Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
New Ransomware Variant "BadRabbit" Targets Systems in Ukraine and Russia
Synopsis: Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Synopsis: .NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDBG, the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDBG and how to automatically unpack a .NET packer family discovered recently. The presentation includes several live demos of WinDBG usage in this specific context.
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. This talk will take a deep dive into the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
Description: A new ransomware variant has emerged, primarily targeting audiences in Ukraine and Russia. This latest variant, dubbed "BadRabbit", appears to be initially delivered via a drive-by download attack designed to appear as a "Flash Player" update. Once systems are compromised, the malware appears to move laterally and propagate using a combination of an included list of weak credentials and a version of mimikatz, similar to what was used in NotPetya/Petrwrap/Nyetya. As this threat is still under investigation, details will be forthcoming.
Description: Researchers have disclosed a vulnerability in the ANSI X9.31 Random Number Generator (RNG) that could allow an attacker to passively decrypt traffic that is encrypted using keys generated by X9.31 RNG. This vulnerability manifests if ANSI X9.31 RNG is used in conjunction with a hard-coded seed key, "output from the RNG is directly used to generate cryptographic keys", and some of the random numbers used to make the keys are transmitted unencrypted. Fortinet devices running FortiOS 4.3.0 to FortiOS 4.3.18 are known to be susceptible to this attack. Fortinet has released a software update to address the issue.
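The three conditions listed above (hard-coded seed key, RNG output used directly as key material, some output sent in the clear) are exactly what makes the X9.31 construction fall apart. The following Go program is an added illustration, not code from Talos, Fortinet or the researchers: it implements a minimal X9.31 generator with AES-128 as the block function, then shows that an observer who holds the seed key K and sees one output block (a nonce sent unencrypted) can recompute the internal state and the next output block, and that seeding K from the OS CSPRNG per device instance removes that ability. The key, seed vector and timestamp blocks are constructed values; the observer is assumed to know the timestamp blocks, which in practice fall in a narrow window around the capture time.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed seed key standing in for one baked into firmware.
// (Assumed demo value; not taken from any real product.)
var hardcodedKey = []byte("hardcoded-key-16")

// x931 is a minimal ANSI X9.31 generator with AES-128 as the block cipher.
type x931 struct {
	blk cipher.Block
	v   [16]byte // internal state, advanced after every output block
}

func newX931(key []byte, seedV [16]byte) (*x931, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &x931{blk: blk, v: seedV}, nil
}

func xor16(a, b [16]byte) (out [16]byte) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// next runs one X9.31 step with timestamp block t:
//   I = E_K(t);  R = E_K(I ^ V);  V <- E_K(R ^ I)
func (g *x931) next(t [16]byte) (r [16]byte) {
	var i, tmp [16]byte
	g.blk.Encrypt(i[:], t[:])
	tmp = xor16(i, g.v)
	g.blk.Encrypt(r[:], tmp[:])
	tmp = xor16(r, i)
	g.blk.Encrypt(g.v[:], tmp[:])
	return r
}

// predictNext is the observer's view: with K known, one output block r and the
// timestamp blocks t (for r) and tNext, the new state V' = E_K(r ^ I) is
// computable, and so is the following output R' = E_K(I' ^ V').
func predictNext(key []byte, r, t, tNext [16]byte) ([16]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return [16]byte{}, err
	}
	var i, iNext, vNext, out, tmp [16]byte
	blk.Encrypt(i[:], t[:])
	tmp = xor16(r, i)
	blk.Encrypt(vNext[:], tmp[:])
	blk.Encrypt(iNext[:], tNext[:])
	tmp = xor16(iNext, vNext)
	blk.Encrypt(out[:], tmp[:])
	return out, nil
}

// runScenario has a device emit a nonce (sent in clear) and then a session
// key (never sent) from one generator, and reports whether an observer who
// assumes the hard-coded seed key predicts the session key. With
// perInstanceKey the device instead seeds K from the OS CSPRNG.
func runScenario(perInstanceKey bool) (bool, error) {
	key := hardcodedKey
	if perInstanceKey {
		key = make([]byte, 16)
		if _, err := rand.Read(key); err != nil {
			return false, err
		}
	}
	var seedV [16]byte // the observer never learns this; it does not matter
	if _, err := rand.Read(seedV[:]); err != nil {
		return false, err
	}
	gen, err := newX931(key, seedV)
	if err != nil {
		return false, err
	}
	t1 := [16]byte{0x01} // constructed timestamp blocks
	t2 := [16]byte{0x02}
	nonce := gen.next(t1)      // transmitted unencrypted
	sessionKey := gen.next(t2) // used directly as key material
	guess, err := predictNext(hardcodedKey, nonce, t1, t2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(guess[:], sessionKey[:]), nil
}

func main() {
	fixed, _ := runScenario(false)
	fresh, _ := runScenario(true)
	fmt.Printf("hard-coded seed key: session key predicted = %v\n", fixed)
	fmt.Printf("per-instance seed key: session key predicted = %v\n", fresh)
}
```

The secret seed vector V gives no protection once K is known, because V is overwritten by a value derived from the observed output; that is why the fix is a per-instance, properly secret seed key (or abandoning X9.31 for a modern DRBG), not a larger or better-hidden V.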
Canada's Communications Security Establishment Releases "Assemblyline", a malware detection and analysis tool
Let’s Enhance! How we found @rogerkver’s $1,000 wallet obfuscated private key
"Cyber Conflict" Decoy Document Used In Real Cyber Conflict
Dell Lost Control of Key Customer Support Domain for a Month in 2017
Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware