August 08, 2017

TOP VULNERABILITY THIS WEEK:

Microsoft Releases Monthly Set of Security Updates for August 2017

UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

###Event: Fileless Malware - The New “Cyber” @ DerbyCon 7.0 (Louisville, KY) ####Date: 2017-09-20 - 2017-09-24 ####Speaker: Edmund Brumaghin, Threat Researcher; Colin Grady, Research Engineer

Synopsis: Buzzwords are the bane of the infosec community. Whether it’s “cyber” or “APT”, these terms are often used as nothing more than a way to generate clicks or by marketing teams to push more blinky lights to customers. “Fileless malware” is the latest example of this. Attacks leveraging malware that have been dubbed “fileless malware attacks” have been generating significant media coverage recently leading many to wonder what impact these attacks may have on their organizations or whether they are adequately protected against them. In many cases these attacks are not truly fileless and result in various artifacts being written to targeted systems. In this presentation we will provide a brief history of in-memory malware as well as walk through some specific examples of malware that makes use of this approach to infecting systems. We will also cover why most malware is not actually “fileless”, along with specific examples of threats that make use of interesting persistence mechanisms that do not resemble what many have grown accustomed to seeing from malware. ####Reference: https://www.derbycon.com/

###Event: Exploit Kits - What Happens When Kits Disappear @ LeetCon (Hanover, Germany) ####Date: 2017-10-18 - 2017-10-19 ####Speaker: Nick Biasini, Threat Researcher

Synopsis: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum with Rig, Sundown, and others jockeying for position, but none have taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly the kits don’t appear to have evolved much, but looks can be deceiving. Previously unreleased details on several high profile exploit kits will be disclosed. This talk will discuss the state of exploit kits today. There will also be a section related to how exploit kits will evolve in the future and the impacts it may potentially have on the threat landscape overall. ####Reference: https://www.leetcon.de/

###Event: Modern Reconnaissance Phase by APTs @ Ruxcon (Melbourne, Australlia) ####Date: 2017-10-21 - 2017-10-22 ####Speaker: Paul Rascagneres, Threat Researcher; Warren Mercer, Threat Researcher

Synopsis: This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users. ####Reference: https://ruxcon.org.au/

NOTABLE RECENT SECURITY ISSUES

###Title: Microsoft Releases Monthly Set of Security Updates for August 2017 Description: Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 48 new vulnerabilities with 25 of them rated critical, 21 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Remote Desktop Protocol, Sharepoint, SQL Server, the Windows Subsystem for Linux, and more. In addition, Microsoft is also releasing an update for Adobe Flash Player embedded in Edge and Internet Explorer. ####Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary ####Snort SID: 43847-43848, 43851-43852

###Title: Adobe Releases Security Updates for Flash Player, Acrobat/Reader, and more Description: Adobe has released security updates for Flash Player, Acrobat/Reader, Experience Manager, and Digital Editions. This month’s Flash security update is fairly small with two vulnerabilities addressed that could result in remote code execution if exploited. The Adobe Acrobat/Reader update however is fairly significant with 67 different vulnerabilities addressed. Most of these vulnerabilities could be exploited to execute arbitrary code on affected systems. ####Reference: - https://helpx.adobe.com/security/products/flash-player/apsb17-23.html - https://helpx.adobe.com/security/products/acrobat/apsb17-24.html - https://helpx.adobe.com/security/products/experience-manager/apsb17-26.html - https://helpx.adobe.com/security/products/Digital-Editions/apsb17-27.html ####Snort SID: Detection pending

###Title: Android Releases Monthly Security Update August 2017 Description: Android has released its monthly security roll-up to address vulnerabilities that have been identified in the mobile OS. This month’s release sees 10 critical vulnerabilities with all of them affecting Mediaserver. The most severe vulnerability could “enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” 15 other vulnerabilities have a high severity and 15 are deemed moderate severity. AOSP partners have been notified and updates should be forthcoming for various handsets. ####Reference: https://source.android.com/security/bulletin/2017-08-01 ####Snort SID: Detection pending release of vulnerability information

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

WannaCry Hero Arrested, One of Two Charged with Distribution of Kronos Malware
https://threatpost.com/wannacry-hero-arrested-one-of-two-charged-with-distribution-of-kronos-malware/127186/

Senators Introduce Bipartisan Legislation to Improve Cybersecurity of “Internet-of-Things” (IoT) Devices
https://www.warner.senate.gov/public/index.cfm/pressreleases?id=06A5E941-FBC3-4A63-B9B4-523E18DADB36

Modern Alchemy: Turning XSS into RCE in Electron
https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Microsoft to remove WoSign and StartCom certificates in Windows 10
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/

Taking the FIRST look at Crypt0l0cker
http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html?f_l=s

MOST PREVALENT MALWARE FILES 2017-08-01 - 2017-08-08:

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: tempmf582901854.exe
- Claimed Product: (unknown)
- Detection Name: W32.C3E530CC00-95.SBX.TG

- SHA 256: e5a874a0282f2952db3300e9c09d77063cab7b2c408a05321d82994b56cfa0e9
- MD5: b004ff361b22d4dd4734c6acee088356
- VirusTotal: https://www.virustotal.com/file/e5a874a0282f2952db3300e9c09d77063cab7b2c408a05321d82994b56cfa0e9/analysis/#additional-info
- Typical Filename: MailRuUpdater.exe
- Claimed Product: MailRuUpdater
- Detection Name: W32.E5A874A028-95.SBX.TG

- SHA 256: d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137
- MD5: f4be84934734b03d7f11e22b4de7fd0a
- VirusTotal: https://www.virustotal.com/file/d3dbe14033ad25a5e4ffe1e2b559e53ee1d1799eb54eedbd7a689d6a88fd7137/analysis/#additional-info
- Typical Filename: Injector
- Claimed Product: Pirrit
- Detection Name: OSX.MAC:Malwaregen.19hh.1201

- SHA 256: fc8dabab488cd4490879ef3bc33871972450175773debc14e97c07b94404d197
- MD5: be626af5fc81be57e912abd52f3cee57
- VirusTotal: https://www.virustotal.com/file/fc8dabab488cd4490879ef3bc33871972450175773debc14e97c07b94404d197/analysis/#additional-info
- Typical Filename: 404.html
- Claimed Product: N/A
- Detection Name: W32.FC8DABAB48-95.SBX.TG

- SHA 256: 8931083b11b6cfcf641926d56fa5fe05cf3e19a32db1400b05e522114e584739
- MD5: d027dadada2c18a546523243800c8292
- VirusTotal: https://www.virustotal.com/file/8931083b11b6cfcf641926d56fa5fe05cf3e19a32db1400b05e522114e584739/analysis/#additional-info
- Typical Filename: phbkk.exe
- Claimed Product: (none)
- Detection Name: W32.Malware:Asprox.20im.1201

SPAM STATS FOR 2017-08-01 - 2017-08-08

####TOP SPAM SUBJECTS OBSERVED

“Service-PayPal”
“PayPal Notice of Policy Updates”
“PayPal Identity Verification”
“PayPal Verification”
“PayPal Identity Veridication”

####MOST FREQUENTLY USED ASNs FOR SENDING SPAM

8075 Microsoft Corporation
16276 OVH SAS
4760 PCCW Limited
8100 QuadraNet, Inc
60392 Grupo Panaglobal 15 S.A

Vulnerability Information

Reputation Center

Support

Podcasts

Talos Threat Source Newsletters

August 08, 2017

TOP VULNERABILITY THIS WEEK:

UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

MOST PREVALENT MALWARE FILES 2017-08-01 - 2017-08-08:

SPAM STATS FOR 2017-08-01 - 2017-08-08

Recent Newsletters

Newsletter Archives

2019

October (4)

September (4)

August (5)

July (3)

June (4)

May (5)

April (2)

March (4)

February (4)

January (4)

2018

December (3)

November (5)

October (4)

September (4)

August (5)

July (4)

June (4)

May (5)

April (1)

March (3)

February (4)

January (5)

2017

December (3)

November (3)

October (5)

September (4)

August (5)

July (4)

June (4)

May (5)

April (4)

March (4)

February (4)

January (5)

2016

December (3)

November (5)

October (5)

September (3)

August (5)

July (2)

June (4)

May (5)

April (4)

March (6)

February (3)