Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Microsoft Releases Final Monthly Set of Security Bulletins for 2016
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos - Cisco’s Key to Understanding the Threat Landscape @ Cisco On The Road (Boston, MA)
Date: 2016-12-15
Speaker: Nick Biasini, Threat Researcher
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://demand.cisco.com/CiscoOnTheRoad

Event: Emerging Threats: The State of Cybersecurity @ Cisco Live Melbourne 2017 (Melbourne, Australia)
Date: 2017-03-07 - 2017-03-10
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/anz/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Releases Final Monthly Set of Security Bulletins for 2016
Description: Microsoft has released its final set of security bulletins for 2016 with its December release. This month’s release sees 12 new bulletins addressing 42 unique vulnerabilities. Six bulletins are rated critical and address security flaws in Edge, Internet Explorer, Graphic Component, Office, Uniscribe, and Adobe Flash. The remaining six bulletins are rated important and address vulnerabilities in .NET, the Common Log File System Driver, and various aspects of the Windows Kernel.
Reference: https://technet.microsoft.com/library/security/ms16-dec
Snort SID: 40647-40648, 40936-40990, 40992-40993

Title: Apple Releases Security Updates for its Operating Systems (iOS, macOS, tvOS, watchOS), iCloud, iTunes, and Safari
Description: Apple has released security updates for its operating systems (iOS, macOS, tvOS, and watchOS) and components such as iCloud, iTunes, and Safari. Overall, 71 vulnerabilities in macOS and 64 vulnerabilities in iOS were addressed, the most severe being arbitrary code execution and privilege escalation flaws.
Reference: https://support.apple.com/en-us/HT201222
Snort SID: Detection pending release of vulnerability information

Title: Adobe Releases Security Updates for Digital Editions, Flash Player, and other products
Description: Adobe has released security updates for various products such as Digital Editions, InDesign, Experience Manager, Flash Player, and more. The Flash Player security bulletin addresses 16 vulnerabilities, with one (CVE-2016-7892) being used in “limited, targeted attacks against users running Internet Explorer (32-bit) on Windows.” As with previous advisories, most of the Flash Player vulnerabilities that were fixed were use-after-free vulnerabilities, buffer overflow vulnerabilities, and memory corruption vulnerabilities. Users are advised to disable or remove Adobe Flash Player from their systems if it’s deemed unnecessary, and to upgrade if it’s required.
Reference: https://helpx.adobe.com/security.html
Snort SID: Detection pending

Title: Various Netgear Routers Found To be Vulnerable to Arbitrary Command Injection
Description: Researchers have identified that various Netgear router models contain an arbitrary command injection vulnerability. An attacker who convinces a user to visit a specifically crafted website could execute arbitrary commands on the device. Alternatively, a user who sends a specifically formatted request directly to the device can also execute arbitrary commands. Note that while there is currently no permanent solution to address the vulnerability, there is a way to “temporarily disable the vulnerable web server” using the “very vulnerabilities that exist on affected routers.” Netgear is aware of the issue and is currently in the process of developing a firmware update to address the vulnerabilities.
Reference:
- http://www.kb.cert.org/vuls/id/582384
- http://kb.netgear.com/000036386/CVE-2016-582384
Snort SID: Detection pending

Title: Critical Vulnerabilities in McAfee VirusScan for Linux Addressed
Description: An independent researcher has identified several critical vulnerabilities in McAfee VirusScan for Linux where an attacker could achieve remote code execution as root on an affected device. Achieving remote code execution requires the attacker to combine various exploits to brute-force authentication tokens, reconfigure the service to poll a malicious update server, and force the creation and execution of a malicious script on the vulnerable device. McAfee has released a patch to address these vulnerabilities.
Reference:
- https://kc.mcafee.com/corporate/index?page=content&id=SB10181
- https://nation.state.actor/mcafee.html
Snort SID: Detection pending
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Floki Bot Strikes, Talos and Flashpoint Respond http://blog.talosintel.com/2016/12/flokibot-collab.html?f_l=s
The 2016 SANS Holiday Hack Challenge https://holidayhackchallenge.com/2016/
New Scheme: Spread Popcorn Time Ransomware, get chance of free Decryption Key https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/
IPv6 spoofing trickery http://c-skills.blogspot.com/2016/12/ipv6-spoofing-trickery.html
NYU Students Apply Blockchain Solution to Electronic Voting Security https://threatpost.com/nyu-students-apply-blockchain-solution-to-electronic-voting-security/122382/
============================================================
MOST PREVALENT MALWARE FILES 2016-12-06 - 2016-12-13: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 76bfca49c7953827efac0936923ed5dd016c14962292045a99f7f2b21878d3a6 MD5: 647a0cfb3b7d0f3dc617f7c05cd64562 VirusTotal: https://www.virustotal.com/file/76bfca49c7953827efac0936923ed5dd016c14962292045a99f7f2b21878d3a6/analysis/#additional-info Typical Filename: mfon.zip Claimed Product: Mac File Opener.app Detection Name: W32.Trojan.NM
SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739 MD5: fa1f769475516b03881602d0824cae12 VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info Typical Filename: PrinterInstallerClientUpdater.exe Claimed Product: Printer Installer Client Updater Detection Name: W32.AE7327F36A-95.SBX.TG
SHA 256: 0e35cfb9b36389b67c726719eb6f9164c9bead85f41fb3a029231cf280dca014 MD5: 282786632cf3c3bfba94f55f93660fbd VirusTotal: https://www.virustotal.com/file/0e35cfb9b36389b67c726719eb6f9164c9bead85f41fb3a029231cf280dca014/analysis/#additional-info Typical Filename: 30633.doc Claimed Product: N/A Detection Name: W32.0E35CFB9B3-100.SBX.TG
SHA 256: 8d75ab8c4459c8d6b9e9fe0bf488bc14caa238fa764a8a7da1de2d1c4f56d876 MD5: a8e2b826b2a8fda8642012cc1f93bb86 VirusTotal: https://www.virustotal.com/file/8d75ab8c4459c8d6b9e9fe0bf488bc14caa238fa764a8a7da1de2d1c4f56d876/analysis/#additional-info Typical Filename: BSC_Purchase_Report-T9CUID0UQU.doc Claimed Product: N/A Detection Name: W32.8D75AB8C44-100.SBX.TG
SHA 256: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f MD5: 2dbf779808d2ec3f5121891be9f4b1cf VirusTotal: https://www.virustotal.com/file/bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f/analysis/#additional-info Typical Filename: helperamc Claimed Product: Advanced Mac Cleaner Detection Name: OSX.Variant:AMCZ.19if.1201
============================================================
SPAM STATS FOR 2016-12-06 - 2016-12-13
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM