Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Mirai Variant Targets Modems Used By Deutsche Telekom Customers
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco Security Week - Seattle Date: 2016-12-13 - 2016-12-14 Speaker: Earl Carter, Technical Leader Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Seattle
Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco On The Road (Boston, MA) Date: 2016-12-15 Speaker: Nick Biasini, Threat Researcher Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. Reference: http://demand.cisco.com/CiscoOnTheRoad
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Mirai Variant Targets Modems Used By Deutsche Telekom Customers Description: Researchers have been observing what appears to be a Mirai botnet variant targeting Deutsche Telekom customers who use a certain DSL modem. The attacks appear to be exploiting a bug in the implementation of the TR-069 standard resulting in modems “hanging”, creating a denial of service for customers who are affected. Deutsche Telekom has developed a patch for the bug that is being exploited and is currently in the process of rolling it out. Reference: https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/ Snort SID: 40519-40523,40597-40601,40612
Title: Researcher Identifies Bug in Paypal’s OAuth Implementation Description: A researcher has identified a bug in Paypal’s OAuth implementation that could have resulted in tokens leaking. The flaw in questions manifests in the token request and acquisition process where the Paypal Authorization Server was also accepting localhost as a redirect_uri. The flaw in question has been fixed by Paypal. Reference: http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox, Open Popups and more https://www.brokenbrowser.com/abusing-of-protocols/
CyberChef - A web app for encryption, encoding, compression and data analysis https://github.com/gchq/CyberChef/
Cerber Spam: Tor All the Things! http://blog.talosintel.com/2016/11/cerber-spam-tor.html
San Francisco Rail System Hacker Hacked https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/
Uber Portal Leaked Names, Phone Numbers, Email Addresses, Unique Identifiers https://threatpost.com/uber-portal-leaked-names-phone-numbers-email-addresses-unique-identifiers/122128/
InPage zero-day exploit used to attack financial institutions in Asia https://securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/
=========================================================
MOST PREVALENT MALWARE FILES 2016-11-22 - 2016-11-29: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739 MD5: fa1f769475516b03881602d0824cae12 VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info Typical Filename: PrinterInstallerClientUpdater.exe Claimed Product: Printer Logic Client Updater Detection Name: W32.AE7327F36A-95.SBX.TG
SHA 256: aa2e15ad8957705b3f6116f7eb0e9ad2bc88ad607ef5adde4f34297d3be91d17 MD5: 2f2d83a6f2aabfe9e7fd93545ff3fc92 VirusTotal: https://www.virustotal.com/file/aa2e15ad8957705b3f6116f7eb0e9ad2bc88ad607ef5adde4f34297d3be91d17/analysis/#additional-info Typical Filename: Michael_Harney_Resignation.xls Claimed Product: N/A Detection Name: W32.AA2E15AD89-100.SBX.TG
SHA 256: 1ec604fddc790c1201e9e2f545083d031ad39daba164175f623e41536aec50c6 MD5: bab3f4078f4642bb9bf9cca74f992b19 VirusTotal: https://www.virustotal.com/file/1ec604fddc790c1201e9e2f545083d031ad39daba164175f623e41536aec50c6/analysis/#additional-info Typical Filename: helperamc Claimed Product: Advanced Mac Cleaner Detection Name: OSX.Variant.19lv.1201
SHA 256: a1cf9698dc5d818e442868938aa11b9f8c78b1e5fc680f4d4e26c7cb5965a5d9 MD5: 0ffd7c95519e9006cffe2084e72101a8 VirusTotal: https://www.virustotal.com/file/a1cf9698dc5d818e442868938aa11b9f8c78b1e5fc680f4d4e26c7cb5965a5d9/analysis/#additional-info Typical Filename: FedEx.doc Claimed Product: N/A Detection Name: W32.A1CF9698DC-100.SBX.TG
SHA 256: bcbe3da40fb46c6ae214a3e2b07ffeea422c9e8a937ed3caab5ac36cc0b61ba5 MD5: cfaead6efec6ed5d50bd6033a1cc6442 VirusTotal: https://www.virustotal.com/file/bcbe3da40fb46c6ae214a3e2b07ffeea422c9e8a937ed3caab5ac36cc0b61ba5/analysis/#additional-info Typical Filename: Fedex.doc Claimed Product: N/A Detection Name: W32.BCBE3DA40F-100.SBX.TG
============================================================
SPAM STATS FOR 2016-11-22 - 2016-11-29
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM