
Talos Threat Source Newsletters

Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.

March 06, 2018


TOP VULNERABILITY THIS WEEK:

Google Releases Monthly Security Bulletin for Android; 39 Vulnerabilities Addressed


UPCOMING PUBLIC ENGAGEMENTS WITH TALOS


Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
Date: 2018-04-06 - 2018-04-07
Speaker: Paul Rascagneres

Synopsis: Supply chain attacks are often discussed, but how well a business is prepared for the compromise or breach that follows one is frequently overlooked. Last year was dubbed “The Year Of The Supply Chain Attack” and marked a turning point for these attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine, and the CCleaner compromise that impacted a reported 2.27 million consumers. In this presentation, we will present these two cases. For each, we will show how the attackers modified a legitimate application and what the result of the modification was, and we will explain the attackers’ purpose and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response, and we will provide a timeline of what happened before, during and after Nyetya and MeDoc. For the CCleaner compromise, we will provide data and statistics from the attackers’ database and the profiles of the targeted organizations. In the second part, we will speak more broadly about supply chain attacks: their history, and finally an open discussion about their future.
Reference: https://www.opcde.com/


Event: PyREBox: Making Dynamic Instrumentation Great Again @ HITB Security Conference 2018 Amsterdam
Date: 2018-04-13 14:00 - 15:00
Speaker: Xabier Ugarte-Pedrero

Synopsis: PyREBox is an open-source reverse-engineering tool that provides instrumentation and debugging capabilities on top of the QEMU emulator. It allows you to inspect a running QEMU virtual machine (VM), modify its memory or registers, and instrument its execution with simple Python scripts. It combines whole-system emulation (QEMU) with VM introspection (Volatility). One possible application of this tool is malware analysis: it allows you to debug any process running on the system and to instrument the execution of the VM with simple Python scripts that automate common tasks. In this talk, we will present an overview of PyREBox, how it works internally, and how it compares to other tools. We will explain some of the challenges found in implementing Python-based fine-grained instrumentation and how PyREBox tries to solve them. Finally, we will show how to take advantage of PyREBox for malware analysis by releasing a set of open-source scripts for PyREBox and IDA Pro.
Reference: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-pyrebox-making-dynamic-instrumentation-great-again/


NOTABLE RECENT SECURITY ISSUES


Title: Google Releases Monthly Security Bulletin for Android; 39 Vulnerabilities Addressed
Description: Google has released its monthly security bulletin for Android to address 37 vulnerabilities that have been identified. This month’s bulletin addresses 11 critical vulnerabilities and 26 high-severity vulnerabilities. The 2018-03-01 security patch level contains fixes for the Media framework and the Android System, while the 2018-03-05 security patch level fixes bugs in the kernel, Qualcomm and NVIDIA components. Updates have been published for Nexus and Pixel devices. Android partners should be in the process of integrating these updates and pushing them out to other Android handsets in the near future.
Reference: https://source.android.com/security/bulletin/2018-03-01
Snort SID: Detection pending release of vulnerability information


Title: Hewlett Packard Enterprise Releases Security Bulletin for Denial-of-Service Vulnerability in iLO 3
Description: Hewlett Packard Enterprise has released a security bulletin for a denial-of-service (DoS) vulnerability in HPE Integrated Lights-Out 3 (iLO 3). This vulnerability, identified as CVE-2017-8987, could be exploited by a remote, unauthenticated attacker and affects HPE iLO 3 version 1.88. HPE has released a software update to address this vulnerability.
Reference: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03826en_us
Snort SID: Detection pending release of vulnerability information


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

How to Fight Mobile Number Port-out Scams
https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/

VMware Exploitation Through Uninitialized Buffers
https://www.zerodayinitiative.com/blog/2018/3/1/vmware-exploitation-through-uninitialized-buffers

Memcrashed - Major amplification attacks from UDP port 11211
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

Gaining Domain Admin from Outside Active Directory
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html

Trustico website goes dark after someone drops critical flaw on Twitter
https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/

Intel Releases Updated Spectre Fixes For Broadwell and Haswell Chips
https://threatpost.com/intel-releases-updated-spectre-fixes-for-broadwell-and-haswell-chips/130144/


MOST PREVALENT MALWARE FILES 2018-02-27 - 2018-03-06:


- SHA 256: 238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9
- MD5: 3395357300dd177727443c015bcdecfe
- VirusTotal: https://www.virustotal.com/file/238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9/analysis/#additional-info
- Typical Filename: WPA_Kill.exe
- Claimed Product: Windows 2003 & XP Anti Product Activation Patch
- Detection Name: W32.238E42E887-95.SBX.TG


- SHA 256: 01b8e11653fb4383805ed7fb88e64f09d709ac0b4b947a00bb3ec8b94c2dddb5
- MD5: 9007fa5163a996c352ecd7da77cb6e38
- VirusTotal: https://www.virustotal.com/file/01b8e11653fb4383805ed7fb88e64f09d709ac0b4b947a00bb3ec8b94c2dddb5/analysis/#additional-info
- Typical Filename: CCP031931.zip
- Claimed Product: N/A
- Detection Name: W32.Auto:01b8e11653.in05.Talos


- SHA 256: 41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc
- MD5: ad73fa217be65de47a4012af0216880b
- VirusTotal: https://www.virustotal.com/file/41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.Auto:41ee9b.in03.Talos


- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: (none)
- Detection Name: W32.Generic:Gen.21cp.1201


- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
- VirusTotal: https://www.virustotal.com/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/analysis/#additional-info
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21dr.1201


SPAM STATS FOR 2018-02-27 - 2018-03-06


TOP SPAM SUBJECTS OBSERVED

  • “FYI - Important”
  • “Your invoice is ready”
  • “Urgent Security Alert”
  • “YOUR IMMEDIATE ACTION IS REQUIRED”
  • “update”


MOST FREQUENTLY USED ASNs FOR SENDING SPAM

  • 15169 Google LLC
  • 8075 Microsoft Corporation
  • 16276 OVH SAS
  • 14742 Internap Network Services Corporation
  • 22773 Cox Communications Inc.