Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Two Zero-Day Vulnerabilities In Foxit Reader and PhantomPDF Disclosed; Foxit Developing Patches
### Event: Fileless Malware - The New “Cyber” @ DerbyCon 7.0 (Louisville, KY)
#### Date: 2017-09-20 - 2017-09-24
#### Speaker: Edmund Brumaghin, Threat Researcher; Colin Grady, Research Engineer
Synopsis: Buzzwords are the bane of the infosec community. Whether it’s “cyber” or “APT”, these terms are often used as nothing more than a way to generate clicks or by marketing teams to push more blinky lights to customers. “Fileless malware” is the latest example of this. Attacks leveraging malware that has been dubbed “fileless” have been generating significant media coverage recently, leading many to wonder what impact these attacks may have on their organizations or whether they are adequately protected against them. In many cases these attacks are not truly fileless and result in various artifacts being written to targeted systems. In this presentation we will provide a brief history of in-memory malware as well as walk through some specific examples of malware that makes use of this approach to infecting systems. We will also cover why most malware is not actually “fileless”, along with specific examples of threats that make use of interesting persistence mechanisms that do not resemble what many have grown accustomed to seeing from malware.
#### Reference: https://www.derbycon.com/
### Event: Exploit Kits - What Happens When Kits Disappear @ LeetCon (Hanover, Germany)
#### Date: 2017-10-18 - 2017-10-19
#### Speaker: Nick Biasini, Threat Researcher
Synopsis: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum with Rig, Sundown, and others jockeying for position, but none have taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly, the kits don’t appear to have evolved much, but looks can be deceiving. Previously unreleased details on several high-profile exploit kits will be disclosed. This talk will discuss the state of exploit kits today. There will also be a section on how exploit kits will evolve in the future and the impact this may have on the threat landscape overall.
#### Reference: https://www.leetcon.de/
### Event: Modern Reconnaissance Phase by APTs @ Ruxcon (Melbourne, Australia)
#### Date: 2017-10-21 - 2017-10-22
#### Speaker: Paul Rascagneres, Threat Researcher; Warren Mercer, Threat Researcher
Synopsis: This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.
#### Reference: https://ruxcon.org.au/
### Title: Two Zero-Day Vulnerabilities In Foxit Reader and PhantomPDF Disclosed; Foxit Developing Patches
Description: The Zero Day Initiative has disclosed a pair of vulnerabilities in Foxit Reader and PhantomPDF that could be used to execute arbitrary code on vulnerable systems. These flaws, identified as CVE-2017-10951 and CVE-2017-10952, manifest due to insufficient validation of user-supplied data, resulting in command injection and file write conditions respectively. Foxit has acknowledged these vulnerabilities and has indicated that they are developing patches for both flaws, despite initially disregarding them due to miscommunication.
#### Reference: https://www.thezdi.com/blog/2017/8/17/busting-myths-in-foxit-reader
#### Snort SID: Detection pending
### Title: Drupal Releases Maintenance Update, Fixes 3 Vulnerabilities
Description: Drupal has released a maintenance update containing fixes for three access bypass vulnerabilities. Two of the vulnerabilities (CVE-2017-6923, CVE-2017-6924) are “moderately critical” and affect Views and the REST API. The remaining vulnerability (CVE-2017-6925) is “critical” and affects the entity access system which “could allow unwanted access to view, create, update, or delete entities.” The three vulnerabilities are addressed in Drupal 8.3.7.
#### Reference: https://www.drupal.org/SA-CORE-2017-004
#### Snort SID: Detection pending release of vulnerability information
### Title: Cisco Releases Security Advisory for Application Policy Infrastructure Controller (APIC)
Description: Cisco has released a security advisory for its Application Policy Infrastructure Controller (APIC) to address CVE-2017-6767. CVE-2017-6767 is a privilege escalation vulnerability which manifests as a limitation in how the Role-Based Access Control (RBAC) “grants privileges to remotely authenticated users when login occurs via SSH directly to the local management interface.” As a result, a remote, authenticated attacker could elevate their privileges to that of the user who last logged in. Note that the attacker cannot obtain root privileges. Cisco has released a software update that addresses this vulnerability.
#### Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170816-apic1
Hacker Publishes iOS Secure Enclave Firmware Decryption Key
https://threatpost.com/hacker-publishes-ios-secure-enclave-firmware-decryption-key/127524/
Solving a Danish Defense Intelligence Puzzle
https://safiire.github.io/blog/2017/08/19/solving-danish-defense-intelligence-puzzle/
Login bypass in Ubiquiti airMAX/airOS before 8.0.2, 7.2.5, 6.0.2, 5.6.15 if airControl web-UI was used (Patched 2017-03-28)
http://www.nicksherlock.com/2017/08/login-bypass-in-ubiquiti-airmax-airos-if-aircontrol-web-ui-was-used/
How I Accidentally Framed Myself for a Hacking Frenzy
http://blog.portswigger.net/2017/08/how-i-accidentally-framed-myself-for.html
Booters with Chinese Characteristics: The Rise of Chinese Online DDoS Platforms
http://blog.talosintelligence.com/2017/08/chinese-online-ddos-platforms.html?f_l=s
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product:
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: 87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f
- MD5: 515ea84f7ca8f59f7bb4fb5714913a72
- VirusTotal: https://www.virustotal.com/file/87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.87AFD627B6-95.SBX.TG
- SHA 256: f13e2c5ae7e3f949a575856fb0b5d285eae746c7b77cf6272a6e11e99fcec9e6
- MD5: 63cbfc8979b6a615ff49b2b32054ac29
- VirusTotal: https://www.virustotal.com/file/f13e2c5ae7e3f949a575856fb0b5d285eae746c7b77cf6272a6e11e99fcec9e6/analysis/#additional-info
- Typical Filename: Invoice 6848.doc
- Claimed Product: N/A
- Detection Name: W32.F13E2C5AE7-100.SBX.TG
- SHA 256: 275349b37867e433784b0df2dc97622ea23009ce0ca90e1313db94029fa620ad
- MD5: 2416f49b0e091c3076c9453b98dde8e0
- VirusTotal: https://www.virustotal.com/file/275349b37867e433784b0df2dc97622ea23009ce0ca90e1313db94029fa620ad/analysis/#additional-info
- Typical Filename: 7oslD.wsf
- Claimed Product: (unknown)
- Detection Name: Banker:EPACK-tpd
- SHA 256: b286cc38f2db6b5576974a552a341a2498dbaadb47b956956f6c437ac95f35a6
- MD5: 2e5c090a41c23b7a28ac4b39b29f4e3b
- VirusTotal: https://www.virustotal.com/file/b286cc38f2db6b5576974a552a341a2498dbaadb47b956956f6c437ac95f35a6/analysis/#additional-info
- Typical Filename: 9915224735260.doc
- Claimed Product: N/A
- Detection Name: W32.B286CC38F2-95.SBX.TG
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM