Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Arbitrary Code Execution Flaw in Ubuntu Desktop Crash Reporter Identified and Patched
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Emerging Threats: The State of Cybersecurity @ Cisco Live Melbourne 2017 (Melbourne, Australia)
Date: 2017-03-07 - 2017-03-10
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos Group specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform a deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/anz/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Arbitrary Code Execution Flaw in Ubuntu Desktop Crash Reporter Identified and Patched
Description: An arbitrary code execution flaw in the Ubuntu Desktop crash reporter has been identified by an independent security researcher. These bugs, identified as CVE-2016-9949 and CVE-2016-9950, manifest as a result of Ubuntu attempting to determine the file type of a crash report in order to open the crash report handler application. A user who opens a specially formatted crash report file could allow an attacker to achieve arbitrary code execution on the targeted system. Ubuntu versions 12.10 and later are known to be affected. Ubuntu has addressed the vulnerability by releasing an update.
Reference: https://donncha.is/2016/12/compromising-ubuntu-desktop/

Title: Command Injection Vulnerability in Nagios Core Identified and Fixed
Description: A command injection vulnerability in Nagios Core has been identified by a researcher at Legal Hackers. This particular vulnerability, identified as CVE-2016-9565, manifests in the front-end RSS feed reader component MagpieRSS. This flaw could be exploited if the Nagios server attempts to load an RSS feed from a server impersonating the feed server. Golunski, the researcher who identified this flaw, notes that this vulnerability is notable because Nagios server installations tend to have visibility into many aspects of an organization, which could allow an attacker to gain visibility and move laterally within a network. Nagios has released an update, version 4.2.4, which addresses the flaw.
Reference: https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
Cisco Umbrella 1 Million https://blog.opendns.com/2016/12/14/cisco-umbrella-1-million/
Alice: A Lightweight, Compact, No-Nonsense ATM Malware http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/
Practical Reverse Engineering Part 5 - Digging Through the Firmware http://jcjc-dev.com/2016/12/14/reversing-huawei-5-reversing-firmware/
Vulnerability Spotlight: Tarantool Denial of Service Vulnerabilities http://blog.talosintel.com/2016/12/tarantool-DoS.html
Project Wycheproof - Google Security Blog https://security.googleblog.com/2016/12/project-wycheproof.html
Wassenaar Renegotiation Will Be in Trump Administration’s Hands https://threatpost.com/wassenaar-renegotiation-will-be-in-trump-administrations-hands/122653/
IEC60870-5-104 Protocol Detection Rules http://blog.snort.org/2016/12/iec60870-5-104-protocol-detection-rules.html
============================================================
MOST PREVALENT MALWARE FILES 2016-12-13 - 2016-12-20: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 0f2f6501745df720946c0152a46c8afa3a98b78b0d54905c590125755c67ba4c
MD5: 192d988a3a3228c5d8770fe4d2ac7aa6
VirusTotal: https://www.virustotal.com/file/0f2f6501745df720946c0152a46c8afa3a98b78b0d54905c590125755c67ba4c/analysis/#additional-info
Typical Filename: ATOGov_18122016.doc
Claimed Product: N/A
Detection Name: W32.0F2F650174-100.SBX.TG

SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739
MD5: fa1f769475516b03881602d0824cae12
VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info
Typical Filename: PrinterInstallerClientUpdater.exe
Claimed Product: Printer Client Updater
Detection Name: W32.AE7327F36A-95.SBX.TG

SHA 256: 76bfca49c7953827efac0936923ed5dd016c14962292045a99f7f2b21878d3a6
MD5: 647a0cfb3b7d0f3dc617f7c05cd64562
VirusTotal: https://www.virustotal.com/file/76bfca49c7953827efac0936923ed5dd016c14962292045a99f7f2b21878d3a6/analysis/#additional-info
Typical Filename: mfon.zip
Claimed Product: Mac File Opener
Detection Name: W32.Trojan.NM

SHA 256: cb5eee6e2a3ce2c696031b853b24a3db1e9bc41556f9d57add1c076fc01493dd
MD5: 6973808a44f23b4703f8273fe0f57593
VirusTotal: https://www.virustotal.com/file/cb5eee6e2a3ce2c696031b853b24a3db1e9bc41556f9d57add1c076fc01493dd/analysis/#additional-info
Typical Filename: Payslip_Dec_2016_179786.doc
Claimed Product: N/A
Detection Name: DOCX.Auto:cb5eee6e2a.in05.Talos

SHA 256: cc5588b516e920f70afe1949709ef2d439b0b765f42a1be7b585679de7026331
MD5: b480b7efe5e822bd3c3c90d818502068
VirusTotal: https://www.virustotal.com/file/cc5588b516e920f70afe1949709ef2d439b0b765f42a1be7b585679de7026331/analysis/#additional-info
Typical Filename: ID201NLD0012192016.doc
Claimed Product: N/A
Detection Name: W32.CC5588B516-99.SBX.VIOC
============================================================
SPAM STATS FOR 2016-12-06 - 2016-12-13
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM