Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
###Event: The Dark Side of DNS @ OARC 26 (Madrid)
####Date: 2017-05-14 - 2017-05-15
####Speaker: Jaeson Schultz, Technical Leader
Description: Over 90% of malware makes use of the Domain Name System. While many organizations implement strict security protections as it pertains to web traffic, email, etc., they typically have less stringent controls in place to protect against DNS-based threats. Attackers have recognized this fact and are using the DNS for data exfiltration, establishing bi-directional command & control channels, and obtaining bulletproof domain hosting. In this presentation we will discuss creative ways that cyber criminals abuse the DNS along with countermeasures defenders can use to help protect their networks.
####Reference: https://indico.dns-oarc.net/event/26/
####Date: 2017-05-15 - 2017-05-21
####Speaker: Paul Rascagneres, Threat Researcher
Subject: Talos is no stranger to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. During the presentation, we will not speak about a specific malware actor; instead, we will use various different cases to illustrate how the reconnaissance phase is becoming more important and more complex. This talk will mainly focus on the usage of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish whether the target is the intended one. We will mention campaigns against political or military organizations targeting the USA, Europe and Asia.
####Reference: https://www.nsec.io/speakers/
####Date: 2017-05-22 - 2017-05-24
####Speaker: Martin Lee, Technical Leader
Subject: The Internet of Things creates many new opportunities for our personal and professional lives. It also creates new opportunities for criminals to make illicit gain, and for the disaffected to wreak havoc. Recognising that IoT systems will inevitably have vulnerabilities, and will be attacked, allows organisations to design systems to be resilient from the beginning rather than to repeat past mistakes and attempt to bolt on security at a later date. In this session, by referring to a simple IoT architecture, we will discuss examples of how attackers have previously attacked systems, and show how good practices can be applied to protect systems.
####Reference: https://www.iotwf.com/
####Date: 2017-05-24 - 2017-05-25
####Speaker: Paul Rascagneres, Threat Researcher
Subject: Invented by an insane criminal in 1989, ransomware has evolved into a major illicit activity. For the criminal, ransomware presents many advantages over trying to make money from selling stolen data, but also presents a number of challenges. In this presentation, I will start by presenting Talos (our activities, organisation and telemetry). Then, I will present how ransomware has developed over the past 28 years, the techniques used by current malware variants and how criminals seek to overcome the difficulties that they face. And finally, how we can expect ransomware to develop in the near future.
####Reference: https://tate.cz/en/is2
###Event: Talos - Cisco’s Key Into Understanding the Evolving Threat Landscape @ Cisco Security Week (Raleigh, NC)
####Date: 2017-05-24 - 2017-05-25
####Speaker: Alex Chiu, Threat Researcher
Description: Cisco’s Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
####Reference: http://www.cisco.com/c/m/digital/usc/securityweek/index.html
####SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
###Title: Microsoft Releases Updates for Windows, Office, IE/Edge, .NET, and more
Description: Microsoft has released security updates for Windows, Office, IE/Edge, .NET, and more. This month sees Microsoft depart from the traditional bulletin-based updates that detailed security fixes and migrate to the Security Update Guide. Included in the latest release is a fix for CVE-2017-0199, the zero-day vulnerability affecting Microsoft Office that is actively being exploited to propagate Dridex. Microsoft also addressed a privilege escalation vulnerability in Internet Explorer (CVE-2017-0210).
####Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99
####Snort SID: 41962-41963, 41997-41998, 42148-42151, 42152-42168, 42173-42174, 42183-42190, 42199-42200, 42204-42205, and 42208-42211
###Title: Adobe Releases Security Updates for Flash Player and other products
Description: Adobe has released security updates for Flash Player, Acrobat Reader, Photoshop, Campaign, and Creative Cloud. This latest update for Flash Player addresses seven critical vulnerabilities that could result in remote code execution on targeted machines. The Acrobat and Reader updates address 47 vulnerabilities, all but two of them arbitrary code execution flaws.
####Reference:
- https://helpx.adobe.com/security/products/flash-player/apsb17-10.html
- https://helpx.adobe.com/security.html
####Snort SID: Detection pending release of vulnerability information
ShadowBrokers Dump More Equation Group Hacks, Auction File Password
https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/
Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2)
https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
CSRF in Facebook/Dropbox - “Mallory added a file using Dropbox”
http://blog.intothesymmetry.com/2017/04/csrf-in-facebookdropbox-mallory-added.html
Alleged Spam King Pyotr Levashov Arrested
https://krebsonsecurity.com/2017/04/alleged-spam-king-pyotr-levashov-arrested/?
Samsung’s Tizen is riddled with security flaws, amateurishly written
https://arstechnica.com/gadgets/2017/04/samsungs-tizen-is-riddled-with-security-flaws-amateurishly-written/
####COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
- SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739
- MD5: fa1f769475516b03881602d0824cae12
- VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info
- Typical Filename: printerinstallerclientupdater.exe
- Claimed Product: Printer Updater Client
- Detection Name: W32.AE7327F36A-95.SBX.TG
- SHA 256: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f
- MD5: 2dbf779808d2ec3f5121891be9f4b1cf
- VirusTotal: https://www.virustotal.com/file/bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f/analysis/#additional-info
- Typical Filename: helperamc
- Claimed Product: Advanced Mac Cleaner
- Detection Name: OSX.Variant:AMCZ.19if.1201
Detection Name: W32.Auto:d27a038683.in05.Talos
Detection Name: W32.Auto:1c65fa190b.in05.Talos
####TOP SPAM SUBJECTS OBSERVED
- “EXCHANGE DROP (Phrase block) Validate Email To Avoid Closure”
- “@urgent”
- “RE: IT Newsletter”
- “PRIZE AWARD NOTIFICATION OF WIN.”
- “ACCOUNT VERIFICATION”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 16509 Amazon.com, Inc.
- 8075 Microsoft Corporation
- 16276 OVH SAS
- 8560 1&1 Internet SE
- 12876 Online S.a.s.