Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: WordPress Releases Security Update
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Ain’t Nobody Got Time For That! AKA Dynamic Malware Analysis for the Overworked Analyst
Date: 2017-02-04
Speaker: Edmund Brumaghin, Threat Researcher
Description: Many malware analysis talks given at information security conferences focus on statically reverse engineering code constructs within a binary or on determining how malware works by walking through code execution within a disassembler or debugger. But what analyst on an incident response and/or security monitoring team has time for that? When an alert fires notifying your team of a possible incident, you are not trying to dissect a malware sample to write a dossier or whitepaper; you simply need to determine the scope and what response is needed. This talk focuses on the process of determining what an unknown binary does as quickly as possible: building out a small lab environment that facilitates rapid analysis, which tools you need to have available, and how to use them effectively to determine what an unknown binary does.
Reference: https://www.bsideshuntsville.org/#Talks

Event: Exploit Kits - What Happens When Kits Disappear
Date: 2017-02-15
Speaker: Nick Biasini, Threat Researcher
Description: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum, with Rig and Sundown jockeying for position, but none has taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly, the kits don’t appear to have evolved much, but looks can be deceiving. This talk will discuss the state of exploit kits today. There will also be a section on how exploit kits will evolve in the future and the impact that may potentially have on the threat landscape overall.
Reference: https://www.it-defense.de/en/it-defense-2017/program/?no_cache=1

Event: Talos Insights: The State of Cyber Security @ Cisco Live EMEA (Berlin, Germany)
Date: 2017-02-20 - 2017-02-24
Speaker: Craig Williams, Global Outreach Manager
Description: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=BRKSEC-2010

Event: Talos Winter Security Threat Briefing (Free Webinar)
Date: 2017-02-28 13:00 ET (10:00 PT)
Speaker: Earl Carter, Technical Leader
Description: Cyberthreats will never disappear. Adversaries are only getting smarter and more adept at evading security measures. The security experts at Talos invite you to their quarterly threat briefing, where they will share their insights into recent attacks that exemplify the latest trends within the security industry. By discussing these new and emerging threats, the Talos team will help you understand new protection strategies and build better defenses.
Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Social?webinar=ME5484A1

Event: Emerging Threats: The State of Cybersecurity @ Cisco Live Melbourne 2017 (Melbourne, Australia)
Date: 2017-03-07 - 2017-03-10
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos Group specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform a deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/anz/

Event: Driving Attacker Innovation: A Tale of Three Ransomware Variants
Date: 2017-03-14
Speaker: Earl Carter, Technical Leader
Description: Ransomware has become a constant threat to users. Innovation is the key to staying ahead of threat defenders and earning the most money. During this talk I will examine how three separate ransomware variants (TeslaCrypt, Cryptowall, and Locky) have demonstrated totally different innovation paths with varying results. TeslaCrypt demonstrates a failed attempt at innovation that could not overcome the constant examination by threat defenders. Cryptowall evolved from a simple phishing attack into an advanced piece of malware delivered by exploit kits, earning millions of dollars annually. Finally, Locky has evolved into a significant spam-based email threat driven by an affiliate model that has enabled the ransomware authors to separate themselves from the actual malware distribution.
Reference: http://acsc2017.com.au/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: WordPress Releases Security Update
Description: WordPress has released a security update for its blogging platform, bringing the latest version up to 4.7.2. This update addresses three security issues: a SQL injection vulnerability, a cross-site scripting vulnerability, and a permissions enforcement error. WordPress versions 4.7.1 and earlier are affected by all three vulnerabilities.
Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Snort SID: Detection pending release of vulnerability information

Title: Cisco Releases Security Update for WebEx Browser Extension
Description: Cisco has released a security update for CVE-2017-3823, an arbitrary code execution flaw in the WebEx Browser Extension for Chrome, Firefox, and Internet Explorer. This flaw was previously identified by Tavis Ormandy of Google’s Project Zero and patched, but the initial patch was found to be incomplete. Cisco has released an updated version of the extension for all three browsers.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex
Snort SID: 41407-41409

Title: NETGEAR Releases Security Advisory for a Password Recovery and Exposure Vulnerability
Description: NETGEAR has released a security advisory for CVE-2017-5521, a password recovery and exposure vulnerability found in various NETGEAR home and small office routers. CVE-2017-5521 manifests as a flaw in how the firmware handles login passwords when the password recovery feature is disabled, and it can be exploited via access on the internal network, or from outside if remote management is enabled. NETGEAR has released software updates for the various affected models.
Reference:
- http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
- https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521–Bypassing-Authentication-on-NETGEAR-Routers/
Snort SID: Detection pending release of vulnerability information
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Averting ransomware epidemics in corporate networks with Windows Defender ATP https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/
Team Shellphish - Cyber Grand Shellphish http://phrack.org/papers/cyber_grand_shellphish.html
Gmail will block .js file attachments starting February 13, 2017 https://gsuiteupdates.googleblog.com/2017/01/gmail-will-restrict-js-file-attachments.html
Dridex Banking Trojan Returns, Leverages New UAC Bypass Method https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
EyePyramid: An Archaeological Journey http://blog.talosintel.com/2017/01/Eye-Pyramid.html
============================================================
MOST PREVALENT MALWARE FILES 2017-01-24 - 2017-01-31: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739
MD5: fa1f769475516b03881602d0824cae12
VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info
Typical Filename: printerinstallerclientupdater.exe
Claimed Product: Printer Updater Client
Detection Name: W32.AE7327F36A-95.SBX.TG

SHA 256: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f
MD5: 2dbf779808d2ec3f5121891be9f4b1cf
VirusTotal: https://www.virustotal.com/file/bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f/analysis/#additional-info
Typical Filename: helperamc
Claimed Product: Advanced Mac Cleaner
Detection Name: OSX.Variant:AMCZ.19if.1201

SHA 256: 2a3c6020418ba65020feffc50d30ad77aa6f87bb97e831f9d19585c5c0fbf439
MD5: 220a227048a34c7145aa3af9b29a39c5
VirusTotal: https://www.virustotal.com/file/2a3c6020418ba65020feffc50d30ad77aa6f87bb97e831f9d19585c5c0fbf439/analysis/#additional-info
Typical Filename: mfon.zip
Claimed Product: Mac File Opener
Detection Name: W32.Auto.2a3c60.201455.in01

SHA 256: f9b8f7f285f811ee720cce7bccd98a421a26fb90dd7b022118d4b4e1f340036b
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/f9b8f7f285f811ee720cce7bccd98a421a26fb90dd7b022118d4b4e1f340036b/analysis/#additional-info
Typical Filename: wingqvaqb.exe
Claimed Product: (none)
Detection Name: W32.F9B8F7F285-95.SBX.TG

SHA 256: d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137
MD5: f4be84934734b03d7f11e22b4de7fd0a
VirusTotal: https://www.virustotal.com/file/d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137/analysis/#additional-info
Typical Filename: Danielic
Claimed Product: (unknown)
Detection Name: OSX.MAC:Malwaregen.19hh.1201
============================================================
SPAM STATS FOR 2017-01-24 - 2017-01-31
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM