Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
WannaCry Ransomware Compromises Hosts Around The World Via Worm-like Activity
###Event: The Modern Reconnaissance Phase by APT – Protection Layer @ nsec
####Date: 2017-05-15 - 2017-05-21
####Speaker: Paul Rascagneres, Threat Researcher
Synopsis: Talos is no stranger to APT attacks. During recent research, we observed how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. During the presentation, we will not speak about a specific malware actor but will use various different cases to illustrate how the reconnaissance phase is becoming more important and more complex. This talk will mainly focus on the usage of malicious documents (Microsoft Office and Hangul Word Processor) and watering hole attacks designed to establish whether the target is the intended one. We will mention campaigns against political or military organizations targeting the USA, Europe and Asia.
####Reference: https://www.nsec.io/speakers/
###Event: The Security of the Internet of Things @ IoT World Forums (London, UK)
####Date: 2017-05-22 - 2017-05-24
####Speaker: Martin Lee, Technical Leader
Synopsis: The Internet of Things creates many new opportunities for our personal and professional lives. It also creates new opportunities for criminals to make illicit gain, and for the disaffected to wreak havoc. Recognising that IoT systems will inevitably have vulnerabilities and will be attacked allows organisations to design systems to be resilient from the beginning, rather than repeat past mistakes and attempt to bolt on security at a later date. In this session, by referring to a simple IoT architecture, we will discuss examples of how attackers have previously attacked systems, and show how good practices can be applied to protect systems.
####Reference: https://www.iotwf.com/
###Event: The History of Ransomware @ TATE IS2 (Prague)
####Date: 2017-05-24 - 2017-05-25
####Speaker: Paul Rascagneres, Threat Researcher
Synopsis: Invented by an insane criminal in 1989, ransomware has evolved into a major illicit activity. For the criminal, ransomware presents many advantages over trying to make money from selling stolen data, but also presents a number of challenges. In this presentation, I will start by presenting Talos (our activities, organisation and telemetry). Then, I will present how ransomware has developed over the past 28 years, the techniques used by current malware variants and how criminals seek to overcome the difficulties that they face. Finally, I will discuss how we can expect ransomware to develop in the near future.
####Reference: https://tate.cz/en/is2
###Event: Talos - Cisco’s Key Into Understanding the Evolving Threat Landscape @ Cisco Security Week (Raleigh, NC)
####Date: 2017-06-07 - 2017-06-08
####Speaker: Alex Chiu, Threat Researcher
Synopsis: Cisco’s Talos Group specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk/webinar, we will perform a deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
####Reference: http://www.cisco.com/c/m/digital/usc/securityweek/index.html
###Title: WannaCry Ransomware Compromises Hosts Around The World Via Worm-like Activity
Description: A major ransomware variant known as ‘WannaCry’ has compromised a large number of hosts around the world in a worm-like manner. WannaCry spreads by exploiting the SMBv1 vulnerabilities patched in MS17-010, using tools and exploits leaked by the Shadow Brokers. Damage appears to have been limited because a “kill switch” domain was registered: when the malware can reach that domain it exits before encrypting files or propagating further. Hosts that cannot reach the domain (for example, hosts that can only reach the internet through a proxy, which the malware does not use) get no benefit from the kill switch and remain exposed. Organizations should apply MS17-010 to all vulnerable systems and block inbound SMB traffic (TCP port 445) from untrusted networks.
####Reference: http://blog.talosintelligence.com/2017/05/wannacry.html?f_l=s
####Snort SID: 41978, 42329-42332
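The following probe is an added example for this entry, not code from Talos or from the WannaCry write-up. It checks the precondition the worm relies on: whether a host still negotiates an SMBv1 dialect on TCP 445. It builds an SMB_COM_NEGOTIATE request offering only SMBv1 dialects and reads the DialectIndex from the reply; a reset connection, an error status, a DialectIndex of 0xFFFF, or a reply framed as SMB2 all mean SMBv1 was not negotiated. A host that does negotiate NT LM 0.12 is reachable over SMBv1 and must be confirmed patched for MS17-010; the probe does not test the patch itself. The constructed reply builder exists only so the parser can be exercised offline; the PID and MID values are arbitrary, and the flags2 bits are the ones commonly set by Windows clients.

```python
import socket
import struct

# Dialects are offered in this order; the server replies with an index into the
# list, or 0xFFFF when it accepts none of them (MS-CIFS 2.2.4.52).
SMB1_DIALECTS = ("PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12")
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=SMB1_DIALECTS):
    """Return a NetBIOS-framed SMB_COM_NEGOTIATE request offering only SMBv1 dialects."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB",          # SMBv1 protocol identifier
        SMB_COM_NEGOTIATE,   # command
        0,                   # NT status (unused in a request)
        0x18,                # flags: canonical paths, case-insensitive
        0xC801,              # flags2: unicode, NT status, extended security, long names
        0,                   # PIDHigh
        b"\x00" * 8,         # SecurityFeatures (no signing)
        0, 0,                # Reserved, TID
        0xFEFF,              # PIDLow (arbitrary)
        0,                   # UID (not yet authenticated)
        1,                   # MID
    )
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount, dialect strings
    smb = header + body
    return struct.pack(">I", len(smb)) + smb        # NBSS header: type 0x00 + 24-bit length


def parse_negotiate_response(frame, dialects=SMB1_DIALECTS):
    """Return the SMBv1 dialect the server selected, or None when SMBv1 was refused.

    `frame` is the raw reply including the 4-byte NetBIOS session header.
    """
    if len(frame) < 4 + 32 + 1:
        return None                      # too short to carry an SMB header plus WordCount
    smb = frame[4:]
    if smb[:4] == b"\xfeSMB":
        return None                      # server answered in SMB2: SMBv1 not negotiated
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        return None
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return None                      # error response, no dialect selected
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return None
    return dialects[dialect_index]


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, offer SMBv1 dialects, and report the one chosen (None if refused)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            frame = sock.recv(4096)
    except OSError:
        return None                      # reset, timeout or unreachable: treat as not negotiated
    return parse_negotiate_response(frame)


def build_constructed_negotiate_response(dialect_index):
    """Constructed server reply (not captured traffic) so the parser can be tested offline."""
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                         0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 1)
    # WordCount=17 followed by 17 parameter words; only DialectIndex matters here
    params = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32
    smb = header + params + struct.pack("<H", 0)   # ByteCount = 0
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        chosen = probe_smb1(target)
        verdict = f"SMBv1 enabled ({chosen})" if chosen else "SMBv1 not negotiated"
        print(f"{target}: {verdict}")
```

Run it with one or more hostnames or addresses; a "not negotiated" result from outside the network segment also confirms that an inbound TCP 445 block is in effect.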
###Title: Apple Releases Security Updates; Addresses Flaws Demoed at Pwn2Own
Description: Apple has released security updates for macOS, iOS, watchOS, tvOS, as well as Safari, iTunes, and iCloud for Windows. These updates resolve 66 vulnerabilities, many of which were demonstrated at the annual Pwn2Own hacking contest. Eleven of the vulnerabilities addressed in iOS could have led to arbitrary code execution via various methods.
####Reference: https://support.apple.com/en-us/HT201222
####Snort SID: Detection pending release of vulnerability information
Microsoft Releases Security Updates for Out-of-Support Windows XP, Server 2003, and 8 in Response to WannaCry
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
ShadowBrokers Planning Monthly Exploit, Data Dump Service
https://threatpost.com/shadowbrokers-planning-monthly-exploit-data-dump-service/125710/
OpenVPN 2.4 Evaluation Summary and Report
https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-evaluation-summary-report/
Breach at DocuSign Led to Targeted Email Malware Campaign
https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/
Exploiting the Linux kernel via packet sockets
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
- SHA 256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
- MD5: db349b97c37d22f5ea1d1841e3c89eb4
- VirusTotal: https://www.virustotal.com/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/#additional-info
- Typical Filename: mssecsvc.exe
- Claimed Product: Microsoft® Disk Defragmenter
- Detection Name: W32.GenericKD:TrojanRansom.20gp.1201
- SHA 256: ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739
- MD5: fa1f769475516b03881602d0824cae12
- VirusTotal: https://www.virustotal.com/file/ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739/analysis/#additional-info
- Typical Filename: printerinstallerclientupdater.exe
- Claimed Product: Printer Updater Client
- Detection Name: W32.AE7327F36A-95.SBX.TG
- SHA 256: e95ada7eaa47b78e069cd2b78560d4e85b5ddfd27278234d9d38e6015a8734a8
- MD5: 8723896b67bad4423ff1173bebd52e13
- VirusTotal: https://www.virustotal.com/file/e95ada7eaa47b78e069cd2b78560d4e85b5ddfd27278234d9d38e6015a8734a8/analysis/#additional-info
- Typical Filename: 20170512269031.pdf
- Claimed Product: N/A
- Detection Name: W32.E95ADA7EAA-100.SBX.TG
- SHA 256: 6e2b4a15d133a62c95c1633d5cbf8a25fb165eb2bd38ffbcd049d0db14d0c33c
- MD5: 3dad64eb956856a790d16014d5f3f4f6
- VirusTotal: https://www.virustotal.com/file/6e2b4a15d133a62c95c1633d5cbf8a25fb165eb2bd38ffbcd049d0db14d0c33c/analysis/#additional-info
- Typical Filename: 20170512376438.pdf
- Claimed Product: N/A
- Detection Name: W32.6E2B4A15D1-100.SBX.TG
- SHA 256: 22d3b97d929c8639f6ea265f2c30e6db1bb5b8d3b54ff6466790f9fef35b4789
- MD5: 424364553644a7d897b87632da4a130a
- VirusTotal: https://www.virustotal.com/file/22d3b97d929c8639f6ea265f2c30e6db1bb5b8d3b54ff6466790f9fef35b4789/analysis/#additional-info
- Typical Filename: 20170511746985.pdf
- Claimed Product: N/A
- Detection Name: W32.22D3B97D92-100.SBX.TG
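As an added example (not a Talos tool), the script below turns the hash list above into a file-system sweep: it hashes every file under a directory once, computing SHA-256 and MD5 in the same pass so large binaries are read a single time, and reports any file whose digest matches one of the entries. The IOC table is built from the SHA-256, MD5, filename and detection name values listed above; the lookup accepts either hash alone, since a feed may publish only one of the two, and compares case-insensitively because hashes are often pasted in upper case. Unreadable files are skipped rather than aborting the sweep.

```python
import hashlib
import os
import sys

# Built from the hashes listed above, keyed by lowercase SHA-256.
IOCS = {
    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c": {
        "md5": "db349b97c37d22f5ea1d1841e3c89eb4",
        "filename": "mssecsvc.exe",
        "detection": "W32.GenericKD:TrojanRansom.20gp.1201",
    },
    "ae7327f36a659d01a85d4071a4570458ec03a05a6ce7d2f6d092fb46aff3e739": {
        "md5": "fa1f769475516b03881602d0824cae12",
        "filename": "printerinstallerclientupdater.exe",
        "detection": "W32.AE7327F36A-95.SBX.TG",
    },
    "e95ada7eaa47b78e069cd2b78560d4e85b5ddfd27278234d9d38e6015a8734a8": {
        "md5": "8723896b67bad4423ff1173bebd52e13",
        "filename": "20170512269031.pdf",
        "detection": "W32.E95ADA7EAA-100.SBX.TG",
    },
    "6e2b4a15d133a62c95c1633d5cbf8a25fb165eb2bd38ffbcd049d0db14d0c33c": {
        "md5": "3dad64eb956856a790d16014d5f3f4f6",
        "filename": "20170512376438.pdf",
        "detection": "W32.6E2B4A15D1-100.SBX.TG",
    },
    "22d3b97d929c8639f6ea265f2c30e6db1bb5b8d3b54ff6466790f9fef35b4789": {
        "md5": "424364553644a7d897b87632da4a130a",
        "filename": "20170511746985.pdf",
        "detection": "W32.22D3B97D92-100.SBX.TG",
    },
}
# Secondary index so a bare MD5 can be resolved to the same record.
MD5_INDEX = {rec["md5"]: sha for sha, rec in IOCS.items()}
CHUNK = 1 << 20  # 1 MiB read size


def digest_bytes(data):
    """Return (sha256_hex, md5_hex) for an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def digest_file(path):
    """Hash a file in one streaming pass, feeding both digests from each chunk."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def match_digests(sha256_hex, md5_hex, iocs=IOCS, md5_index=MD5_INDEX):
    """Resolve a (sha256, md5) pair to an IOC record; either hash alone is enough.

    Returns the record with its SHA-256 added, or None when neither hash is listed.
    """
    key = None
    if sha256_hex and sha256_hex.lower() in iocs:
        key = sha256_hex.lower()
    elif md5_hex and md5_hex.lower() in md5_index:
        key = md5_index[md5_hex.lower()]
    if key is None:
        return None
    return dict(iocs[key], sha256=key)


def scan_tree(root, iocs=IOCS):
    """Walk `root` and return [(path, record)] for every file whose hashes match an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = digest_file(path)
            except OSError:
                continue  # unreadable or vanished during the walk: skip, keep sweeping
            hit = match_digests(sha, md5, iocs)
            if hit:
                hits.append((path, hit))
    return hits


if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        for path, hit in scan_tree(root):
            print(f"{path}: {hit['detection']} (listed as {hit['filename']})")
```

Hash matching only catches the exact samples listed; a rebuilt or repacked binary will not match, so treat a clean sweep as "these specific files are absent", not as proof the host is uncompromised.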
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM