Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Apple Releases Security Updates for Operating Systems, iCloud, iTunes, and Safari
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Ain’t Nobody Got Time For That! AKA Dynamic Malware Analysis for the Overworked Analyst
Date: 2017-02-04
Speaker: Edmund Brumaghin, Threat Researcher
Description: Many malware analysis talks given at information security conferences focus on statically reverse engineering code constructs within a binary or determining how malware works by walking through code execution within a disassembler or debugger. But, what analyst on an incident response and/or security monitoring team has time for that? When an alert fires notifying your team of a possible incident, you are not trying to dissect a malware sample to write a dossier or whitepaper, you simply need to determine scope and what response is needed. This talk focuses on the process of determining what an unknown binary does as quickly as possible by building out a small lab environment that facilitates a rapid analysis, what tools you need to have available, and how to use them effectively to determine what an unknown binary does.
Reference: https://www.bsideshuntsville.org/#Talks
Event: Exploit Kits - What Happens When Kits Disappear
Date: 2017-02-15
Speaker: Nick Biasini, Threat Researcher
Description: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum with Rig and Sundown jockeying for position, but none have taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly, the kits don’t appear to have evolved much, but looks can be deceiving. This talk will discuss the state of exploit kits today. There will also be a section related to how exploit kits will evolve in the future and the impact it may potentially have on the threat landscape overall.
Reference: https://www.it-defense.de/en/it-defense-2017/program/?no_cache=1
Event: Talos Insights: The State of Cyber Security @ Cisco Live EMER (Berlin, Germany)
Date: 2017-02-20 - 2017-02-24
Speaker: Craig Williams, Global Outreach Manager
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=BRKSEC-2010
Event: Emerging Threats: The State of Cybersecurity @ Cisco Live Melbourne 2017 (Melbourne, Australia)
Date: 2017-03-07 - 2017-03-10
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/anz/
Event: Driving Attacker Innovation: A Tale of Three Ransomware Variants
Date: 2017-03-14
Speaker: Earl Carter, Technical Leader
Description: Ransomware has become a constant threat to users. Innovation is the key to staying ahead of threat defenders and earning the most money. During this talk I will examine how three separate ransomware variants (TeslaCrypt, Cryptowall, & Locky) have demonstrated totally different innovation paths with varying results. TeslaCrypt demonstrates a failed attempt at innovation that could not overcome the constant examination by threat defenders. Cryptowall evolved from a simple phishing attack into an advanced piece of malware delivered by exploit kits earning millions of dollars annually. Finally, Locky has evolved into a significant spam-based email threat driven by an affiliate model that has enabled the ransomware authors to separate themselves from the actual malware distribution.
Reference: http://acsc2017.com.au/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Apple Releases Security Updates for Operating Systems, iCloud, iTunes, and Safari
Description: Apple has released security updates for macOS, iOS, tvOS, and watchOS, as well as iCloud, iTunes, and Safari. Several of the vulnerabilities that were patched are particularly severe, such as two arbitrary code execution flaws manifesting as a buffer overflow and a use-after-free across all operating systems Apple supports. Other vulnerabilities that were fixed include ones in Safari that could be exploited if a user navigates to a specifically crafted web page, and a bug that caused the Contacts manager to terminate unexpectedly in iOS.
Reference: https://support.apple.com/en-us/HT201222
Snort SID: Detection pending release of vulnerability information
Title: Cisco Releases Security Update to WebEx Browser Extension
Description: Cisco has released a security advisory for the WebEx Browser Extension to address CVE-2017-3823, a critical security flaw discovered by Tavis Ormandy of Google’s Project Zero. CVE-2017-3823 is an arbitrary code execution flaw that could be exploited if a user navigates to a specifically crafted web page and starts a WebEx session. Note that this vulnerability affects the browser extension for Chrome, Firefox, and Internet Explorer. Cisco has begun to release software updates that address the vulnerability.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
Snort SID: 41407-41409
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Detailed look at patched SMS vulnerabilities in Samsung Galaxy phones https://www.contextis.com/resources/blog/wap-just-happened-my-samsung-galaxy/
Without Necurs, Locky Struggles http://blog.talosintel.com/2017/01/locky-struggles.html?f_l=s
Practical Docker for Security Admins https://remotephone.github.io/lab/homelab/budget/testing/2016/12/20/practical-docker.html
Trump’s attorney general nominee in favor of encryption backdoors http://www.zdnet.com/article/trumps-attorney-general-nominee-is-in-favor-of-crypto-backdoors/
Spora - the Shortcut Worm that is also a Ransomware https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware
Who is Anna-Senpai, the Mirai Worm Author? https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
============================================================
MOST PREVALENT MALWARE FILES 2017-01-17 - 2017-01-24: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739
MD5: fa1f769475516b03881602d0824cae12
VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info
Typical Filename: printerinstallerclientupdater.exe
Claimed Product: Printer Client Updater
Detection Name: W32.AE7327F36A-95.SBX.TG

SHA 256: 2a3c6020418ba65020feffc50d30ad77aa6f87bb97e831f9d19585c5c0fbf439
MD5: 220a227048a34c7145aa3af9b29a39c5
VirusTotal: https://www.virustotal.com/file/2a3c6020418ba65020feffc50d30ad77aa6f87bb97e831f9d19585c5c0fbf439/analysis/#additional-info
Typical Filename: mfon.zip
Claimed Product: Mac File Opener
Detection Name: W32.Auto.2a3c60.201455.in01

SHA 256: 8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e
MD5: 7bf7a625c382568da910e86b7b332da1
VirusTotal: https://www.virustotal.com/file/8d5259dd99cc605b19cd5a176c46503f29c7a61107013f5f97180a1fc84d001e/analysis/#additional-info
Typical Filename: information.doc
Claimed Product: N/A
Detection Name: W32.8D5259DD99-95.SBX.TG

SHA 256: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f
MD5: 2dbf779808d2ec3f5121891be9f4b1cf
VirusTotal: https://www.virustotal.com/file/bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f/analysis/#additional-info
Typical Filename: helperamc
Claimed Product: Advanced Mac Cleaner
Detection Name: OSX.Variant:AMCZ.19if.1201

SHA 256: d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137
MD5: f4be84934734b03d7f11e22b4de7fd0a
VirusTotal: https://www.virustotal.com/file/d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137/analysis/#additional-info
Typical Filename: Danielic
Claimed Product: (unknown)
Detection Name: Auto.683062.192247.in02
============================================================
SPAM STATS FOR 2017-01-17 - 2017-01-26
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM