Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: ISC Releases Security Advisory for BIND To Resolve Denial of Service Attack
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos Insights: The State of Cyber Security @ Cisco Live EMEA (Berlin, Germany)
Date: 2017-02-20 - 2017-02-24
Speaker: Craig Williams, Global Outreach Manager
Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=BRKSEC-2010

Event: Talos Winter Security Threat Briefing (Free Webinar)
Date: 2017-02-28 13:00 ET (10:00 PT)
Speaker: Earl Carter, Technical Leader
Description: Cyberthreats will never disappear. Adversaries are only getting smarter and more adept at evading security measures. The security experts at Talos invite you to their quarterly threat briefing, where they will share their insights into recent attacks that exemplify the latest trends within the security industry. By discussing these new and emerging threats, the Talos team will help you understand new protection strategies and build better defenses.
Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Social?webinar=ME5484A1

Event: Emerging Threats: The State of Cybersecurity @ Cisco Live Melbourne 2017 (Melbourne, Australia)
Date: 2017-03-07 - 2017-03-10
Speaker: Earl Carter, Technical Leader
Description: Cisco's Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.ciscolive.com/anz/

Event: Driving Attacker Innovation: A Tale of Three Ransomware Variants
Date: 2017-03-14
Speaker: Earl Carter, Technical Leader
Description: Ransomware has become a constant threat to users. Innovation is the key to staying ahead of threat defenders and earning the most money. During this talk I will examine how three separate ransomware variants (TeslaCrypt, Cryptowall, and Locky) have demonstrated totally different innovation paths with varying results. TeslaCrypt demonstrates a failed attempt at innovation that could not overcome the constant examination by threat defenders. Cryptowall evolved from a simple phishing attack into an advanced piece of malware delivered by exploit kits, earning millions of dollars annually. Finally, Locky has evolved into a significant spam-based email threat driven by an affiliate model that has enabled the ransomware authors to separate themselves from the actual malware distribution.
Reference: http://acsc2017.com.au/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: ISC Releases Security Advisory for BIND To Resolve Denial of Service Attack
Description: ISC has released a security advisory for BIND to address CVE-2017-3135, a denial of service vulnerability. CVE-2017-3135 manifests under certain conditions when both DNS64 and RPZ are used to rewrite query responses. In some instances, query processing "can resume in an inconsistent state" and result in an assertion failure or NULL pointer dereference. Workarounds to avoid this vulnerability are possible, but ISC recommends that BIND be upgraded, as updates that address this vulnerability have been made available.
Reference: https://kb.isc.org/article/AA-01453
Snort SID: Detection pending release of vulnerability information

Title: Adobe Releases Security Bulletins for Flash Player, Digital Editions, and Campaign
Description: Adobe has released three security bulletins for Flash Player, Digital Editions, and Campaign. In total, 24 vulnerabilities were resolved across the three bulletins: 13 Flash Player flaws, 9 Digital Editions flaws, and 2 Campaign flaws. The Flash Player bulletin notes that all 13 flaws could possibly lead to remote code execution; all of them are memory corruption, heap buffer overflow, use-after-free, integer overflow, or type confusion flaws.
Reference:
- https://helpx.adobe.com/security/products/flash-player/apsb17-04.html
- https://helpx.adobe.com/security/products/Digital-Editions/apsb17-05.html
- https://helpx.adobe.com/security/products/campaign/apsb17-06.html
Snort SID: 41603-41604, 41611-41624, 41627-41632
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
New Attack, Old Tricks - Macro-based Malware Observed on macOS https://objective-see.com/blog/blog_0x17.html
How to build an 8 GPU password cracker https://www.shellntel.com/blog/2017/2/8/how-to-build-a-8-gpu-password-cracker
Go RAT, Go! AthenaGo points “TorWords” Portugal http://blog.talosintel.com/2017/02/athena-go.html?f_l=s
USB Key Cleaner: CIRCLean https://n0where.net/usb-key-cleaner-circlean/?
U.S. House of Representatives Passes Long-Sought Email Privacy Bill https://krebsonsecurity.com/2017/02/house-passes-long-sought-email-privacy-bill/?
Microsoft delays its usual Patch Tuesday updates http://www.zdnet.com/article/microsoft-delays-its-usual-patch-tuesday-updates/
=========================================================
MOST PREVALENT MALWARE FILES 2017-02-07 - 2017-02-14: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
============================================================
SPAM STATS FOR 2017-02-07 - 2017-02-14
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM