Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Cisco Releases Critical Security Advisory For IOS and IOS XE 0-day Found in “Vault 7” Info Dump
####Date: 2017-03-29 - 2017-03-30
####Speaker: William Largent, Technical Leader
Description: Cisco’s Talos Group specializes in the early-warning intelligence and threat analysis needed to maintain a secure network. People responsible for defending networks know that the threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform a deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
####Reference: http://www.cisco.com/c/m/digital/usc/securityweek/index.html#~NYC
###Event: Ransomware, Banking Trojans and Floki Bot: A Threat Trifecta (Free Online Webinar)
####Date: 2017-03-30 17:00 UTC / 13:00 EDT / 10:00 PDT
####Speaker: Edmund Brumaghin, Technical Leader
Description: Malware seems to be the Swiss Army knife in an attacker’s toolkit; some threats, like ransomware, target the user’s data, while others, such as banking trojans, seek to exfiltrate sensitive data. Join our live webinar, led by Talos Threat Researcher Edmund Brumaghin, as he covers recent evolutions in malware and offers a detailed analysis of one of the newest banking Trojans, Floki Bot.
####Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Cybrary/AmericasWebinarSeries/registration-page-190OL-4925TP.html
####SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco Releases Critical Security Advisory For IOS and IOS XE 0-day Found in “Vault 7” Info Dump
Description: Cisco has released a critical security advisory in response to CVE-2017-3881, a 0-day vulnerability that was identified in the “Vault 7” information dump. CVE-2017-3881 is a remote code execution vulnerability that manifests in the Cisco Cluster Management Protocol (CMP) processing functionality of IOS and IOS XE. A remote, unauthenticated attacker who transmits malformed CMP-specific Telnet options to a vulnerable device could exploit this flaw and execute arbitrary code with elevated privileges. Note that the vulnerable device must be configured to accept Telnet connections. Cisco is currently developing software updates that will address this vulnerability.
####Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
####Snort SID: 41909-41910
Title: Various JSON Libraries Patched to Address Invalid Curve Crypto Attack
Description: Several JSON libraries have been patched to address a flaw in their implementation of JSON Web Encryption (JWE). Specifically, libraries that implement JWE key agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) were found to be vulnerable to an Invalid Curve Attack, in which the recipient is handed an ephemeral public key that does not lie on the expected curve; the result is that recovery of the recipient's private key could be possible. In response to this flaw being identified, the go-jose, jose2go, Nimbus JOSE+JWT, node-jose, and jose4j JSON libraries were all patched.
####Reference: http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html
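The defensive check whose absence the invalid curve attack exploits is a point-on-curve test of the peer's ephemeral public key before it is used in ECDH-ES. The Python below is an added example, not code from the newsletter or from any of the patched libraries: it parses the `epk` member of a JWE protected header, decodes the base64url JWK coordinates, and accepts the key only if it is a well-formed point on P-256. The two JWE headers are constructed for this demonstration (the P-256 generator as a valid key, and a deliberately off-curve point as an invalid one), and the helper names (`validate_epk`, `jwe_header_epk_ok`) are assumptions.

```python
import base64
import json

# NIST P-256 (secp256r1) domain parameters, the curve behind JWK "crv": "P-256".
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding JOSE uses for JWK coordinates."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def is_on_p256(x: int, y: int) -> bool:
    """True iff (x, y) is in range and satisfies y^2 = x^3 + ax + b over GF(p)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def validate_epk(epk: dict) -> bool:
    """Accept an ECDH-ES ephemeral public key only if it is a point on P-256.

    P-256 has cofactor 1, so an on-curve check is enough to exclude the
    small-order points an invalid curve attack relies on; no separate
    order check is needed for this curve.
    """
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        return False
    try:
        xb = b64url_decode(epk["x"])
        yb = b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False
    if len(xb) != 32 or len(yb) != 32:          # coordinates must be full-width
        return False
    return is_on_p256(int.from_bytes(xb, "big"), int.from_bytes(yb, "big"))


def jwe_header_epk_ok(protected_header_b64: str) -> bool:
    """Validate the "epk" carried in a base64url-encoded JWE protected header."""
    try:
        header = json.loads(b64url_decode(protected_header_b64))
    except ValueError:
        return False
    if header.get("alg") != "ECDH-ES":
        return False
    return validate_epk(header.get("epk", {}))


def _epk(x: int, y: int) -> dict:
    """Build a JWK "epk" object from integer coordinates (constructed sample data)."""
    return {"kty": "EC", "crv": "P-256",
            "x": b64url_encode(x.to_bytes(32, "big")),
            "y": b64url_encode(y.to_bytes(32, "big"))}


# Constructed sample headers: the generator G is on the curve; (Gx, Gy + 1) is not.
VALID_HEADER = b64url_encode(json.dumps(
    {"alg": "ECDH-ES", "enc": "A128GCM", "epk": _epk(P256_GX, P256_GY)}).encode())
INVALID_HEADER = b64url_encode(json.dumps(
    {"alg": "ECDH-ES", "enc": "A128GCM",
     "epk": _epk(P256_GX, (P256_GY + 1) % P256_P)}).encode())

if __name__ == "__main__":
    print("on-curve epk accepted:", jwe_header_epk_ok(VALID_HEADER))
    print("off-curve epk rejected:", not jwe_header_epk_ok(INVALID_HEADER))
```

In a real recipient this check runs before any scalar multiplication with the static private key; rejecting the header outright, rather than attempting decryption and failing later, is what denies the attacker the oracle the attack depends on.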
Talos Blog: Necurs Diversifies Its Portfolio http://blog.talosintelligence.com/2017/03/necurs-diversifies.html
GitHub Enterprise Remote Code Execution http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html
VM Escape Earns Hackers $105K at Pwn2Own https://threatpost.com/vm-escape-earns-hackers-105k-at-pwn2own/124397/
Samsung Leaking Customer Information https://hackernoon.com/samsung-leaking-customer-information-9b7e2dcb006d?gi=18e80d0d0e11
How Common and How Reliable Are Randomized Mac Addresses https://packetmozart.com/2017/03/21/how-common-and-how-reliable-are-randomized-mac-addresses/
0-day or Feature? Privilege Escalation/Session Hijacking Using RDP in Windows http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
LastPass: websiteConnector.js content script allows proxying internal RPC commands https://bugs.chromium.org/p/project-zero/issues/detail?id=1209
####COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
- SHA 256: 24a4cffbe3b0c9394fa95cd2e8437210cd00b940f29884265134d0b53387e4c9
- MD5: 335889e42e25203c77e9553e3987b6ae
- VirusTotal: https://www.virustotal.com/file/24a4cffbe3b0c9394fa95cd2e8437210cd00b940f29884265134d0b53387e4c9/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.Trojan.NM
Detection Name: W32.8897F94710-95.SBX.TG
Detection Name: W32.F4AE1A3D61-95.SBX.TG
Detection Name: W32.Trojan.NM
####TOP SPAM SUBJECTS OBSERVED
“Account Deactivation”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM