Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
### Title: Apple Releases Security Updates for iOS, macOS, tvOS, watchOS, and more
#### Date: 2017-03-29 - 2017-03-30
#### Speaker: William Largent, Technical Leader
Description: Cisco’s Talos Group specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform a deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
#### Reference: http://www.cisco.com/c/m/digital/usc/securityweek/index.html#~NYC
#### Date: 2017-03-30 17:00 UTC / 13:00 EDT / 10:00 PDT
#### Speaker: Edmund Brumaghin, Threat Researcher
Description: Malware seems to be the Swiss Army knife in an attacker’s toolkit: some threats, like ransomware, target the user’s data, while others, such as banking trojans, seek to exfiltrate sensitive data. Join our live webinar, led by Talos Threat Researcher Edmund Brumaghin, as he covers recent evolutions in malware and offers a detailed analysis of one of the newest banking Trojans, Floki Bot.
#### Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Cybrary/AmericasWebinarSeries/registration-page-190OL-4925TP.html
#### Date: 2017-05-14 - 2017-05-15
#### Speaker: Jaeson Schultz, Technical Leader
Description: Over 90% of malware makes use of the Domain Name System. While many organizations implement strict security protections for web traffic, email, and similar channels, they typically have less stringent controls in place to protect against DNS-based threats. Attackers have recognized this fact and are using the DNS for data exfiltration, establishing bi-directional command & control channels, and obtaining bulletproof domain hosting. In this presentation we will discuss the creative ways that cyber criminals abuse the DNS, along with countermeasures defenders can use to help protect their networks.
#### Reference: https://indico.dns-oarc.net/event/26/
#### Date: 2017-05-15 - 2017-05-21
#### Speaker: Paul Rascagneres, Threat Researcher
Subject: Talos is no stranger to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. During the presentation, we will not speak about a specific malware actor, but we will use various different cases to illustrate how the reconnaissance phase is becoming more important and more complex. This talk will mainly focus on the usage of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish whether the target is the intended one. We will mention campaigns against political or military organizations targeting the USA, Europe and Asia.
#### Reference: https://www.nsec.io/speakers/
#### Date: 2017-05-24 - 2017-05-25
#### Speaker: Paul Rascagneres, Threat Researcher
Subject: Invented by an insane criminal in 1989, ransomware has evolved into a major illicit activity. For the criminal, ransomware presents many advantages over trying to make money from selling stolen data, but also presents a number of challenges. In this presentation, I will start by presenting Talos (our activities, organisation and telemetry). Then, I will present how ransomware has developed over the past 28 years, the techniques used by current malware variants and how criminals seek to overcome the difficulties that they face. And finally, how we can expect ransomware to develop in the near future.
#### Reference: https://tate.cz/en/is2
#### SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Description: Apple has released security updates for a number of supported products, including iOS, macOS, tvOS, watchOS, iWork, Safari, and macOS Server. These updates address numerous vulnerabilities, several of which are severe. One particular vulnerability that should be noted is CVE-2017-2485, a remote code execution vulnerability manifesting as an input validation error when parsing X.509 certificates. Exploitation of this vulnerability is possible if a user visits a website that serves the client a malicious certificate. Patches for CVE-2017-2485 and other flaws are available for download and installation.
#### Reference: https://support.apple.com/en-us/HT201222
#### Snort SID: 41999; additional detection pending release of vulnerability information
### Title: LastPass Releases Security Updates Addressing 3 Vulnerabilities
Description: LastPass has released security updates to address 3 vulnerabilities within its password manager browser extensions that were responsibly disclosed by Tavis Ormandy of Google’s Project Zero. One of the vulnerabilities is a password theft flaw that affects LastPass 3.3.2 for Firefox. The second is a remote code execution flaw via proxying internal RPC commands in LastPass. The third vulnerability is a cross-site scripting bug in the LastPass extension for Firefox. All three vulnerabilities have been patched and LastPass has pushed updated browser extensions for Firefox, Chrome and other browsers.
#### Reference:
- https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1188
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1209
### Title: Cisco Releases Semi-annual Security Updates for IOS and IOS XE
Description: Cisco has released its semi-annual security advisory bundle for IOS and IOS XE. In total, five vulnerabilities were addressed: four denial of service flaws and one HTTP command injection vulnerability. The denial of service flaws affect various components, including DHCP, L2TP, Zero Touch Provisioning, and the HTTP interface for IOS XE. The HTTP command injection vulnerability carries a “high” severity rating, but is only exploitable if an attacker is authenticated via the HTTP interface. Software updates that address these flaws are available.
#### Reference: https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-60851
#### Snort SID: 42060-42061, 42069-42071
Microsoft Word File Spreads Malware Targeting Both Apple Mac OS X and Microsoft Windows
http://blog.fortinet.com/2017/03/22/microsoft-word-file-spreads-malware-targeting-both-apple-mac-os-x-and-microsoft-windows
Google to gradually distrust Symantec’s CA for mis-issuing 30,000 HTTPS certs
https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/
PoC || GTFO 0x14 Released!
https://www.alchemistowl.org/pocorgtfo/pocorgtfo14.pdf
Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/
eBay Asks Users to Downgrade Security
https://krebsonsecurity.com/2017/03/ebay-asks-users-to-downgrade-security
#### COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
#### TOP SPAM SUBJECTS OBSERVED
“Mail Faculty & Staff”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM