Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Microsoft Released Security Updates for November 2017
###Event: Malware, Penny Stocks and Pharma Spam – Necurs Delivers @ BotConf 2017 (Montpellier, France)
####Date: 2017-12-06
####Speaker: Warren Mercer, Technical Leader
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate in the distribution of malware downloaders. This talk will take a deep dive into the botnet itself and the ways in which C2 is handled, including analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we've observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
####Reference: https://www.botconf.eu/2017/malware-penny-stocks-and-pharma-spam-necurs-delivers/
###Title: Microsoft Released Security Updates for November 2017
Description: Microsoft has released its monthly set of security updates to address vulnerabilities identified in Windows, Office, and other supported software. This month's release addresses 53 new vulnerabilities: 19 rated critical, 31 rated important and 3 rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, the Microsoft Scripting Engine, and more.
####Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/summary
####Snort SID: 44809-44834, 44838-44839, 44843-44846
###Title: Adobe Releases Security Updates for Flash Player, Reader, and more
Description: Adobe has released security updates for Flash Player, Shockwave Player, Acrobat, Reader, Photoshop, and more. This month's Flash Player update addresses five critical vulnerabilities that could be exploited by an attacker to achieve remote code execution. The Acrobat and Reader security update addresses 62 vulnerabilities, the vast majority of them critical arbitrary code execution vulnerabilities.
####Reference: https://helpx.adobe.com/security.html
####Snort SID: 43120-43121; Detection pending for other vulnerabilities
Guidance on Mitigating Microsoft Office DDE Attacks
https://technet.microsoft.com/en-us/library/security/4053440
A penetration tester’s guide to sub-domain enumeration
https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
2017 ACM Conference on Computer and Communications Security - Accepted Papers
https://acmccs.github.io/papers/
Apple iPhone X Face ID Fooled by a Mask
https://threatpost.com/apple-iphone-x-face-id-fooled-by-a-mask/128865/
AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
- SHA 256: 323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4
- MD5: bea381c0fbd24f1503018b3b9089e358
- VirusTotal: https://www.virustotal.com/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/#additional-info
- Typical Filename: InvoiceED3539939.doc
- Claimed Product: N/A
- Detection Name: W32.323CB1D2F3-95.SBX.TG
- SHA 256: 6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd
- MD5: 71aad93dfbd1c4b2854a697405675c51
- VirusTotal: https://www.virustotal.com/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/analysis/#additional-info
- Typical Filename: InvoiceMP8820239.doc
- Claimed Product: N/A
- Detection Name: W32.6B7B11077B-95.SBX.TG
- SHA 256: 8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab
- MD5: 628272a0cc32eb514dc58572d761684a
- VirusTotal: https://www.virustotal.com/file/8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab/analysis/#additional-info
- Typical Filename: InvoiceMC4260854.doc
- Claimed Product: N/A
- Detection Name: W32.8D9C2DD4E7-95.SBX.TG
- SHA 256: 131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07
- MD5: 9c7fc4c27fd3eb3dfe96db99bcabb00f
- VirusTotal: https://www.virustotal.com/file/131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07/analysis/#additional-info
- Typical Filename: InvoiceYS6763243.doc
- Claimed Product: N/A
- Detection Name: W32.131D8AD5CB-95.SBX.TG
- SHA 256: 23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58
- MD5: c2e98913d325dbd42dc56c5bef0601e0
- VirusTotal: https://www.virustotal.com/file/23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58/analysis/#additional-info
- Typical Filename: c2e98913d325dbd42dc56c5bef0601e0.doc
- Claimed Product: N/A
- Detection Name: W32.23D5DBFAAF-95.SBX.TG
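The five entries above are the kind of list a responder pastes into a sweep. The script below is an added example for this issue, not Talos code: it parses the entries in the bullet format used here (validating that each hash is well-formed hex, since a mistyped hash would silently never match), hashes every file under a directory in a streaming fashion, and reports matches. SHA256 is treated as the authoritative match; an MD5-only hit is flagged for review rather than confirmed, because MD5 is collision-prone and is only useful for cross-referencing older tooling. The `Invoice<two letters><seven digits>.doc` filename check is derived from four of the five lure names above and is a weak secondary indicator only, since attackers randomize names freely. The IOC text is copied from this issue; the files scanned in `demo()` are constructed so the script runs offline, and the constructed sample's hashes appear nowhere in the issue.

```python
# Added example for this issue (not Talos code): parse the IOC entries listed above and sweep
# a directory for files whose hashes match. IOC_TEXT is copied from the five entries above
# (VirusTotal, Claimed Product and Detection Name lines omitted); demo() constructs its own files.
import hashlib
import os
import re
import tempfile
from collections import namedtuple
from typing import Dict, List, Tuple
IOC_TEXT = """
- SHA 256: 323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4
- MD5: bea381c0fbd24f1503018b3b9089e358
- Typical Filename: InvoiceED3539939.doc
- SHA 256: 6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd
- MD5: 71aad93dfbd1c4b2854a697405675c51
- Typical Filename: InvoiceMP8820239.doc
- SHA 256: 8d9c2dd4e7941453d61b490144ad1875e935b88a00231b885c839c43346aa5ab
- MD5: 628272a0cc32eb514dc58572d761684a
- Typical Filename: InvoiceMC4260854.doc
- SHA 256: 131d8ad5cbddb8edd6800788d138eda1ace570c1a0c97afd71cc7f03c1bb2d07
- MD5: 9c7fc4c27fd3eb3dfe96db99bcabb00f
- Typical Filename: InvoiceYS6763243.doc
- SHA 256: 23d5dbfaaf5258aaac2ccc4159027885cf6f48b692d0b3617610858c21cc7f58
- MD5: c2e98913d325dbd42dc56c5bef0601e0
- Typical Filename: c2e98913d325dbd42dc56c5bef0601e0.doc
"""
Ioc = namedtuple("Ioc", "sha256 md5 filename")
FIELD_RE = re.compile(r"^-\s*(SHA 256|MD5|VirusTotal|Typical Filename|Claimed Product|Detection Name):\s*(\S.*)$")
# Four of the five lure names follow Invoice<2 letters><7 digits>.doc: a weak, secondary indicator only.
LURE_NAME_RE = re.compile(r"^Invoice[A-Z]{2}\d{7}\.doc$", re.IGNORECASE)

def _finish(fields: Dict[str, str]) -> Ioc:
    # A mistyped hash would silently never match, so validate instead of trusting the text.
    sha, md5 = fields["SHA 256"].lower(), fields.get("MD5", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha):
        raise ValueError(f"malformed SHA256: {sha!r}")
    if md5 and not re.fullmatch(r"[0-9a-f]{32}", md5):
        raise ValueError(f"malformed MD5: {md5!r}")
    return Ioc(sha, md5, fields.get("Typical Filename", ""))

def parse_iocs(text: str) -> List[Ioc]:
    """Each 'SHA 256' bullet starts a new record; the bullets that follow attach to it."""
    records: List[Ioc] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SHA 256" and cur:
            records.append(_finish(cur))
            cur = {}
        cur[key] = value
    if cur:
        records.append(_finish(cur))
    return records

def looks_like_lure(filename: str) -> bool:
    return LURE_NAME_RE.match(os.path.basename(filename)) is not None

def hash_file(path: str) -> Tuple[str, str]:
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream; attachments can be large
            for h in (sha, md5):
                h.update(chunk)
    return sha.hexdigest(), md5.hexdigest()

def scan_directory(root: str, iocs: List[Ioc]) -> List[Tuple[str, Ioc, str]]:
    """Return (path, ioc, reason). SHA256 is authoritative; an MD5-only hit is flagged for review."""
    by_sha = {i.sha256: i for i in iocs}
    by_md5 = {i.md5: i for i in iocs if i.md5}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            sha, md5 = hash_file(path)
            if sha in by_sha:
                hits.append((path, by_sha[sha], "sha256"))
            elif md5 in by_md5:
                hits.append((path, by_md5[md5], "md5-only"))
    return hits

def demo() -> List[Tuple[str, Ioc, str]]:
    iocs = parse_iocs(IOC_TEXT)
    # Constructed sample, not one of the published files: its hashes are appended as an extra
    # IOC so the offline scan yields one hit; the second file is benign and must not match.
    sample = b"%CONSTRUCTED% fake lure document used only for this demo\n"
    iocs.append(Ioc(hashlib.sha256(sample).hexdigest(), hashlib.md5(sample).hexdigest(), "InvoiceXX0000000.doc"))
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "InvoiceXX0000000.doc"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"benign content, no match expected\n")
        return scan_directory(root, iocs)

if __name__ == "__main__":
    for path, ioc, reason in demo():
        print(f"{reason:8} {ioc.filename:40} {os.path.basename(path)}")
```

To use it against a real mailbox export or quarantine directory, call `scan_directory(path, parse_iocs(IOC_TEXT))` instead of `demo()`. Treat any `md5-only` result as a lead to pull the file and re-hash, not as a confirmed detection, and treat `looks_like_lure()` as a triage hint for mail-gateway logs rather than a blocking rule.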
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM