Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Flaws in Honeywell XL Web II Controller Patched and Disclosed
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Exploit Kits - What Happens When Kits Disappear
Date: 2017-02-15
Speaker: Nick Biasini, Threat Researcher
Description: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum with Rig and Sundown jockeying for position, but none have taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly, the kits don’t appear to have evolved much, but looks can be deceiving. This talk will discuss the state of exploit kits today. There will also be a section related to how exploit kits will evolve in the future and the impact it may potentially have on the threat landscape overall.
Reference: https://www.it-defense.de/en/it-defense-2017/program/?no_cache=1

Event: Talos Insights: The State of Cyber Security @ Cisco Live EMER (Berlin, Germany)
Date: 2017-02-20 - 2017-02-24
Speaker: Craig Williams, Global Outreach Manager
Description: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=BRKSEC-2010

Event: Talos Winter Security Threat Briefing (Free Webinar)
Date: 2017-02-28 13:00 ET (10:00 PT)
Speaker: Earl Carter, Technical Leader
Description: Cyberthreats will never disappear. Adversaries are only getting smarter and more adept at evading security measures. The security experts at Talos invite you to their quarterly threat briefing, where they will share their insights into recent attacks that exemplify the latest trends within the security industry. By discussing these new and emerging threats, the Talos team will help you understand new protection strategies and build better defenses.
Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Social?webinar=ME5484A1

Event: Emerging Threats: The State of Cybersecurity @ Cisco Live Melbourne 2017 (Melbourne, Australia)
Date: 2017-03-07 - 2017-03-10
Speaker: Earl Carter, Technical Leader
Description: Cisco’s Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/anz/

Event: Driving Attacker Innovation: A Tale of Three Ransomware Variants
Date: 2017-03-14
Speaker: Earl Carter, Technical Leader
Description: Ransomware has become a constant threat to users. Innovation is the key to staying ahead of threat defenders and earning the most money. During this talk I will examine how three separate ransomware variants (TeslaCrypt, Cryptowall, & Locky) have demonstrated totally different innovation paths with varying results. TeslaCrypt demonstrates a failed attempt at innovation that could not overcome the constant examination by threat defenders. Cryptowall evolved from a simple phishing attack into an advanced piece of malware delivered by exploit kits earning millions of dollars annually. Finally, Locky has evolved into a significant spam-based email threat driven by an affiliate model that has enabled the ransomware authors to separate themselves from the actual malware distribution.
Reference: http://acsc2017.com.au/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Flaws in Honeywell XL Web II Controller Patched and Disclosed
Description: ICS-CERT has issued a security advisory for Honeywell XL Web II controllers in response to several responsibly disclosed vulnerabilities. The most severe flaws identified are the plaintext storage of passwords (CVE-2017-5140) and the ability to disclose a password by navigating to a specific URL (CVE-2017-5139). Honeywell has addressed these issues by releasing version 3.04.05.05 to fix the vulnerabilities.
Reference: https://ics-cert.us-cert.gov/advisories/ICSA-17-033-01
Snort SID: Detection pending release of vulnerability information

Title: McAfee Releases Security Bulletin for ePolicy Orchestrator Vulnerability
Description: McAfee has released a security bulletin for CVE-2016-8027, a SQL injection vulnerability identified in ePolicy Orchestrator. The flaw, which exists in ePO 5.3.2, 5.1.3, and earlier versions, could be exploited via a specially crafted HTTP POST request that alters a SQL query, resulting in information disclosure or impersonation of an agent. McAfee has released a hotfix that addresses this flaw.
Reference: https://kc.mcafee.com/corporate/index?page=content&id=SB10187
Snort SID: 41410
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
InterContinental Confirms Breach at 12 Hotels https://krebsonsecurity.com/2017/02/intercontinental-confirms-breach-at-12-hotels/
How Google fought back against a crippling IoT-powered botnet and won https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/
Improved scripts in .lnk files now deliver Kovter in addition to Locky https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk-files-now-deliver-kovter-in-addition-to-locky/
Password managers: attacks and defenses https://blog.acolyer.org/2017/02/06/password-managers-attacks-and-defenses/
When A Pony Walks Out Of A Pub http://blog.talosintel.com/2017/02/pony-pub-files.html
=========================================================
MOST PREVALENT MALWARE FILES 2017-01-31 - 2017-02-07: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739
MD5: fa1f769475516b03881602d0824cae12
VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info
Typical Filename: PrinterInstallerClientUpdater.exe
Claimed Product: Printer Client Updater
Detection Name: W32.AE7327F36A-95.SBX.TG

SHA 256: 2a3c6020418ba65020feffc50d30ad77aa6f87bb97e831f9d19585c5c0fbf439
MD5: 220a227048a34c7145aa3af9b29a39c5
VirusTotal: https://www.virustotal.com/file/2a3c6020418ba65020feffc50d30ad77aa6f87bb97e831f9d19585c5c0fbf439/analysis/#additional-info
Typical Filename: mfon.zip
Claimed Product: Mac File Opener
Detection Name: W32.Auto.2a3c60.201455.in01

SHA 256: 9e7e3351a484ddd743a508b579e2a0c00fe2e29380d016966b51d006c8fe954a
MD5: 1f76c24b775175b49f82dafe7fb3a369
VirusTotal: https://www.virustotal.com/file/9e7e3351a484ddd743a508b579e2a0c00fe2e29380d016966b51d006c8fe954a/analysis/#additional-info
Typical Filename: 20170207071121.775637-DDelivery-Details.zip
Claimed Product: N/A
Detection Name: W32.Auto:9e7e3351a4.in05.Talos

SHA 256: f9b8f7f285f811ee720cce7bccd98a421a26fb90dd7b022118d4b4e1f340036b
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/f9b8f7f285f811ee720cce7bccd98a421a26fb90dd7b022118d4b4e1f340036b/analysis/#additional-info
Typical Filename: wingqvaqb.exe
Claimed Product: (none)
Detection Name: W32.AgentWDCR:Malwaregen.20c4.1201

SHA 256: abcb1fe46082db37edd34527f00be99cc1a3dda008c8f7810c5a1c8e4c3b59ff
MD5: 311b7684b4eb185ba9962947c8223769
VirusTotal: https://www.virustotal.com/file/abcb1fe46082db37edd34527f00be99cc1a3dda008c8f7810c5a1c8e4c3b59ff/analysis/#additional-info
Typical Filename: fattura 3918399.exe
Claimed Product: (none)
Detection Name: W32.ABCB1FE460-100.SBX.TG
============================================================
SPAM STATS FOR 2017-01-31 - 2017-02-07
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM