Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Microsoft Releases Monthly Security Updates for September 2017
###Event: Fileless Malware - The New “Cyber” @ DerbyCon 7.0 (Louisville, KY)
####Date: 2017-09-20 - 2017-09-24
####Speaker: Edmund Brumaghin, Threat Researcher; Colin Grady, Research Engineer
Synopsis: Buzzwords are the bane of the infosec community. Whether it’s “cyber” or “APT”, these terms are often used as nothing more than a way to generate clicks or by marketing teams to push more blinky lights to customers. “Fileless malware” is the latest example of this. Attacks leveraging malware that have been dubbed “fileless malware attacks” have been generating significant media coverage recently, leading many to wonder what impact these attacks may have on their organizations or whether they are adequately protected against them. In many cases these attacks are not truly fileless and result in various artifacts being written to targeted systems. In this presentation we will provide a brief history of in-memory malware as well as walk through some specific examples of malware that makes use of this approach to infecting systems. We will also cover why most malware is not actually “fileless”, along with specific examples of threats that make use of interesting persistence mechanisms that do not resemble what many have grown accustomed to seeing from malware.
####Reference: https://www.derbycon.com/
###Event: Under the Radar: Strategies to Defeat AI Cyber Detection @ NIAS 17 (Lotto Mons Expo, Belgium)
####Date: 2017-10-17 - 2017-10-19
####Speaker: Martin Lee, Technical Lead
Synopsis: The threat environment is in constant flux as defenders adopt improved techniques and attackers adapt their tools, techniques and procedures to counteract these. Sophisticated attackers are already altering their behaviour in order to make their attacks less visible and more likely to blend into the ‘background noise’ of network traffic. From using a genuine government website for command and control traffic, to using software update systems to distribute malicious executables, to ensuring that payloads are only delivered to the intended target, threat actors are trying as much as possible to fly under the radar.
####Reference: http://nias2017.com/
###Event: Exploit Kits - What Happens When Kits Disappear @ LeetCon (Hanover, Germany)
####Date: 2017-10-18 - 2017-10-19
####Speaker: Nick Biasini, Threat Researcher
Synopsis: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum with Rig, Sundown, and others jockeying for position, but none have taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly, the kits don’t appear to have evolved much, but looks can be deceiving. Previously unreleased details on several high profile exploit kits will be disclosed. This talk will discuss the state of exploit kits today. There will also be a section on how exploit kits will evolve in the future and the impact this may have on the threat landscape overall.
####Reference: https://www.leetcon.de/
###Event: Talos Fall Threat Briefing (Free Webinar)
####Date: 2017-10-19 13:00 EDT (10:00 PDT)
####Speaker: Vanja Svajcer, Talos Technical Leader
Synopsis: The threat landscape constantly evolves and changes. Keeping up with what’s new and what’s evolved can be a challenge. Join us for this free webinar to hear about the latest innovations in threat intelligence from Talos Threat Researchers. After the presentation, the floor will be opened up for a live Q&A based on questions asked by our audience.
####Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Cisco?webinar=wbrsc002274
###Event: Modern Reconnaissance Phase by APTs @ Ruxcon (Melbourne, Australia)
####Date: 2017-10-21 - 2017-10-22
####Speaker: Paul Rascagneres, Threat Researcher; Warren Mercer, Threat Researcher
Synopsis: This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploits or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish whether the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macros, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.
####Reference: https://ruxcon.org.au/
###Title: Microsoft Releases Monthly Security Updates for September 2017
Description: Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 81 new vulnerabilities, with 27 of them rated critical, 52 rated important, and 2 rated moderate. These vulnerabilities impact Edge, Hyper-V, Internet Explorer, Office, Remote Desktop Protocol, SharePoint, the Windows Graphics Device Interface (GDI), Windows Kernel Mode Drivers, and more. Note that the Bluetooth vulnerability known as “BlueBorne” that affected Windows has been patched in this release. For more information, please refer to CVE-2017-8628.
####Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
####Snort SID: 42285-42286, 42311-42312, 42749-42750, 44331-44336, 44338-44343, 44349-44350, 44353-44357
###Title: Adobe Releases Security Updates for Flash Player, ColdFusion, and RoboHelp
Description: Adobe has released security bulletins for Flash Player, ColdFusion, and RoboHelp addressing a total of eight vulnerabilities. The Flash Player bulletin addresses two memory corruption vulnerabilities, while the ColdFusion bulletin addresses four vulnerabilities. Two of the ColdFusion flaws are information disclosure bugs, while the other two are remote code execution bugs that manifest due to deserialization of untrusted data. The two RoboHelp bugs fixed consist of a DOM-based XSS bug and an open redirect flaw.
####Reference:
- https://helpx.adobe.com/security/products/flash-player/apsb17-28.html
- https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
- https://helpx.adobe.com/security/products/robohelp/apsb17-25.html
####Snort SID: Detection pending
###Title: Researchers Disclose Bluetooth Vulnerabilities Affecting Billions of Devices
Description: Researchers have disclosed several major vulnerabilities in the implementation of Bluetooth stacks across various device platforms. In total, 8 vulnerabilities were disclosed, which the researchers have dubbed “BlueBorne.” The severity of these vulnerabilities ranges from information leaks in Linux to full remote code execution on Apple devices. Patches for each of these vulnerabilities have been developed and have either already been released or are being released for each of the affected platforms.
####Reference: http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf
Vulnerability Spotlight: TALOS-2017-0430/0431: Multiple Vulnerabilities in FreeXL Library
http://blog.talosintelligence.com/2017/09/vulnerability-spotlight-talos-2017.html
Equifax Hack Exposes Regulatory Gaps, Leaving Consumers Vulnerable
https://www.nytimes.com/2017/09/08/business/equifax.html
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
Introduction to Windows Kernel Driver Exploitation (Pt. 2) - Stack Buffer Overflow to System Shell
https://glennmcgui.re/introduction-to-windows-kernel-driver-exploitation-pt-2/
Reverse Engineering & Exploitation of a “Connected Alarm Clock”
https://courk.fr/index.php/2017/09/10/reverse-engineering-exploitation-connected-clock/
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product: (unknown)
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: 87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f
- MD5: 515ea84f7ca8f59f7bb4fb5714913a72
- VirusTotal: https://www.virustotal.com/file/87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.87AFD627B6-95.SBX.TG
- SHA 256: b0178e88e65560e99e07ecb9b70776f45a6ef825b3c0d866c45d0f2035b10295
- MD5: 42a6f4d8decbc73fba6c41c730ee2bb2
- VirusTotal: https://www.virustotal.com/file/b0178e88e65560e99e07ecb9b70776f45a6ef825b3c0d866c45d0f2035b10295/analysis/#additional-info
- Typical Filename: MKCleanService
- Claimed Product: MacKeeper
- Detection Name: OSX.Variant.20jv.1201
- SHA 256: 776cb4ad45dbf96d532a8bb142bc0d5446fd63994f039bcf22263a9e32c70958
- MD5: 43cebda7f432f89b5ca6e9bd1c1a93b6
- VirusTotal: https://www.virustotal.com/file/776cb4ad45dbf96d532a8bb142bc0d5446fd63994f039bcf22263a9e32c70958/analysis/#additional-info
- Typical Filename: radio-int.gif
- Claimed Product: N/A
- Detection Name: Auto.776CB4AD45.in04.Talos
- SHA 256: dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b
- MD5: 0c694193ceac8bfb016491ffb534eb7c
- VirusTotal: https://www.virustotal.com/file/dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b/analysis/#additional-info
- Typical Filename: mssecsvc.exe
- Claimed Product: (none)
- Detection Name: W32.Ransom:TrojanRansom.20kg.1201
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM