Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Software and Firmware Updates Continue to Roll Out In Response to ‘Meltdown’ and ‘Spectre’
###Event: [BRKSEC-2010] Talos Insights: The State of Cyber Security @ Cisco Live Barcelona
####Date: 2018-01-29 - 2018-02-02
####Speaker: Warren Mercer, Technical Leader
Synopsis: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. ####Reference: https://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=BRKSEC-2010
###Event: Talos Insights: The State of Cyber Security @ Novosco Cyber Security and GDPR Seminar
####Date: 2018-02-22
####Speaker: Warren Mercer, Technical Leader
Synopsis: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. ####Reference: https://www.novosco.com/cyber-security-gdpr-belfast
###Event: [BRKSEC-2777] Talos Insights: The State of Cyber Security @ Cisco Live Melbourne
####Date: 2018-03-06 - 2018-03-09
####Speaker: Nick Biasini, Threat Researcher
Synopsis: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies. ####Reference: https://www.ciscolive.com/anz/learn/sessions/session-catalog/?search=BRKSEC-2777
###Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
####Date: 2018-04-06 - 2018-04-07
####Speaker: Paul Rascagneres
Synopsis: Supply chain attacks are often long thought about and often overlooked in terms of how well a business prepares itself for any associated compromise or breach. 2017 has truly marked itself as ‘The Year Of The Supply Chain Attack’ and marked a turning point concerning supply chain attacks. Talos was involved in two major campaigns: MeDoc compromise that paralyzed the Ukraine and CCleaner compromise that impacted a reported 2.27M consumers. In this presentation we will firstly present these two cases. In both cases, we will present how the attackers modified a legitimate application and what was the result of the modification. We will explain the purpose of the attackers and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations. In a second part, we will speak globally about supply chain attacks. We will remember that it’s not the first time in the history that this kind of attacks occurred and we will finally open the discussion on the future of this attacks. ####Reference: https://www.opcde.com/
###Title: Security Issue with Misconfigured Intel AMT-enabled Systems Identified
Description: Researchers at F-Secure have identified a security issue with Intel-based system who have Active Management Technology (AMT) enabled. This issue manifests in misconfigured systems not correctly securing AMT and allowing an attacker to potentially gain control of the system. Intel has responded to the issue noting that organizations who utilize AMT should follow basic security guidelines they have laid out.
####Reference: https://business.f-secure.com/intel-amt-security-issue
###Title: Two XSS Vulnerabilities in Ruby Rails Gems Identified and Patched
Description: Researchers have identified two cross-site scripting vulnerabilities (XSS) vulnerabilities in Ruby Rails Gems. These two vulnerabilities manifest due to improper sanitization and handling of URLs. Software updates that address these vulnerabilities have been released.
####Reference: http://blog.talosintelligence.com/2018/01/vulnerability-spotlight-ruby-rails-gem.html
####Snort SID: 44380, 44381
New Python-based Crypto-miner Botnet Flying Under The Radar
https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar
Korea In The Crosshairs
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html?f_l=s
A password for the Hawaii emergency agency was hiding in a public photo, written on a Post-it note
http://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1
CTF Challenge n3ph4ck Writeup (Spoilers)
https://medium.com/@m4f1a/ctf-challenge-n3ph4ck-writeup-b355f512977b
How I exploited ACME TLS-SNI-01 issuing Let’s Encrypt SSL-certs for any domain using shared hosting
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/
- SHA 256: 275349b37867e433784b0df2dc97622ea23009ce0ca90e1313db94029fa620ad
- MD5: 2416f49b0e091c3076c9453b98dde8e0
- VirusTotal: https://www.virustotal.com/file/275349b37867e433784b0df2dc97622ea23009ce0ca90e1313db94029fa620ad/analysis/#additional-info
- Typical Filename: 7oslD.wsf
- Claimed Product: N/A
- Detection Name: Banker:EPACK-tpd
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: (none)
- Detection Name: W32.Generic:Gen.21ci.1201
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product: (none)
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: 7c8e2fa9c2e79093834cb0dd04d41a9a0022ada60920c1ee5423a967f30acff8
- MD5: 5d60516dc6b946a3f0074839003a64a4
- VirusTotal: https://www.virustotal.com/file/7c8e2fa9c2e79093834cb0dd04d41a9a0022ada60920c1ee5423a967f30acff8/analysis/#additional-info
- Typical Filename: 5d60516dc6b946a3f0074839003a64a471a5d38f886a617e053f3efc809029f3701c6036160091.dll
- Claimed Product: (none)
- Detection Name: W32.Worm:Malwaregen.20mi.1201
- SHA 256: 2d72c8fee62f7b1724b4fdc4a3e171058da25dda3c06d378d658a7eb7683eabe
- MD5: dfc19e649dc1cd32904926085d337670
- VirusTotal: https://www.virustotal.com/file/2d72c8fee62f7b1724b4fdc4a3e171058da25dda3c06d378d658a7eb7683eabe/analysis/#additional-info
- Typical Filename: Texts2Audio3.exe
- Claimed Product: Texts2Audio3
- Detection Name: W32.Emotet:FileRepMalware.21co.1201
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM