Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Cisco Discloses Remote Code Execution Vulnerability in SSL VPN Functionality of ASAs
### Event: Talos Insights: The State of Cyber Security @ Novosco Cyber Security and GDPR Seminar
#### Date: 2018-02-22
#### Speaker: Warren Mercer, Technical Leader
Synopsis: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
#### Reference: https://www.novosco.com/cyber-security-gdpr-belfast
### Event: [BRKSEC-2777] Talos Insights: The State of Cyber Security @ Cisco Live Melbourne
#### Date: 2018-03-06 - 2018-03-09
#### Speaker: Nick Biasini, Threat Researcher
Synopsis: Cisco’s Talos team specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
#### Reference: https://www.ciscolive.com/anz/learn/sessions/session-catalog/?search=BRKSEC-2777
### Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
#### Date: 2018-04-06 - 2018-04-07
#### Speaker: Paul Rascagneres
Synopsis: Supply chain attacks are often thought about but just as often overlooked when a business assesses how well it is prepared for any associated compromise or breach. 2017 has truly marked itself as ‘The Year Of The Supply Chain Attack’ and marked a turning point concerning supply chain attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers. In this presentation we will firstly present these two cases. In both cases, we will present how the attackers modified a legitimate application and what the result of the modification was. We will explain the purpose of the attackers and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations. In a second part, we will speak globally about supply chain attacks. We will recall that it is not the first time in history that this kind of attack has occurred, and we will finally open the discussion on the future of these attacks.
#### Reference: https://www.opcde.com/
### Title: Cisco Discloses Remote Code Execution Vulnerability in SSL VPN Functionality of ASAs
Description: Cisco has released a security advisory to address CVE-2018-0101, a remote code execution vulnerability identified in the SSL VPN functionality of Cisco Adaptive Security Appliances (ASAs). The vulnerability, identified by Cedric Halbronn from the NCC Group, manifests as a double-free condition that can be triggered when the SSL VPN improperly handles XML packets. Cisco has released free software updates that address this vulnerability.
#### Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
### Title: Lenovo Releases Security Advisory for Fingerprint Manager Pro Vulnerability on Lenovo Laptops
Description: Lenovo has released a security advisory, addressing a vulnerability that has been identified in Fingerprint Manager Pro. This vulnerability, assigned CVE-2017-3762, impacts systems where sensitive data stored by Fingerprint Manager Pro is “encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.” Lenovo notes that this vulnerability only affects Windows 7, Windows 8, and Windows 8.1 systems. Windows 10 systems are not vulnerable. Lenovo has released a software update addressing these issues for affected systems.
#### Reference: https://support.lenovo.com/us/en/product_security/len-15999
Microsoft to classify software containing coercive messaging as unwanted software
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/30/protecting-customers-from-being-intimidated-into-making-an-unnecessary-purchase/
How to Hack a Turned-off Computer, or Running Unsigned Code in Intel ME
http://blog.ptsecurity.com/2018/01/running-unsigned-code-in-intel-me.html
A Deep Dive Analysis of Microsoft’s Kernel Virtual Address Shadow Feature
https://blog.fortinet.com/2018/01/25/a-deep-dive-analysis-of-microsoft-s-kernel-virtual-address-shadow-feature
Malware Reversing - Burpsuite Keygen
https://0x00sec.org/t/malware-reversing-burpsuite-keygen/5167
Strava Fitness App Can Reveal Military Sites, Analysts Say
https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html
Talos Blog: Vulnerability Spotlight: Walt Disney Per-Face Texture Mapping faceInfoSize Code Execution Vulnerability
http://blog.talosintelligence.com/2018/01/ptex-rce-vuln.html
Talos Blog: 2017 in Snort Signatures
http://blog.talosintelligence.com/2018/01/2017-in-snort-signatures.html
- SHA 256: fbe9c7f03f06b055de21ab0df6237c13df74e0b44a5c178ed7d0463d76069350
- MD5: 51d17f4d17dfb0cefaaf6aa236d011a6
- VirusTotal: https://www.virustotal.com/file/fbe9c7f03f06b055de21ab0df6237c13df74e0b44a5c178ed7d0463d76069350/analysis/#additional-info
- Typical Filename: Uninstall.exe
- Claimed Product: Sophos Standalone Engine uninstaller tool
- Detection Name: W32.Auto.fbe9c7.MASH.RT.SBX.VIOC

- SHA 256: 3f5961a80d3aa7cb06520fd8e89558170936a1a4a3fe16e9fc84c379518c0759
- MD5: 608e7d9ac275bdaadd0fa021f1c6694a
- VirusTotal: https://www.virustotal.com/file/3f5961a80d3aa7cb06520fd8e89558170936a1a4a3fe16e9fc84c379518c0759/analysis/#additional-info
- Typical Filename: cryptonight.wasm
- Claimed Product: N/A
- Detection Name: W32.3F5961A80D-100.SBX.VIOC

- SHA 256: dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b
- MD5: 0c694193ceac8bfb016491ffb534eb7c
- VirusTotal: https://www.virustotal.com/file/dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b/analysis/#additional-info
- Typical Filename: mssecsvc.exe
- Claimed Product: (none)
- Detection Name: W32.Ransom:TrojanRansom.21ck.1201

- SHA 256: 99550ea419a3f49ee1154c9d5ae99b7f925a783028f87286584a0c9fe7bab4f0
- MD5: 5bafb135e1d7ba0a5acd0fbbeb2a93e1
- VirusTotal: https://www.virustotal.com/file/99550ea419a3f49ee1154c9d5ae99b7f925a783028f87286584a0c9fe7bab4f0/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.99550EA419-95.SBX.TG

- SHA 256: 0478ce64dd7a27d849e9ca32bc95f6f89330ce9c7f5ab3fedd70726c9d9e5c6c
- MD5: ba9ed23ee65094f4a8686b7088d1153a
- VirusTotal: https://www.virustotal.com/file/0478ce64dd7a27d849e9ca32bc95f6f89330ce9c7f5ab3fedd70726c9d9e5c6c/analysis/#additional-info
- Typical Filename: SafeDrv.exe
- Claimed Product: (none)
- Detection Name: Suspicious_F:Trojan-tpd
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM