Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Apple Releases Security Updates for iOS, macOS; Addresses KRACK Vulnerabilities in Various Platforms
###Event: [BRKSEC-2010] Talos Insights: The State of Cyber Security @ Cisco Live Cancun 2017
####Date: 2017-11-08
####Speaker: Craig Williams, Global Outreach Manager
Synopsis: Cisco’s Talos team specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
####Reference: https://www.ciscolive.com/latam/learn/sessions/session-catalog/?search=BRKSEC-2010
###Event: Let’s Play With WinDBG & .NET @ BlackAlps17 (Y-Parc, Yverdon-Les-Bains, Switzerland)
####Date: 2017-11-15 - 2017-11-16
####Speaker: Paul Rascagneres, Research Engineer
Synopsis: .NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDBG, the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDBG and how to automatically unpack a .NET packer family discovered recently. The presentation includes several live demos of WinDBG usage in this specific context.
####Reference: https://www.blackalps.ch/2017talks.php
###Event: Malware, Penny Stocks and Pharma Spam – Necurs Delivers @ BotConf 2017 (Montpellier, France)
####Date: 2017-12-06
####Speaker: Warren Mercer, Technical Leader
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
####Reference: https://www.botconf.eu/2017/malware-penny-stocks-and-pharma-spam-necurs-delivers/
###Title: Apple Releases Security Updates for iOS, macOS; Addresses KRACK Vulnerabilities in Various Platforms
Description: Apple has released security updates for iOS, macOS, tvOS, watchOS, Safari, iTunes, and iCloud for Windows. The update for macOS addresses 148 vulnerabilities while the update for iOS addresses 20 vulnerabilities. Note that the Key Reinstallation Attack (KRACK) vulnerabilities that were previously disclosed were addressed across all applicable platforms in these updates.
####Reference: https://support.apple.com/en-us/HT201222
####Snort SID: Detection pending release of vulnerability information
###Title: Oracle Releases Emergency Out of Band Patch for Oracle Identity Manager
Description: Oracle has released an emergency out-of-band security update for Oracle Identity Manager. This update resolves CVE-2017-10151, a severe vulnerability that could “result in complete compromise of Oracle Identity Manager.” Oracle has advised customers that, due to the nature and severity of the vulnerability, this update should be applied “without delay.”
####Reference: http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html
####Snort SID: Detection pending release of vulnerability information
Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
https://www.n00py.io/2017/10/detecting-crackmapexec-cme-with-bro-sysmon-and-powershell-logs/
Defeating Google’s audio reCaptcha with 85% accuracy
https://github.com/ecthros/uncaptcha
Messing with the Google Buganizer System for $15,600 in Bounties
https://medium.freecodecamp.org/messing-with-the-google-buganizer-system-for-15-600-in-bounties-58f86cc9f9a5
WannaCry ransomware: Hospitals were warned to patch system to protect against cyber-attack - but didn’t
http://www.zdnet.com/article/wannacry-ransomware-hospitals-were-warned-to-patch-system-to-protect-against-cyber-attack-but-didnt/#ftag=RSSbaffb68
Slack SAML authentication bypass
http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html
- SHA 256: 226c8142b93522070386c69f0999a9acc10fd11709303e75a6253ba58423d409
- MD5: 71696430ccefb1446e2a894fde1b7e29
- VirusTotal: https://www.virustotal.com/file/226c8142b93522070386c69f0999a9acc10fd11709303e75a6253ba58423d409/analysis/#additional-info
- Typical Filename: Invoice 492381408 10.31.2017.doc
- Claimed Product: N/A
- Detection Name: W32.226C8142B9-100.SBX.TG
- SHA 256: 81b264cfd5ef6de817d4f1b31e5c887f384ede6eefe7ca628fdcde880a159332
- MD5: f9172ba91024667819c39a829374e1a8
- VirusTotal: https://www.virustotal.com/file/81b264cfd5ef6de817d4f1b31e5c887f384ede6eefe7ca628fdcde880a159332/analysis/#additional-info
- Typical Filename: filename-8.doc
- Claimed Product: N/A
- Detection Name: W32.81B264CFD5-100.SBX.TG
- SHA 256: 7a81c498fa2c4bead2792bfa636d2c32f9f630b92c0aa1cceacfb5403aeb0909
- MD5: b5a4adcd6bfbfe4e2691ac3490a41252
- VirusTotal: https://www.virustotal.com/file/7a81c498fa2c4bead2792bfa636d2c32f9f630b92c0aa1cceacfb5403aeb0909/analysis/#additional-info
- Typical Filename: Invoice 040080054 10.30.2017.doc
- Claimed Product: N/A
- Detection Name: W32.7A81C498FA-100.SBX.TG
- SHA 256: d7d6c97d20d8bb7032dfc62e7b411e4967dc94949d7c9aeda3db5055e4f439e4
- MD5: 82a1abfaec07df57de426d9ecfff07c6
- VirusTotal: https://www.virustotal.com/file/d7d6c97d20d8bb7032dfc62e7b411e4967dc94949d7c9aeda3db5055e4f439e4/analysis/#additional-info
- Typical Filename: Invoice 588385935 10.30.2017.doc
- Claimed Product: N/A
- Detection Name: DOCX.Auto:d7d6c97d20.in05.Talos
- SHA 256: 66c1be89ca96319d92600aefeecade28ecf312682d94846032ad8fa3635a1575
- MD5: f3b0d821b2d34c48b81cd4feceafecb3
- VirusTotal: https://www.virustotal.com/file/66c1be89ca96319d92600aefeecade28ecf312682d94846032ad8fa3635a1575/analysis/#additional-info
- Typical Filename: Invoice 730684908 10.31.2017.doc
- Claimed Product: N/A
- Detection Name: W32.66C1BE89CA-95.SBX.TG
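The hashes above are directly usable for a host sweep. The script below is an added example for this issue, not Talos or Cisco tooling: it copies the SHA-256/MD5 pairs and typical filenames from the list above into a table, streams every file under a directory through both digests, and matches on SHA-256 only (MD5 is reported as corroboration, and the filename is never used as a trigger because the lure name changes per spam wave). Since no file on the page can be reproduced here, the demo function writes its own constructed files to a temporary directory and adds the planted file's digest to a copy of the table so that the scan runs offline.

```python
"""Sweep a directory tree for the Talos-listed hashes above.

Added example for this newsletter, not Talos or Cisco tooling. IOCS is
copied from the list above; everything written to disk by demo() is
constructed here so the scan can run offline.
"""
import hashlib
import os
import tempfile

# SHA-256 -> (MD5, typical filename), as listed in this issue.
IOCS = {
    "226c8142b93522070386c69f0999a9acc10fd11709303e75a6253ba58423d409":
        ("71696430ccefb1446e2a894fde1b7e29", "Invoice 492381408 10.31.2017.doc"),
    "81b264cfd5ef6de817d4f1b31e5c887f384ede6eefe7ca628fdcde880a159332":
        ("f9172ba91024667819c39a829374e1a8", "filename-8.doc"),
    "7a81c498fa2c4bead2792bfa636d2c32f9f630b92c0aa1cceacfb5403aeb0909":
        ("b5a4adcd6bfbfe4e2691ac3490a41252", "Invoice 040080054 10.30.2017.doc"),
    "d7d6c97d20d8bb7032dfc62e7b411e4967dc94949d7c9aeda3db5055e4f439e4":
        ("82a1abfaec07df57de426d9ecfff07c6", "Invoice 588385935 10.30.2017.doc"),
    "66c1be89ca96319d92600aefeecade28ecf312682d94846032ad8fa3635a1575":
        ("f3b0d821b2d34c48b81cd4feceafecb3", "Invoice 730684908 10.31.2017.doc"),
}


def validate_iocs(iocs=IOCS):
    """Sanity-check the table before trusting it in a sweep: every key must be
    64 lowercase hex chars and every MD5 32, so a mis-pasted hash cannot
    silently match nothing."""
    hexchars = set("0123456789abcdef")
    for sha256, (md5, _name) in iocs.items():
        if len(sha256) != 64 or set(sha256) - hexchars:
            return False
        if len(md5) != 32 or set(md5) - hexchars:
            return False
    return True


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256, md5) hex digests, streaming in chunks so large files
    do not need to be read into memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def sweep(root, iocs=IOCS):
    """Walk `root`, hash every regular file and return a list of hits.

    SHA-256 is the only trigger. The MD5 column is compared afterwards as
    corroboration (a mismatch would mean the table is inconsistent), and
    the typical filename is recorded but never matched: the same document
    is renamed from wave to wave, so a filename rule would miss it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
            if sha256 in iocs:
                expected_md5, typical_name = iocs[sha256]
                hits.append({
                    "path": path,
                    "sha256": sha256,
                    "md5_matches": md5 == expected_md5,
                    "typical_filename": typical_name,
                    "renamed": name != typical_name,
                })
    return hits


def demo():
    """Constructed offline run: plant one file under a lure-style name, add
    its real digests to a copy of the table (a file matching the listed
    hashes cannot be fabricated), add one benign file, and sweep."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "filename-8.doc")  # renamed lure
        with open(planted, "wb") as fh:
            fh.write(b"constructed sample document, not real malware")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign file")
        sha256, md5 = hash_file(planted)
        iocs = dict(IOCS)
        iocs[sha256] = (md5, "Invoice 000000000 10.31.2017.doc")  # constructed entry
        return sweep(root, iocs)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Point `sweep()` at a mail-spool or download directory in place of the temporary one; a hit with `md5_matches` False means the table you pasted is internally inconsistent and should be rechecked against the VirusTotal links above before acting on it.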
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM