Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Description: Cisco's Talos Group specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks know that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform a deep analysis of the threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Description: Malware seems to be the Swiss Army knife in an attacker's toolkit; some threats, like ransomware, target the user's data, while others, such as banking trojans, seek to exfiltrate sensitive data. Join our live webinar, led by Talos Threat Researcher Edmund Brumaghin, as he covers recent evolutions in malware and offers a detailed analysis of one of the newest banking Trojans, Floki Bot.
Title: Cisco Releases Critical Security Advisory For IOS and IOS XE 0-day Found in "Vault 7" Info Dump
Description: Cisco has released a critical security advisory in response to CVE-2017-3881, a 0-day vulnerability that was identified in the "Vault 7" information dump. CVE-2017-3881 is a remote code execution vulnerability that manifests in the Cisco Cluster Management Protocol (CMP) processing functionality of IOS and IOS XE. A remote, unauthenticated attacker who transmits malformed CMP-specific Telnet options to a vulnerable device could exploit this flaw and execute arbitrary code with elevated privileges. Note that the vulnerable device must be configured to accept Telnet connections. Cisco is currently developing software updates that will address this vulnerability.
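Because the bug is only reachable when a device accepts Telnet, the most useful interim check is whether any vty line still permits it. The following is an added illustration, not configuration from the Cisco advisory: the first stanza shows the exposed setting, the second the SSH-only form. The line range `vty 0 4` is assumed; adjust it to the ranges actually present on the device.

```text
! Exposed: vty lines accept Telnet, so the CMP Telnet-option parser is reachable
line vty 0 4
 transport input telnet ssh
!
! Hardened: accept SSH only; Telnet, and with it the CMP code path, is no longer reachable
line vty 0 4
 transport input ssh
!
! Verify from privileged EXEC that no vty line still lists telnet:
! show running-config | include transport input
```

Restricting the vty lines to SSH removes the vector but does not remove the flaw; the software update Cisco is preparing should still be applied once it is available.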
Title: Various JSON Libraries Patched to Address Invalid Curve Crypto Attack
Description: Several JSON libraries have been patched to address a flaw in their implementation of JSON Web Encryption (JWE). Specifically, libraries that implement JWE key agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) were found to be vulnerable to an Invalid Curve Attack, which could allow recovery of the recipient's static private key. In response to this flaw being identified, the go-jose, jose2go, Nimbus JOSE+JWT, node-jose, and jose4j JSON libraries were all patched.
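The root cause of an Invalid Curve Attack is that the elliptic-curve group law never uses the curve coefficient b, so an implementation that skips validation will happily run its ECDH computation on a point the sender chose from a different curve. The fix the patched libraries adopted is to reject any peer public key that is not a valid point before the private scalar touches it. The block below is an added example, not code from the Talos post or from any of the libraries named above: it implements that receiver-side check for P-256 using the standard NIST curve constants, with affine (non-constant-time) arithmetic for readability. The private scalars and the off-curve point used in the demonstration are constructed for this example.

```python
# Added example: receiver-side public-key validation for ECDH-ES over P-256.
# Curve constants are the standard NIST P-256 parameters; the private scalars
# and the off-curve point in __main__ are constructed for illustration only.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def is_on_curve(point):
    """True iff point is a finite point satisfying y^2 = x^3 + A*x + B (mod P)."""
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def _add(p1, p2):
    """Affine group law. It never references B, which is exactly why an
    unchecked implementation computes 'correctly' on points from another curve."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2: the point at infinity
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def public_key(private_scalar):
    """Public point for a private scalar in [1, N-1]."""
    return _mul(private_scalar, G)


def validate_public_key(point):
    """Reject anything that is not a valid P-256 public key.

    For a prime-order curve with cofactor 1 such as P-256, the range and
    on-curve checks are sufficient; the order check is included for completeness."""
    if point is None:
        raise ValueError("point at infinity is not a valid public key")
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate out of range")
    if not is_on_curve(point):
        raise ValueError("point is not on P-256 (invalid curve point)")
    if _mul(N, point) is not None:
        raise ValueError("point does not have order N")
    return point


def accepts_public_key(point):
    """Convenience wrapper: True if validate_public_key() accepts the point."""
    try:
        validate_public_key(point)
        return True
    except ValueError:
        return False


def derive_shared_secret(private_scalar, peer_public):
    """ECDH with validation: returns the x-coordinate of private * peer_public,
    i.e. the Z value that ECDH-ES feeds into its KDF."""
    validate_public_key(peer_public)
    shared = _mul(private_scalar, peer_public)
    if shared is None:
        raise ValueError("shared point is the point at infinity")
    return shared[0]


if __name__ == "__main__":
    priv_a, priv_b = 0xC0FFEE1234567891, 0xDEADBEEF87654321  # constructed test keys
    assert derive_shared_secret(priv_a, public_key(priv_b)) == \
        derive_shared_secret(priv_b, public_key(priv_a))
    bogus = (G[0], G[1] + 1)  # constructed: same x as G, y nudged off the curve
    print("off-curve point accepted:", accepts_public_key(bogus))  # False
```

The order check doubles the cost of validation and is redundant on P-256, but it is the check that matters on curves with a cofactor greater than one, so it is worth keeping in a generic routine. A production implementation should use a vetted library's constant-time arithmetic; what this example shows is the shape of the check that was missing.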
Talos Blog: Necurs Diversifies Its Portfolio http://blog.talosintelligence.com/2017/03/necurs-diversifies.html
GitHub Enterprise Remote Code Execution http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html
VM Escape Earns Hackers $105K at Pwn2Own https://threatpost.com/vm-escape-earns-hackers-105k-at-pwn2own/124397/
Samsung Leaking Customer Information https://hackernoon.com/samsung-leaking-customer-information-9b7e2dcb006d?gi=18e80d0d0e11
How Common and How Reliable Are Randomized Mac Addresses https://packetmozart.com/2017/03/21/how-common-and-how-reliable-are-randomized-mac-addresses/
0-day or Feature? Privilege Escalation/Session Hijacking Using RDP in Windows http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
LastPass: websiteConnector.js content script allows proxying internal RPC commands https://bugs.chromium.org/p/project-zero/issues/detail?id=1209
Detection Name: W32.Trojan.NM

SHA 256: 8897f94710f3ca65af0e52f6e2b76e6319dd5fb0dd6ad0968f8acc0d25ee783a
Detection Name: W32.8897F94710-95.SBX.TG

SHA 256: f4ae1a3d610a57547f014215a5d7aaed8572cd36aa77a9567c183f11430a6b55
Detection Name: W32.F4AE1A3D61-95.SBX.TG

SHA 256: e8f80d0b97ecb8ccb06741e99e04eb5c843c0d76c6ba40047b917033f0510386
Detection Name: W32.Trojan.NM

SHA 256: aa44a8dd4563c03ac65650622cb3af81f52e8ea2e1df663f68e0061b8bcac3ce