Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Major macOS Bug Identified That Allows Root Access Without a Password
###Event: Malware, Penny Stocks and Pharma Spam – Necurs Delivers @ BotConf 2017 (Montpellier, France)
####Date: 2017-12-06
####Speaker: Warren Mercer, Technical Leader
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate in the distribution of malware downloaders. This talk will take a deep dive into the botnet itself and the ways in which C2 is handled, including analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we've observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
####Reference: https://www.botconf.eu/2017/malware-penny-stocks-and-pharma-spam-necurs-delivers/
###Event: Talos - Cisco’s Key Into Understanding the Evolving Threat Landscape @ Cisco Connect (King of Prussia, PA)
####Date: 2017-12-12
####Speaker: Alex Chiu, Threat Researcher
Synopsis: People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers continuously evolve their techniques. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats Talos has observed over the past quarter and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
####Reference: https://engage2demand.cisco.com/CiscoConnectUS
###Title: Major macOS Bug Identified That Allows Root Access Without a Password
Description: A major bug has been identified in macOS that allows a user to elevate their privileges to root on affected systems. The bug arises because macOS lets a user log in to the root account when no password has been set for it, so supplying the username "root" with an empty password at an authentication prompt is enough to gain root. The bug appears to affect only macOS High Sierra. Apple has stated that a software update is being developed, and in the meantime has published guidance on enabling the root user and setting a password for it, which removes the passwordless-login condition the bug depends on.
####Reference:
- https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/
- https://support.apple.com/en-us/HT204012
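The following is an added example, not code from Talos or Apple, showing how an administrator can check the state of the local root account and apply the "enable root and set a password" mitigation from the command line. The only thing it parses is `dscl` output, and how that output looks in each state is an assumption stated in the comments; the sample strings are constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Added example, not code from Talos or Apple: report whether the local root
# account is disabled or enabled, then print the action that matches Apple's
# "enable root and set a strong password" guidance.
# Assumptions about `dscl . -read /Users/root AuthenticationAuthority` output:
#   - root never enabled: no AuthenticationAuthority key, dscl prints
#     "No such key: AuthenticationAuthority";
#   - root enabled and later disabled: the attribute carries ";DisabledUser;";
#   - anything else: root is enabled with some password hash. The hash alone
#     does not prove the password is non-empty, so set a strong one either way.

# root_state_from_dscl OUTPUT -> prints "disabled" or "enabled"
root_state_from_dscl() {
    case "$1" in
        *"No such key"*|*";DisabledUser;"*) echo "disabled" ;;
        *)                                  echo "enabled" ;;
    esac
}

# root_advice STATE -> the action to take, worded for what the state tells you.
# dsenableroot and passwd are the command-line equivalents of the Directory
# Utility steps in the Apple article.
root_advice() {
    case "$1" in
        disabled) echo "root is disabled (no password set): enable it and set a strong password (sudo dsenableroot, or Directory Utility)" ;;
        *)        echo "root is enabled: verify the password is strong and rotate it if in doubt (sudo passwd root)" ;;
    esac
}

# check_root_account: live check on a Mac; elsewhere dscl is absent, so return 2
check_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found, not a macOS host" >&2
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(root_state_from_dscl "$out")
    echo "root account: $state"
    root_advice "$state"
}

# Constructed samples of dscl output (not captured from a real machine) so the
# parser can be exercised off a Mac.
SAMPLE_DISABLED_NOKEY='No such key: AuthenticationAuthority'
SAMPLE_DISABLED_TOKEN='AuthenticationAuthority: ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'
SAMPLE_ENABLED='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

root_state_from_dscl "$SAMPLE_DISABLED_NOKEY"   # disabled
root_state_from_dscl "$SAMPLE_DISABLED_TOKEN"   # disabled
root_state_from_dscl "$SAMPLE_ENABLED"          # enabled
```

On a Mac, run `check_root_account` to inspect the live record. Note that the check deliberately does not attempt to authenticate as root with an empty password: on an unpatched system that attempt is the trigger for the bug itself, not a safe test for it.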
###Title: Remote Denial-of-Service Bug in systemd Identified and Patched
Description: A remote denial-of-service vulnerability, assigned CVE-2017-15908, has been identified in the DNS resolver component of systemd (systemd-resolved). When the resolver receives a specially crafted response to one of its DNS queries, the affected system hangs, so any party able to answer the host's DNS queries (a malicious or compromised nameserver, or an on-path attacker) can trigger it. Software updates that address this vulnerability have been developed and are available for affected Linux distributions.
####Reference:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15908
- https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351
- http://blog.trendmicro.com/trendlabs-security-intelligence/systemd-vulnerability-leads-to-denial-of-service-on-linux/
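The following is an added example, not code from the CVE record, Ubuntu, or Trend Micro, showing a quick triage of a Linux host for CVE-2017-15908. It assumes `systemctl --version` prints `systemd <N>` on its first line and that `systemctl is-active systemd-resolved` prints `active` when the resolver is running; the affected upstream range (systemd 223 through 235) is taken from the CVE record linked above. The sample version output is constructed.

```shell
#!/bin/sh
# Added example, not code from the CVE record, Ubuntu, or Trend Micro: triage a
# host for CVE-2017-15908. Verdicts:
#   not-systemd       no "systemd <N>" line, nothing to do
#   resolved-inactive systemd present but systemd-resolved not running
#   affected-range    upstream version in 223..235 (range from the CVE record)
#   outside-range     upstream version outside that range
# Distributions backport fixes without changing the upstream version, so
# "affected-range" means "check the package changelog", not "vulnerable".

# systemd_version_from_output OUTPUT -> prints the upstream major version, e.g. 234
systemd_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# version_in_affected_range VERSION -> 0 when 223 <= VERSION <= 235
version_in_affected_range() {
    v="$1"
    [ -n "$v" ] || return 1
    [ "$v" -ge 223 ] && [ "$v" -le 235 ]
}

# triage_verdict VERSION_OUTPUT RESOLVED_STATE -> prints one verdict word
triage_verdict() {
    ver=$(systemd_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "not-systemd"
        return
    fi
    if [ "$2" != "active" ]; then
        echo "resolved-inactive"
        return
    fi
    if version_in_affected_range "$ver"; then
        echo "affected-range"
    else
        echo "outside-range"
    fi
}

# triage_host: run the live checks on this machine (systemctl absent -> not-systemd)
triage_host() {
    ver_out=$(systemctl --version 2>/dev/null || true)
    state=$(systemctl is-active systemd-resolved 2>/dev/null || true)
    verdict=$(triage_verdict "$ver_out" "$state")
    echo "CVE-2017-15908 triage: $verdict"
    if [ "$verdict" = "affected-range" ]; then
        echo "systemd $(systemd_version_from_output "$ver_out") is in 223..235:"
        echo "confirm the installed package carries the fix (distro changelog) or update systemd"
    fi
}

# Constructed sample of `systemctl --version` output (not captured from a host).
SAMPLE_VERSION_OUTPUT='systemd 234
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN default-hierarchy=hybrid'

triage_verdict "$SAMPLE_VERSION_OUTPUT" active     # affected-range
triage_verdict "$SAMPLE_VERSION_OUTPUT" inactive   # resolved-inactive
```

Run `triage_host` on the machine being assessed. The version test is only a screen: a host whose distribution shipped a backported fix will still report `affected-range`, and a host running an unfixed resolver behind a trusted, non-forwarding nameserver is still exposed to whatever that server returns, so the deciding check is the installed package version against the advisory for that distribution.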
Uber Reveals 2016 Breach of 57 Million User Accounts
https://threatpost.com/uber-reveals-breach-of-57-million-users-admits-to-covering-up-incident/128969/
Using DNS to Break Out of Isolated Networks in a AWS Cloud Environment
https://dejandayoff.com/using-dns-to-break-out-of-isolated-networks-in-a-aws-cloud-environment/
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
https://blog.xpnsec.com/windows-warbird-privesc/
Don’t Feed Them After Midnight: Reverse-Engineering the Furby Connect
https://www.contextis.com/blog/dont-feed-them-after-midnight-reverse-engineering-the-furby-connect
Using Burp Suite’s Collaborator to Find the True IP Address for a .Onion Hidden Service
http://digitalforensicstips.com/2017/11/using-burp-suites-collaborator-to-find-the-true-ip-address-for-a-onion-hidden-service/
ROKRAT Reloaded
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html?f_l=s
- SHA 256: 99550ea419a3f49ee1154c9d5ae99b7f925a783028f87286584a0c9fe7bab4f0
- MD5: 5bafb135e1d7ba0a5acd0fbbeb2a93e1
- VirusTotal: https://www.virustotal.com/file/99550ea419a3f49ee1154c9d5ae99b7f925a783028f87286584a0c9fe7bab4f0/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.99550EA419-95.SBX.TG
- SHA 256: 238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9
- MD5: 3395357300dd177727443c015bcdecfe
- VirusTotal: https://www.virustotal.com/file/238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9/analysis/#additional-info
- Typical Filename: WPA_Kill.exe
- Claimed Product: Windows 2003 & XP Anti Product Activation Patch
- Detection Name: W32.238E42E887-95.SBX.TG
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product: (none)
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: (none)
- Detection Name: W32.Generic:Gen.20l1.1201
- SHA 256: 7ceaa325d27f178732b0fecceee3a2eda1de7f49970424d39ebdde93c077aa0f
- MD5: 8a0a9252ba0f7d46e7b02337ebdad2be
- VirusTotal: https://www.virustotal.com/file/7ceaa325d27f178732b0fecceee3a2eda1de7f49970424d39ebdde93c077aa0f/analysis/#additional-info
- Typical Filename: PCMHelper_u.rar
- Claimed Product: (none)
- Detection Name: W32.7CEAA325D2-100.SBX.VIOC
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM