remsec driver analysis http://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html
Teaching Machines Security: Identifying Botnet Panels https://blog.cylance.com/teaching-machines-security-identifying-botnet-panels
Nymaim: Deep Technical Dive - Adventures in Evasive Malware http://www.seculert.com/blogs/nymaim-deep-technical-dive-adventures-in-evasive-malware
US NIST Submits Mobile Threat Catalogue for Comment by Public https://pages.nist.gov/mobile-threat-catalogue/
============================================================
MOST PREVALENT MALWARE FILES 2016-10-04 - 2016-10-11: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
============================================================
SPAM STATS FOR 2016-10-04 - 2016-10-11
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM