Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
### Event: [BRKSEC-2777] Talos Insights: The State of Cyber Security @ Cisco Live Melbourne
#### Date: 2018-03-06 - 2018-03-09
#### Speaker: Nick Biasini, Threat Researcher
Synopsis: Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
#### Reference: https://www.ciscolive.com/anz/learn/sessions/session-catalog/?search=BRKSEC-2777
### Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
#### Date: 2018-04-06 - 2018-04-07
#### Speaker: Paul Rascagneres
Synopsis: Supply chain attacks are often discussed, yet frequently overlooked when a business assesses how well it is prepared for an associated compromise or breach. 2017 truly marked itself as 'The Year Of The Supply Chain Attack' and was a turning point for this class of attack. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers. In this presentation we will first present these two cases. For both, we will show how the attackers modified a legitimate application and what the result of the modification was. We will explain the attackers' purpose and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response and will provide a timeline of events to give a before, during and after picture of Nyetya and MeDoc. For the CCleaner compromise, we will provide data and statistics from the attackers' database and the profiles of the targeted organizations. In the second part, we will speak more generally about supply chain attacks. We will recall that this is not the first time in history that this kind of attack has occurred, and we will close by opening the discussion on the future of these attacks.
#### Reference: https://www.opcde.com/
### Event: PyREBox: Making Dynamic Instrumentation Great Again @ HITB Security Conference 2018 Amsterdam
#### Date: 2018-04-13 14:00 - 15:00
#### Speaker: Xabier Ugarte-Pedrero
Synopsis: PyREBox is an open-source reverse engineering tool that provides instrumentation and debugging capabilities on top of the QEMU emulator. It allows you to inspect a running QEMU VM, modify its memory or registers, and instrument its execution with simple Python scripts. It combines whole-system emulation (QEMU) with Virtual Machine Introspection (Volatility). One possible application of this tool is malware analysis: it allows you to debug any process running on the system and to instrument the execution of the VM with simple Python scripts to automate common tasks. In this talk, we will present an overview of PyREBox, how it works internally, and how it compares to other tools. We will explain some of the challenges encountered in implementing Python-based fine-grained instrumentation and how PyREBox tries to solve them. Finally, we will show you how to take advantage of PyREBox for malware analysis by releasing a set of open-source scripts for PyREBox and IDA Pro.
#### Reference: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-pyrebox-making-dynamic-instrumentation-great-again/
### Title: Apple Releases Security Update for "Text Bomb" Flaw in iOS and macOS
Description: Apple has released a supplemental security update in response to the "text bomb" denial of service flaw in iOS, macOS, watchOS, and tvOS. The "text bomb" vulnerability, identified as CVE-2018-4124, is a flaw in how certain characters are handled and rendered by the operating system and can result in application and system crashes. Users are advised to update their devices, as people triggering this flaw have been observed.
#### Reference: https://support.apple.com/en-us/HT208534
### Title: Dell EMC Releases Security Advisory for Flaws in VMAX Virtual Appliance Manager
Description: Dell EMC has released a security advisory for two vulnerabilities identified in VMAX Virtual Appliance (vApp) Manager. These vulnerabilities, assigned CVE-2018-1215 and CVE-2018-1216, are severe and have been assessed CVSSv3 scores of 8.8 and 9.8 respectively. CVE-2018-1215 is an arbitrary file upload vulnerability, while CVE-2018-1216 is a hard-coded credential vulnerability. Dell EMC has released a software update that addresses both vulnerabilities.
#### Reference: http://seclists.org/fulldisclosure/2018/Feb/41
#### Snort SID: Detection pending release of vulnerability information
Encryption 101: a malware analyst’s primer
https://blog.malwarebytes.com/threat-analysis/2018/02/encryption-101-malware-analysts-primer/
PcapXray - A Network Forensics Tool to visualize a packet capture offline as a Network Diagram
https://github.com/Srinivas11789/PcapXray
Expanding Intel’s Bug Bounty Program: New Side Channel Program, Increased Awards
https://newsroom.intel.com/news/expanding-intels-bug-bounty-program/
Multi-Stage Email Word Attack Without Macros
https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/
- SHA 256: 9a51195e1515e0a405f5c251297b3b8888ca625d93052e3af97dd3f248b837b3
- MD5: a354b0d4cc6f0d15bd838e259f4d8b0d
- VirusTotal: https://www.virustotal.com/file/9a51195e1515e0a405f5c251297b3b8888ca625d93052e3af97dd3f248b837b3/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: Auto.9A51195E15.Sbmt.tht.Talos
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
- VirusTotal: https://www.virustotal.com/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/analysis/#additional-info
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21dr.1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: (none)
- Detection Name: W32.Generic:Gen.21cp.1201
- SHA 256: b74d0ecd4aa14647beae8f92df09d52965e6a8bc3aaa7356d879fe7f9d2e6876
- MD5: e6a2596eaae19e111de1c4ba5ae7a8ca
- VirusTotal: https://www.virustotal.com/file/b74d0ecd4aa14647beae8f92df09d52965e6a8bc3aaa7356d879fe7f9d2e6876/analysis/#additional-info
- Typical Filename: lsmosee.exe
- Claimed Product: (none)
- Detection Name: W32.Variant:Gen.21dp.1201
- SHA 256: 8c2998f78b42fb10e872ea13bea124de0de41549c5a8dd2d4477c0d69936429f
- MD5: d1d9c5859144b56884fe7b4982cf4671
- VirusTotal: https://www.virustotal.com/file/8c2998f78b42fb10e872ea13bea124de0de41549c5a8dd2d4477c0d69936429f/analysis/#additional-info
- Typical Filename: BloombergUILoader.dot
- Claimed Product: N/A
- Detection Name: DOC.8C2998F78B.malicious.tht.Talos
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM