Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Apple Releases Security Updates Across Product Portfolio
### Event: Evolutionary Kernel Fuzzing @ Black Hat USA 2017 (Mandalay Bay, Las Vegas, NV)
#### Date: Thurs. July 27, 2:30pm-3:20pm - Lagoon ABCGHI
#### Speaker: Rich Johnson, Research Lead
Synopsis: The modern model of vulnerability mitigation includes robust sandboxing and usermode privilege separation to contain inevitable flaws in the design and implementation of software. As adoption of containment technology spreads to browsers and other software, we see the value of exploits continue to rise as multiple vulnerabilities must be chained together with extreme levels of binary artistry to achieve full system control. As such, there has recently been a high demand to identify kernel vulnerabilities that can bypass sandboxes and process isolation to successfully achieve full system compromise. With this heightened demand, the past few years have seen a massive first wave of kernel vulnerability discovery in the graphics layer of the Windows kernel and the peripheral drivers of the Linux kernel. This lecture will discuss methods for applying evolutionary coverage-guided fuzzing to kernel system calls, IOCTLs, and other low-level interfaces.
#### Reference: https://www.blackhat.com/us-17/briefings/schedule/#evolutionary-kernel-fuzzing-7720
### Event: NIRMA 2017 Conference
#### Date: 2017-08-06 - 2017-08-09
#### Speaker: Edmund Brumaghin
Synopsis: The threat landscape is constantly evolving. As new methods and solutions for combating cyber threats are developed, threat actors will continue to evolve their tactics, techniques, and procedures. This is one of the many reasons that solid threat intelligence is such an essential part of a sound cyber security strategy. There are constantly new threats being faced by organizations globally across virtually every industry. This presentation will provide an overview of the threat landscape, a description of the common types of attacks that are used to compromise organizations, as well as a discussion of the potential impact these attacks can have on business operations. Ransomware, exploit kits, and malicious/phishing email campaigns will be discussed with specific examples provided in an attempt to provide an inside look at what is currently occurring within the threat landscape.
#### Reference: https://www.nirma.org/wp-content/uploads/2017/07/2017-NIRMA-Schedule.pdf
### Event: Fileless Malware - The New “Cyber” @ DerbyCon 7.0 (Louisville, KY)
#### Date: 2017-09-20 - 2017-09-24
#### Speaker: Edmund Brumaghin, Threat Researcher; Colin Grady, Research Engineer
Synopsis: Buzzwords are the bane of the infosec community. Whether it’s “cyber” or “APT”, these terms are often used as nothing more than a way to generate clicks or by marketing teams to push more blinky lights to customers. “Fileless malware” is the latest example of this. Attacks leveraging malware that have been dubbed “fileless malware attacks” have been generating significant media coverage recently, leading many to wonder what impact these attacks may have on their organizations or whether they are adequately protected against them. In many cases these attacks are not truly fileless and result in various artifacts being written to targeted systems. In this presentation we will provide a brief history of in-memory malware as well as walk through some specific examples of malware that makes use of this approach to infecting systems. We will also cover why most malware is not actually “fileless”, along with specific examples of threats that make use of interesting persistence mechanisms that do not resemble what many have grown accustomed to seeing from malware.
#### Reference: https://www.derbycon.com/
### Title: Apple Releases Security Updates Across Product Portfolio
Description: Apple has released security updates for various products in its portfolio, including iOS, macOS, tvOS, Safari, and more. This latest update addresses the “BroadPwn” bug, a remote code execution vulnerability in the Broadcom Wi-Fi chipsets used in affected devices. In addition, thirteen other arbitrary code execution vulnerabilities were also addressed.
#### Reference: https://support.apple.com/en-us/HT201222
#### Snort SID: Detection pending release of vulnerability information
Senator Calls For Use Of DMARC To Curb Phishing
https://threatpost.com/senator-calls-for-use-of-dmarc-to-curb-phishing/126931/
Adobe to Stop Supporting Flash Player in 2020
https://blogs.adobe.com/conversations/2017/07/adobe-flash-update.html
Remote Code Execution Bug Found in Valve’s Source SDK; Affects Games
https://oneupsecurity.com/research/remote-code-execution-in-source-games?
EnglishmansDentist Exploit (from Apr 2017 Shadow Brokers Leak) Analysis
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/
How a Citadel Trojan Developer Got Busted
https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-developer-got-busted/?
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM