Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Apple Releases Security Updates for iOS, macOS; Addresses KRACK Vulnerabilities in Various Platforms
Synopsis: Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Synopsis: .NET is an increasingly important component of the Microsoft ecosystem, providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDBG, the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDBG and how to automatically unpack a .NET packer family discovered recently. The presentation includes several live demos of WinDBG usage in this specific context.
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. This talk will take a deep dive into the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we’ve observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
Description: Apple has released security updates for iOS, macOS, tvOS, watchOS, Safari, iTunes, and iCloud for Windows. The update for macOS addresses 148 vulnerabilities, while the update for iOS addresses 20 vulnerabilities. Note that the Key Reinstallation Attack (KRACK) vulnerabilities that were previously disclosed were addressed across all applicable platforms in these updates.
Description: Oracle has released an emergency out-of-band security update for Oracle Identity Manager. This update resolves CVE-2017-10151, a severe vulnerability that could "result in complete compromise of Oracle Identity Manager." Oracle has advised customers that, due to the nature and severity of the vulnerability, this update should be applied "without delay."
Detecting CrackMapExec (CME) with Bro, Sysmon, and Powershell logs
Defeating Google's audio reCaptcha with 85% accuracy
Messing with the Google Buganizer System for $15,600 in Bounties
WannaCry ransomware: Hospitals were warned to patch system to protect against cyber-attack - but didn't
Slack SAML authentication bypass