Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Microsoft Releases Security Updates for October 2017; 63 Vulnerabilities Addressed
### Event: Under the Radar: Strategies to Defeat AI Cyber Detection @ NIAS 17 (Lotto Mons Expo, Belgium)
#### Date: 2017-10-17 - 2017-10-19
#### Speaker: Martin Lee, Technical Lead
Synopsis: The threat environment is in constant flux as defenders adopt improved techniques and attackers adapt their tools, techniques and procedures to counteract these. Sophisticated attackers are already altering their behaviour in order to make their attacks less visible and more likely to blend into the ‘background noise’ of network traffic. From using a genuine government website for command and control traffic, to using software update systems to distribute malicious executables, to ensure that payloads are only delivered to the intended target, threat actors are trying as much as possible to fly under the radar.
#### Reference: http://nias2017.com/
### Event: Exploit Kits - What Happens When Kits Disappear @ LeetCon (Hanover, Germany)
#### Date: 2017-10-18 - 2017-10-19
#### Speaker: Nick Biasini, Threat Researcher
Synopsis: What happens when the biggest players in a market just get up and quit? That’s exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we’re left to pick up the pieces. What’s been created is a vacuum with Rig, Sundown, and others jockeying for position, but none have taken the lead. We’ve observed adversaries changing kits frequently and gates switching from one kit to the next. Just like any other threat, adversaries are going to evolve and change. Oddly the kits don’t appear to have evolved much, but looks can be deceiving. Previously unreleased details on several high profile exploit kits will be disclosed. This talk will discuss the state of exploit kits today. There will also be a section related to how exploit kits will evolve in the future and the impacts it may potentially have on the threat landscape overall.
#### Reference: https://www.leetcon.de/
### Event: Talos Fall Threat Briefing (Free Webinar)
#### Date: 2017-10-19 13:00 EDT (10:00 PDT)
#### Speaker: Vanja Svajcer, Talos Technical Leader
Synopsis: The threat landscape constantly evolves and changes. Keeping up with what’s new and what’s evolved can be a challenge. Join us for this free webinar to hear about the latest innovations in threat intelligence from Talos Threat Researchers. After the presentation, the floor will be opened up for a live Q&A based on questions asked by our audience.
#### Reference: https://security-mktg.cisco.com/CiscoSecurityWebinarSeries/Cisco?webinar=wbrsc002274
### Event: Modern Reconnaissance Phase by APTs @ Ruxcon (Melbourne, Australia)
#### Date: 2017-10-21 - 2017-10-22
#### Speaker: Paul Rascagneres, Threat Researcher; Warren Mercer, Threat Researcher
Synopsis: This presentation will show how APT actors are evolving and how the reconnaissance phase is changing to protect their valuable 0-day exploit or malware frameworks. This talk will mainly focus on the usage of Office documents and watering hole attacks designed to establish if the target is the intended one (we will mention campaigns against political or military organizations). The techniques and the obfuscation put in place by these actors will be described in detail (techniques based on Macro, JavaScript, PowerShell, Flash or Python). At the end of the presentation, we will show different mitigations to help attendees protect their users.
#### Reference: https://ruxcon.org.au/
### Title: Microsoft Releases Security Updates for October 2017; 63 Vulnerabilities Addressed
Description: Microsoft has released its monthly security updates for supported products. This month’s set of security updates addresses 63 vulnerabilities, with 28 rated “critical” and 35 rated “important.” These updates address vulnerabilities in Edge, Internet Explorer, Office, SharePoint, Windows Graphic Display Interface, Windows Kernel Mode Drivers, and more.
#### Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
#### Snort SID: 44333-44334, 44508-44519, 44526-44529, 44532-44533
### Title: Apple Releases Out of Band Supplemental Update for macOS High Sierra
Description: Apple has released an emergency out-of-band supplemental update for macOS High Sierra following the general availability of the operating system. This release addresses the two major vulnerabilities that had been widely reported in the way encrypted volume password hints were stored and how passwords could be extracted from the keychain.
#### Reference: https://support.apple.com/en-us/HT208165
#### Snort SID: Detection pending release and analysis of vulnerability information
### Title: Android Releases Its Monthly Security Updates for October 2017
Description: Android has released its monthly set of security advisories addressing 14 vulnerabilities across both the 2017-10-01 and 2017-10-05 patch levels. The most severe vulnerabilities in the 2017-10-01 patch level are in Mediaserver and could “enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” The most severe vulnerabilities in the 2017-10-05 patch level are in Qualcomm components and “could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”
#### Reference: https://source.android.com/security/bulletin/2017-10-01
#### Snort SID: Detection pending release of vulnerability information
A Bug Has No Name: Multiple Heap Buffer Overflows In the Windows DNS Client
https://www.bishopfox.com/blog/2017/10/a-bug-has-no-name-multiple-heap-buffer-overflows-in-the-windows-dns-client/
Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
https://googleprojectzero.blogspot.com/2017/10/using-binary-diffing-to-discover.html
Beware of sketchy iOS popups that want your Apple ID
https://arstechnica.com/information-technology/2017/10/beware-of-sketchy-ios-popups-that-want-your-apple-id/
Bypassing Intel Boot Guard
https://embedi.com/blog/bypassing-intel-boot-guard
The Absurdly Underestimated Dangers of CSV Injection
http://georgemauer.net/2017/10/07/csv-injection.html
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: 7b4adcc734ea6297bad6f57abc18e063631ed5f9c01005cb720da6c02ae5ed53
- MD5: 8ca81bfa399e4eada60c5d3fdb425b33
- VirusTotal: https://www.virustotal.com/file/7b4adcc734ea6297bad6f57abc18e063631ed5f9c01005cb720da6c02ae5ed53/analysis/#additional-info
- Typical Filename: davclnt.dll
- Claimed Product: Microsoft® Windows® Operating System Wab DAV Client DLL
- Detection Name: W32.Variant:Gen.20lh.1201
- SHA 256: a56a2e5f4040ece0d6d966ea88ec3423f3a6a5b83dd567dbd93068fe66f87a80
- MD5: b9d6f35def92aa7bdd32a91fc2120064
- VirusTotal: https://www.virustotal.com/file/a56a2e5f4040ece0d6d966ea88ec3423f3a6a5b83dd567dbd93068fe66f87a80/analysis/#additional-info
- Typical Filename: paypal156754563-4577.doc
- Claimed Product: N/A
- Detection Name: W32.A56A2E5F40-100.SBX.TG
- SHA 256: 87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f
- MD5: 515ea84f7ca8f59f7bb4fb5714913a72
- VirusTotal: https://www.virustotal.com/file/87afd627b678da78d879dfe11c147b10f5db6e07cd16e5728ca33579e73bf89f/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.87AFD627B6-95.SBX.TG
- SHA 256: 36e16ccf64472ba4c01a388dfdd67a59915388b268655a9dadfd1d533849f7b6
- MD5: a5652657138b0a8340165fcf06fe0bed
- VirusTotal: https://www.virustotal.com/file/36e16ccf64472ba4c01a388dfdd67a59915388b268655a9dadfd1d533849f7b6/analysis/#additional-info
- Typical Filename: lsmosee.exe
- Claimed Product: (unknown)
- Detection Name: W32.36E16CCF64-95.SBX.TG
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM