Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Microsoft Releases Monthly Security Updates for July 2017
### Event: Modern Reconnaissance Phase by APTs @ Shakacon IX (Honolulu, HI)
#### Date: 2017-07-10 - 2017-07-13
#### Speaker: Paul Rascagneres, Threat Researcher
Description: This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.
### Event: NIRMA 2017 Conference
#### Date: 2017-08-06 - 2017-08-09
#### Speaker: Edmund Brumaghin
Description: The threat landscape is constantly evolving. As new methods and solutions for combating cyber threats are developed, threat actors will continue to evolve their tactics, techniques, and procedures. This is one of the many reasons that solid threat intelligence is such an essential part of a sound cyber security strategy. There are constantly new threats being faced by organizations globally across virtually every industry. This presentation will provide an overview of the threat landscape, a description of the common types of attacks that are used to compromise organizations, as well as a discussion of the potential impact these attacks can have on business operations. Ransomware, exploit kits, and malicious/phishing email campaigns will be discussed with specific examples provided in an attempt to provide an inside look at what is currently occurring within the threat landscape.
#### Reference: https://www.nirma.org/wp-content/uploads/2017/07/2017-NIRMA-Schedule.pdf
### Title: Microsoft Releases Monthly Security Updates for July 2017
Description: Microsoft has released its monthly set of security updates for July 2017. This month's release addresses 54 vulnerabilities, 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework, Internet Explorer, Office, and Windows.
#### Reference: https://portal.msrc.microsoft.com/en-us/security-guidance
#### Snort SID: 42753, 42755-42756, 43460-43463, 43465-43466, 43469-43474, 43490-43493, 43521-43522
#### ClamAV: N/A
### Title: Sliding right into disaster: Left-to-right sliding windows leak
Description: Researchers have published details of a vulnerability in Libgcrypt that allows RSA-1024 keys to be broken.
#### Reference: https://eprint.iacr.org/2017/627.pdf
#### Snort SID: N/A
#### ClamAV: N/A
### Title: Talos Discloses Iceni Infix PDF Editor Memory Corruption
Description: Talos has disclosed a memory corruption vulnerability in the Iceni Infix PDF Editor.
#### Reference: http://blog.talosintelligence.com/2017/07/iceni-infix-pdf.html
#### Snort SID: 43212-43213
#### ClamAV: N/A
The MeDoc Connection
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
The Clever Phishing Trick Used by Hackers Targeting the US Energy Sector
https://www.bleepingcomputer.com/news/security/the-clever-phishing-trick-used-by-hackers-targeting-the-us-energy-sector/
Decryption Key to Original Petya Ransomware Released
https://threatpost.com/decryption-key-to-original-petya-ransomware-released/126705/
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://virustotal.com/en/file/C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F/analysis/
- Typical Filename: tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.C3E530CC00-95.SBX.TG

- SHA 256: e5a874a0282f2952db3300e9c09d77063cab7b2c408a05321d82994b56cfa0e9
- MD5: b004ff361b22d4dd4734c6acee088356
- VirusTotal: https://virustotal.com/en/file/E5A874A0282F2952DB3300E9C09D77063CAB7B2C408A05321D82994B56CFA0E9/analysis/
- Typical Filename: MailRuUpdater.exe
- Claimed Product: MailRuUpdater
- Detection Name: W32.E5A874A028-95.SBX.TG

- SHA 256: 981528cbeafd245f003c838e0db3fb55d755b447631b0472fd2c164de72dcaee
- MD5: c3f2bdec751c91036a982bd5aaff3327
- VirusTotal: https://virustotal.com/en/file/981528CBEAFD245F003C838E0DB3FB55D755B447631B0472FD2C164DE72DCAEE/analysis/
- Typical Filename: lsmo.exe
- Claimed Product: N/A
- Detection Name: W32.981528CBEA-95.SBX.TG

- SHA 256: b98d862e2ff6d0fd9185548b3becb5032720531b066afc41e7e57764a6b58583
- MD5: fd20a8d69dba9ead569e32979f26c8b9
- VirusTotal: https://virustotal.com/en/file/B98D862E2FF6D0FD9185548B3BECB5032720531B066AFC41E7E57764A6B58583/analysis/
- Typical Filename: Mpeg.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.20hq.1201

- SHA 256: 119e578472a931294eebc26d0b7c45cf32f6ba20456b8139a458283c55d71b0e
- MD5: 7ac49e8aad3c5fc0efb472b4505186ba
- VirusTotal: https://virustotal.com/en/file/119E578472A931294EEBC26D0B7C45CF32F6BA20456B8139A458283C55D71B0E/analysis/
- Typical Filename: CompAttr.exe
- Claimed Product: N/A
- Detection Name: W32.119E578472-95.SBX.TG