Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Multiple Vulnerabilities in Trend Micro Email Encryption Gateway Disclosed
### Event: [BRKSEC-2777] Talos Insights: The State of Cyber Security @ Cisco Live Melbourne
#### Date: 2018-03-06 - 2018-03-09
#### Speaker: Nick Biasini
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly changing as attackers evolve their skills. Talos advances the overall efficacy of all Cisco Security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk, we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
#### Reference: https://www.ciscolive.com/anz/learn/sessions/session-catalog/?search=BRKSEC-2777
### Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
#### Date: 2018-04-06 - 2018-04-07
#### Speaker: Paul Rascagneres
Synopsis: Supply chain attacks are often discussed, but overlooked in terms of how well a business prepares itself for any associated compromise or breach. Last year was dubbed “The Year Of The Supply Chain Attack” and marked a turning point for these attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine, and the CCleaner compromise that impacted a reported 2.27 million consumers. In this presentation, we will present these two cases. In both cases, we will show how the attackers modified a legitimate application, and what the result of the modification was. We will explain the attackers’ purpose, and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response. We will provide a timeline of the events of what happened before, during and after Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations. In the second part, we will speak more generally about supply chain attacks. We will discuss the history of these attacks, and we will finally open the discussion regarding their future.
#### Reference: https://www.opcde.com/
### Event: PyREBox: Making Dynamic Instrumentation Great Again @ HITB Security Conference 2018 Amsterdam
#### Date: 2018-04-13 14:00 - 15:00
#### Speaker: Xabier Ugarte-Pedrero
Synopsis: PyREBox is an open-source tool focused on reverse engineering, which provides instrumentation and debugging capabilities on top of the QEMU emulator. It allows you to inspect a running QEMU virtual machine (VM), modify its memory or registers, and instrument its execution with simple Python scripts. It combines whole-system emulation (QEMU) with virtual machine introspection (Volatility). One of the possible applications of this tool is malware analysis. It allows you to debug any process running on the system, and also to instrument the execution of the VM with simple Python scripts to automate common tasks. In this talk, we will present an overview of PyREBox, how it works internally, and how it compares to other tools. We will explain some of the challenges found in implementing Python-based fine-grained instrumentation and how PyREBox tries to solve them. Finally, we will show you how to take advantage of PyREBox for malware analysis by releasing a set of open-source scripts for PyREBox and IDA Pro.
#### Reference: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-pyrebox-making-dynamic-instrumentation-great-again/
### Title: Multiple Vulnerabilities in Trend Micro Email Encryption Gateway Disclosed
Description: Researchers from Core Security have identified multiple vulnerabilities in Trend Micro Email Encryption Gateway. The most severe of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary commands as root on affected devices. Other vulnerabilities include SQL injections, insecure updates via HTTP, reflected XSS attacks, and writes to arbitrary locations leading to command execution. Trend Micro has released a software update addressing a majority of these vulnerabilities. Two additional vulnerabilities were reported to Trend Micro but were not patched “due to the difficulties of implementing and the negative impact on critical normal product function.”
#### Reference: https://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities
#### Snort SID: Detection pending
### Title: Google Project Zero Discloses Unpatched Windows 10 Privilege Escalation Vulnerability
Description: Google Project Zero has disclosed a privilege escalation vulnerability in Windows 10 that has not yet been patched. Details of this vulnerability were made public on Feb. 20. Per Project Zero's notes, Microsoft considers this vulnerability “Important,” as code execution is a prerequisite to exploit it, and it cannot be exploited remotely by itself. Patches for this vulnerability are anticipated on the following Patch Tuesday.
#### Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=1428
#### Snort SID: Detection pending
Who Wasn’t Responsible for Olympic Destroyer?
http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html?f_l=s
Chrome extension and Express server that exploits keylogging abilities of CSS
https://github.com/maxchehab/CSS-Keylogging
“Pwned Passwords” v2 Launched; Half a Billion Passwords for Download
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
mitmproxy v3.0 Released
https://mitmproxy.org/posts/releases/mitmproxy3/
Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign
- SHA 256: 41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc
- MD5: ad73fa217be65de47a4012af0216880b
- VirusTotal: https://www.virustotal.com/file/41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.Auto:41ee9b.in03.Talos
- SHA 256: 238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9
- MD5: 3395357300dd177727443c015bcdecfe
- VirusTotal: https://www.virustotal.com/file/238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9/analysis/#additional-info
- Typical Filename: Windows 2003 & XP Anti Product Activation Patch
- Claimed Product: WPA_Kill.exe
- Detection Name: W32.238E42E887-95.SBX.TG
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21cp.1201
- SHA 256: ab5985cfa3ef4b249ed0fb6b70013be9a2e7cb17d7113431bd5727dfcc0642ce
- MD5: a3a1eba3622a71f819ff2596a48d5f6f
- VirusTotal: https://www.virustotal.com/file/ab5985cfa3ef4b249ed0fb6b70013be9a2e7cb17d7113431bd5727dfcc0642ce/analysis/#additional-info
- Typical Filename: worming.png
- Claimed Product: (none)
- Detection Name: W32.AB5985CFA3-100.SBX.TG
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
- VirusTotal: https://www.virustotal.com/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/analysis/#additional-info
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21dr.1201
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM