Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Microsoft Releases Monthly Security Updates for June 2017
###Event: Talos - Cisco’s Key Into Understanding the Evolving Threat Landscape @ Cisco Security Week (Detroit, MI)
####Date: 2017-06-21 - 2017-06-22
####Speaker: Nick Biasini, Threat Researcher
Synopsis: People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. ####Reference: http://www.cisco.com/c/m/digital/usc/securityweek/index.html
###Event: Talos Insights: The State of Cyber Security @ Cisco Live US 2017 (Las Vegas, NV)
####Date: 2017-06-29
####Speaker: Craig Williams, Global Outreach Manager
Synopsis: Cisco’s Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. ####Reference: https://www.ciscolive.com/us/learn/sessions/session-catalog/?search=BRKSEC-2010
###Event: Modern Reconnaissance Phase by APTs @ Shakacon IX (Honolulu, HI)
####Date: 2017-07-10 - 2017-07-13
####Speaker: Paul Rascagneres, Threat Researcher
Synopsis: This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users. ####Reference: https://www.shakacon.org/modern-reconnaissance-phase-on-apt-protection-layer-by-paul-rascagneres/
###Title: Microsoft Releases Monthly Security Updates for June 2017
Description: Microsoft has released its monthly set of security updates designed to address vulnerabilities that have been identified in various products. This month’s release resolves 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.
####Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
####Snort SID: 17042, 24500, 43155-43166, 43169-43176
###Title: Adobe Releases Security Updates for Flash Player, Shockwave Player, Captivate, and Digital Editions
Description: Adobe has released a security updates for Flash Player, Shockwave Player, Captivate, and Digital Editions. The security updates for Flash Player and Shockwave Player collectively address 10 vulnerabilities with four of them being use-after-free vulnerabilities and six being memory corruption vulnerabilities. All 10 vulnerabilities, if exploited, could lead to remote code execution.
####Reference:
- https://helpx.adobe.com/security/products/shockwave/apsb17-18.html
- https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
####Snort SID: Detection pending release of vulnerability information
###Title: Cisco Releases Security Advisory for Code Execution Flaw in Prime Data Center Network Manager
Description: Cisco has released a security advisory for CVE-2017-6639, an arbitrary code execution vulnerability in Prime Data Center Network Manager. CVE-2017-6639 manifests in the role-based access control functionality of Cisco Prime Data Center Network Manager and “is due to the lack of authentication and authorization mechanisms for a debugging tool” inadvertently enabled. Cisco has released a software update addressing this vulnerability.
####Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1
####Snort SID: 31302
PLATINUM continues to evolve, find ways to maintain invisibility
https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/
Following the Money Hobbled vDOS Attack-for-Hire Service
https://krebsonsecurity.com/2017/06/following-the-money-hobbled-vdos-attack-for-hire-service/
Making the Internet safer and faster: Introducing reCAPTCHA Android API
https://security.googleblog.com/2017/06/making-internet-safer-and-faster.html
MacSpy: OS X RAT as a Service
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service
Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell
https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
- SHA 256: a82024fbe5d6be2049d9d36c050202cac59078808f531d161419fee46cdab017
- MD5: 72ccb030291a59611ee9f85cfa258e9a
- VirusTotal: https://www.virustotal.com/file/a82024fbe5d6be2049d9d36c050202cac59078808f531d161419fee46cdab017/analysis/#additional-info
- Typical Filename: の請求書2.xls
- Claimed Product: N/A
- Detection Name: W32.A82024FBE5-100.SBX.TG
- SHA 256: cbe2f8e05a4f40c3c342bcad76d05b4a0c856a804d9da0cd3ca6a473bf390ecf
- MD5: d345fee1e394eaa36a71fab784ec6373
- VirusTotal: https://www.virustotal.com/file/cbe2f8e05a4f40c3c342bcad76d05b4a0c856a804d9da0cd3ca6a473bf390ecf/analysis/#additional-info
- Typical Filename: SKMBT_C284e17012315230.pdf
- Claimed Product: N/A
- Detection Name: PDF.CBE2F8E05A.Phishing.EE.e01.Talos
- SHA 256: 2e8ac22c28f828ce98b21427d06795c4ed73ba25b21224384431acba5367920d
- MD5: 2c59311169af5854f1c1ecfccb11e493
- VirusTotal: https://www.virustotal.com/file/2e8ac22c28f828ce98b21427d06795c4ed73ba25b21224384431acba5367920d/analysis/#additional-info
- Typical Filename: 6TPLDGWV5S.doc
- Claimed Product: N/A
- Detection Name: W32.2E8AC22C28-95.SBX.TG
- SHA 256: 8897f94710f3ca65af0e52f6e2b76e6319dd5fb0dd6ad0968f8acc0d25ee783a
- MD5: cc9e1075db0645f1032f8c4b4412deba
- VirusTotal: https://www.virustotal.com/file/8897f94710f3ca65af0e52f6e2b76e6319dd5fb0dd6ad0968f8acc0d25ee783a/analysis/#additional-info
- Typical Filename: winlxoy.exe
- Claimed Product: (unknown)
- Detection Name: W32.Crypt:Rootkitgen.20gq.1201
- SHA 256: f4ae1a3d610a57547f014215a5d7aaed8572cd36aa77a9567c183f11430a6b55
- MD5: 51e63633487f9180ec8031980684bf86
- VirusTotal: https://www.virustotal.com/file/f4ae1a3d610a57547f014215a5d7aaed8572cd36aa77a9567c183f11430a6b55/analysis/#additional-info
- Typical Filename: wineagvw.exe
- Claimed Product: (none)
- Detection Name: W32.AgentWDCR:Malwaregen.20gd.1201
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM