Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
New Petya Ransomware Variant "Nyetya" Compromises Systems Worldwide
Synopsis: Cisco's Talos Group specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Description: A new ransomware variant has surfaced that compromise systems by encrypting files and the master boot record (MBR). Preliminary analysis suggests that this new malware moves laterally within a network by leveraging EternalBlue as well as WMI and PsExec. This malware was initially believed to be a variant of Petya. However it's now believed that this is an entirely new variant of ransomware/malware. Active research into this threat is ongoing and will continue.
Description: Microsoft has released an update for its Malware Protection Engine following a vulnerability being identified and reported by Google Project Zero. This particular vulnerability, CVE-2017-8558, manifests as a heap corruption flaw in the x86 emulator that is embedded in the engine. An attacker wishing to exploit this vulnerability could craft a specially written application that, when scanned by by the Malware Protection Engine, would result in arbitrary code execution. Microsoft has released an update for this vulnerability that should automatically be applied to all Windows systems.
Description: Drupal has released a maintenance update for Drupal 8.3. and 7.5. This update addresses three vulnerabilities with the most critical being CVE-2017-6920, a arbitrary code execution bug. CVE-2017-6920 is a bug in the PECL YAML parser and manifests due to improperly handling PHP objects. CVE-2017-6921 is another vulnerability that is addressed and is a input validation flaw with file REST resources. The final vulnerability addressed is CVE-2017-6922, an access bypass vulnerability for private files uploaded by anonymous users.
Understanding the true size of “Fireball”
Following the Trail of BlackTech’s Cyber Espionage Campaigns
The OpenVPN post-audit bug bonanza
Microsoft bringing EMET back as a built-in part of Windows 10