TOP VULNERABILITY THIS WEEK:
Microsoft Releases Security Advisories for December 2017
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: [BRKSEC-2010] Talos Insights: The State of Cyber Security @ Cisco Live Barcelona
Date: 2018-01-29 - 2018-02-02
Speaker: Warren Mercer, Technical Leader
Synopsis: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: https://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=BRKSEC-2010
NOTABLE RECENT SECURITY ISSUES
Title: Microsoft Releases Security Advisories for December 2017
Description: Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified in currently supported products. This month's release sees a total of 32 vulnerabilities patched with 19 vulnerabilities rated "critical" and 13 rated "important." This month's release also sees the release of a security advisory aimed at reducing the attack surface in Office by disabling DDE.
Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/c383fa60-b852-e711-80dd-000d3a32f9b6
Snort SID: 37283-37284, 45121-45124, 45128-45133, 45138-45153, 45155-45156
Title: Intel Releases Critical Update for Management Engine
Description: Intel has released a critical security advisory for the Management Engine, Trusted Execution Engine, and Server Platform Services in response to a vulnerability being identified. "Systems using Intel ME Firmware versions 8.x-10.x and 11.0.0 -11.7.0, SPS Firmware version 4.0, and TXE version 3.0 are impacted." These effects firmware version on certain processors, such as 6th, 7th, and 8th generation Core Processors, Xeon E3-1200 v5 and v6 series, and others.
Reference: https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
Snort SID: Detection pending release of vulnerability information
Title: Apple Releases Security Updates for macOS, iTunes, and Safari
Description: Apple has released security updates for macOS, iTunes, and Safari. The macOS security update addresses 22 vulnerabilities impacting various components such as OpenSSL, IOKit, Intel Graphics Drivers, Directory Utility, and more. The macOS update also re-addresses CVE-2017-13872, the privilege escalation vulnerability that was previously patched in an out-of-band security update.
Reference: https://support.apple.com/en-us/HT208331
Snort SID: Detection pending release of vulnerability information
Title: Adobe Releases Flash Player Security Bulletin
Description: Adobe has released a Flash Player security bulletin addressing a vulnerability that has been identified. This vulnerability, CVE-2017-11305, is a business logic error that could result in the unintended reset of the global settings preference file. Adobe has released a software update addressing this issue.
Reference: https://helpx.adobe.com/security/products/flash-player/apsb17-42.html
Snort SID: Detection pending
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Sysinternals Sysmon suspicious activity guide
https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/
Phishers Are Upping Their Game. So Should You.
https://krebsonsecurity.com/2017/12/phishers-are-upping-their-game-so-should-you/
The Mutiny Fuzzing Framework and Decept Proxy
http://blog.talosintelligence.com/2017/12/mutiny-decept.html
x86-64 Windows shellcode that recreates the Jurassic Park hacking scene
https://github.com/zznop/pop-nedry
Deep dive on the HP keylogger fixed in November
https://zwclose.github.io/HP-keylogger/
MOST PREVALENT MALWARE FILES 2017-12-05 - 2017-12-12:
-
SHA 256: 99550ea419a3f49ee1154c9d5ae99b7f925a783028f87286584a0c9fe7bab4f0
-
MD5: 5bafb135e1d7ba0a5acd0fbbeb2a93e1
-
VirusTotal: https://www.virustotal.com/file/99550ea419a3f49ee1154c9d5ae99b7f925a783028f87286584a0c9fe7bab4f0/analysis/#additional-info
-
Typical Filename: helperamc.zip
-
Claimed Product: Advanced Mac Cleaner
-
Detection Name: W32.99550EA419-95.SBX.TG
-
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
-
MD5: 799b30f47060ca05d80ece53866e01cc
-
VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
-
Typical Filename: mf2016341595.exe
-
Claimed Product: (unknown)
-
Detection Name: W32.Generic:Gen.20l1.1201
-
SHA 256: 7ceaa325d27f178732b0fecceee3a2eda1de7f49970424d39ebdde93c077aa0f
-
MD5: 8a0a9252ba0f7d46e7b02337ebdad2be
-
VirusTotal: https://www.virustotal.com/file/7ceaa325d27f178732b0fecceee3a2eda1de7f49970424d39ebdde93c077aa0f/analysis/#additional-info
-
Typical Filename: PCMHelper_u.rar
-
Claimed Product: (unknown)
-
Detection Name: W32.7CEAA325D2-100.SBX.VIOC
-
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
-
MD5: e2ea315d9a83e7577053f52c974f6a5a
-
VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
-
Typical Filename: Tempmf582901854.exe
-
Claimed Product: (unknown)
-
Detection Name: W32.C3E530CC00-95.SBX.TG
-
SHA 256: 24eadaa94a1ce95065e0a9b6456e918a4b5af1e12671f53762e6f3716a40787f
-
MD5: edb8ce07bc64bff9df7cfadc500a660d
-
VirusTotal: https://www.virustotal.com/file/24eadaa94a1ce95065e0a9b6456e918a4b5af1e12671f53762e6f3716a40787f/analysis/#additional-info
-
Typical Filename: 26kuroda.n.xls
-
Claimed Product: N/A
-
Detection Name: W32.24EADAA94A-100.SBX.TG
SPAM STATS FOR 2017-12-05 - 2017-12-12
TOP SPAM SUBJECTS OBSERVED
- "Unauthorized Access"
- "RE: Tokyo visit Dec. 2017"
- "A document has been shared on DropBox with you"
- "Your Premiere Global Services Invoice 1989710 is now available"
- Digital Transformation: Strategies
MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 27357 Rackspace Ltd.
- 8075 Microsoft Corporation
- 4760 PCCW Limited
- 7545 TPG Telecom Limited
- 16276 OVH SAS