Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Multiple Vulnerabilities in Trend Micro Email Encryption Gateway Disclosed
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly changing as attackers evolve their skills. Talos advances the overall efficacy of all Cisco Security platforms by aggregating data, cooperating with teams of security experts, and applying cutting-edge big data technology to security. In this talk, we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Synopsis: Supply chain attacks are often discussed, but overlooked in terms of how well a business prepares itself for any associated compromise or breach. Last year marked itself as "The Year Of The Supply Chain Attack" and marked a turning point concerning supply chain attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed the Ukraine, and CCleaner compromise that impacted a reported 2.27 million consumers. In this presentation, we will present these two cases. In both cases, we will present how the attackers modified a legitimate application, and what the result of the modification was. We will explain the attackers’ purpose, and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response. We will provide a timeline of the events of what happened before, during and after Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations. In a second part, we will speak globally about supply chain attacks. We will discuss the history of these attacks, and we will finally open the discussion regarding the future of these attacks.
Synopsis: PyREBox is an open-source tool focused on reverse engineering, which provides instrumentation and debugging capabilities on top of the QEMU emulator. It allows you to inspect a running QEMU virtual machine (VM), modify its memory or registers, and instrument its execution with simple Python scripts. It combines whole-system-emulation (QEMU) with virtual machine introspection (Volatility). One of the possible applications of this tool is malware analysis. It allows you to debug any process running on the system, and also to instrument the execution of the VM with simple Python scripts to automate common tasks. In this talk, we will present an overview of PyREBox, how it works internally, and how it compares to other tools. We will explain some of the challenges found in implementing Python-based fine-grained instrumentation and how PyREBox tries to solve them. Finally, we will show you how to take advantage of PyREBox for malware analysis by releasing a set of open-source scripts for PyREBox and IDA Pro.
Description: Researchers from Core Security have identified multiple vulnerabilities in Trend Micro Email Encryption Gateway. The most severe of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary commands as root on affected devices. Other vulnerabilities include SQL injections, insecure updates via HTTP, reflected XSS attacks, and arbitrary locations leading to command execution. Trend Micro has released a software update addressing a majority of these vulnerabilities. Two additional vulnerabilities were reported to Trend Micro but were not patched "due to the difficulties of implementing and the negative impact on critical normal product function."
Description: Google Project Zero has disclosed a privilege escalation vulnerability in Windows 10 that has not yet been patched. Details of this vulnerability were made public on Feb. 20. Per Project Zero notes, Microsoft considers this vulnerability "Important," as code execution is a prerequisite to exploit it, and it cannot be exploited remotely by itself. Patches for this vulnerability are anticipated the following Patch Tuesday.
Who Wasn’t Responsible for Olympic Destroyer?
http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html?f_l=s
Chrome extension and Express server that exploits keylogging abilities of CSS
https://github.com/maxchehab/CSS-Keylogging
"Pwned Passwords" v2 Launched; Half a Billion Passwords for Download
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
mitmproxy v3.0 Released
https://mitmproxy.org/posts/releases/mitmproxy3/
Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign
https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massive-malspam-campaign