Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Drupal Releases Advisory for Critical Vulnerability in Drupal Core
Description: Over 90% of malware makes use of the Domain Name System. While many organizations implement strict security protections as it pertains to web traffic, email, etc., they typically have less stringent controls in place to protect against DNS-based threats. Attackers have recognized this fact and are using the DNS for data exfiltration, establishing bi-directional command & control channels, and obtaining bulletproof domain hosting. In this presentation we will discuss creative ways that cyber criminals abuse the DNS along with countermeasures defenders can use to help protect their networks.
Subject: Talos is no stranger to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. During the presentation, we will not speak about a specific malware actor but we will use various different cases to illustrate how the reconnaissance phase is becoming more important and more complex. This talk will mainly focus on the usage of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish if the target is the intended one. We will mention campaigns against political or military organizations targeting USA, Europa and Asia.
Subject: The Internet of Things creates many new opportunities for our personal and professional lives. It also creates new opportunities for criminals to make illicit gain, and for the disaffected to wreak havoc. Recognising that IoT systems will inevitably have vulnerabilities, and will be attacked allows organisations to design systems to be resilient from the beginning rather than to repeat past mistakes and attempt to bolt on security at a later date. In this session, by referring to a simple IoT architecture, we will discuss examples of how attackers have previously attacked systems, and show how good practices can be applied to protect systems.
Subject: Invented by an insane criminal in 1989, ransomware has evolved into a major illicit activity. For the criminal, ransomware presents many advantages over trying to make money from selling stolen data, but also presents a number of challenges. In this presentation, I will start by presenting Talos (our activities, organisation and telemetry). Then, I will present how ransomware has developed over the past 28 years, the techniques used by current malware variants and how criminals seek to overcome the difficulties that they face. And finally, and how we can expect ransomware to develop in the near future.
Date: 2017-06-07 - 2017-06-08
Description: Cisco's Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk/webinar, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Description: Drupal has released a security advisory to address CVE-2017-6919, a critical vulnerability in Drupal Core. CVE-2017-6919 is a critical access bypass vulnerability that manifests if the site has the RESTful web services module enabled, the site permits PATCH requests, and if an attacker has control of a user account on the targeted site. Drupal has released a software update for both the 8.2.x and 8.3.x branches of the software to address this issue.
Description: Adobe has released a security bulletin to address vulnerabilities in ColdFusion 10, 11, and the 2016 release. One of the vulnerabilities is a input validation flaw that could lead to a cross-site scripting (XSS) attack. The other is an update to the Apache BlazeDS library that addresses a Java deserialization vulnerability. Software updates are available for both of these vulnerabilities.
Description: Researchers have identified a arbitrary code execution vulnerability in SquirrelMail, a PHP-based webmail package. This flaw manifests due to "insufficient escaping of user-supplied data" if SquirrelMail has been configured to use Sendmail as the main transport. As a result, attackers could exploit this flaw to achieve arbitrary command execution on the targeted system. This issue has been identified by two separate researchers, one independent, and one from Legal Hackers. No official software update for this issue is currently available. Administrators who rely on SquirrelMail should consider switching to SMTP-based transport instead of Sendmail.
============================================================
Hipchat resets user passwords after possible breach
http://www.pcworld.com/article/3192228/security/hipchat-resets-user-passwords-after-possible-breach.html
Webroot Antivirus mistakenly flags Windows system files as malware, Facebook as phishing site
http://www.zdnet.com/article/webroot-antivirus-mistakenly-flags-windows-system-files-as-malware/
Combating a spate of Java malware with machine learning in real-time
https://blogs.technet.microsoft.com/mmpc/2017/04/20/combating-a-wave-of-java-malware-with-machine-learning-in-real-time/
Exception-oriented exploitation on iOS
https://googleprojectzero.blogspot.com/2017/04/exception-oriented-exploitation-on-ios.html
Mighty Morphin Malware Purveyors: Locky Returns Via Necurs
http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html?
Analysis of DOUBLEPULSAR Initial SMB Backdoor Ring 0 Shellcode
https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
Top 10 Developer Crypto Mistakes
https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/
Detection Name: W32.AE7327F36A-95.SBX.TG
SHA 256: c19fd401e01738676c11c84c5c3d4c0d33761d2bdd5babbb499696b6a24c10e4
Detection Name: W32.Ransom.20fx.1201
SHA 256: 061cbc0bd6409cb7e385f1a67a8b169a211fb96aff3f7ec15087ef0a2b8ccdd3
Detection Name: Application:ADWARE-tpd
SHA 256: 87b3ec6edc502fa2a015a31e4c5dc7b8542a2c01c3ef68fb3f35df40117a9cf4
Detection Name: PDF.Auto:87b3ec6edc.in05.Talos
SHA 256: d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137