Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Google Releases Monthly Security Bulletin for Android; 39 Vulnerabilities Addressed
###Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
####Date: 2018-04-06 - 2018-04-07
####Speaker: Paul Rascagneres
Synopsis: Supply chain attacks are often discussed, but overlooked in terms of how well a business prepares itself for any associated compromise or breach. Last year marked itself as “The Year Of The Supply Chain Attack” and marked a turning point concerning supply chain attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed the Ukraine, and the CCleaner compromise that impacted a reported 2.27 million consumers. In this presentation, we will present these two cases. In both cases, we will present how the attackers modified a legitimate application, and what the result of the modification was. We will explain the attackers’ purpose, and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response. We will provide a timeline of the events of what happened before, during and after Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations. In the second part, we will speak globally about supply chain attacks. We will discuss the history of these attacks, and we will finally open the discussion regarding the future of these attacks. ####Reference: https://www.opcde.com/
###Event: PyREBox: Making Dynamic Instrumentation Great Again @ HITB Security Conference 2018 Amsterdam
####Date: 2018-04-13 14:00 - 15:00
####Speaker: Xabier Ugarte-Pedrero
Synopsis: PyREBox is an open-source tool focused on reverse engineering, which provides instrumentation and debugging capabilities on top of the QEMU emulator. It allows you to inspect a running QEMU virtual machine (VM), modify its memory or registers, and instrument its execution with simple Python scripts. It combines whole-system-emulation (QEMU) with VM introspection (Volatility). One of the possible applications of this tool is malware analysis. It allows you to debug any process running on the system, and also to instrument the execution of the VM with simple Python scripts to automate common tasks. In this talk, we will present an overview of PyREBox, how it works internally, and how it compares to other tools. We will explain some of the challenges found in implementing Python-based fine-grained instrumentation and how PyREBox tries to solve them. Finally, we will show you how to take advantage of PyREBox for malware analysis by releasing a set of open-source scripts for PyREBox and IDA Pro. ####Reference: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-pyrebox-making-dynamic-instrumentation-great-again/
###Title: Google Releases Monthly Security Bulletin for Android; 39 Vulnerabilities Addressed
Description: Google has released its monthly security bulletin for Android to address 37 vulnerabilities that have been identified. This month’s bulletin release addresses 11 critical vulnerabilities and 26 high-severity vulnerabilities. The 2018-03-01 security patch level contains fixes for the Media framework and Android System, while the 2018-03-05 security patch level fixes bugs in the kernel, Qualcomm and nVidia components. Updates have been published for Nexus and Pixel devices. Android partners should be in the process of integrating these updates and pushing them out in the near future for other Android handsets.
####Reference: https://source.android.com/security/bulletin/2018-03-01
####Snort SID: Detection pending release of vulnerability information
###Title: Hewlett Packard Enterprise Releases Security Bulletin for Denial-of-Service Vulnerability in iLO 3
Description: Hewlett Packard Enterprise has released a security bulletin for a denial-of-service (DoS) vulnerability in HPE Integrated Lights-Out 3 (iLO 3). This vulnerability, identified as CVE-2017-8987, could be exploited by a remote, unauthenticated attacker and impacts HPE iLO 3 version 1.88. HPE has released a software update to address this vulnerability.
####Reference: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03826en_us
####Snort SID: Detection pending release of vulnerability information
How to Fight Mobile Number Port-out Scams
https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/
VMware Exploitation Through Uninitialized Buffers
https://www.zerodayinitiative.com/blog/2018/3/1/vmware-exploitation-through-uninitialized-buffers
Memcrashed - Major amplification attacks from UDP port 11211
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
Gaining Domain Admin from Outside Active Directory
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html
Trustico website goes dark after someone drops critical flaw on Twitter
https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/
Intel Releases Updated Spectre Fixes For Broadwell and Haswell Chips
https://threatpost.com/intel-releases-updated-spectre-fixes-for-broadwell-and-haswell-chips/130144/
- SHA 256: 238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9
- MD5: 3395357300dd177727443c015bcdecfe
- VirusTotal: https://www.virustotal.com/file/238e42e887eddbb4ab164a62874e21b905665b32fe3b5d80473500d6c3f2e8c9/analysis/#additional-info
- Typical Filename: WPA_Kill.exe
- Claimed Product: Windows 2003 & XP Anti Product Activation Patch
- Detection Name: W32.238E42E887-95.SBX.TG
- SHA 256: 01b8e11653fb4383805ed7fb88e64f09d709ac0b4b947a00bb3ec8b94c2dddb5
- MD5: 9007fa5163a996c352ecd7da77cb6e38
- VirusTotal: https://www.virustotal.com/file/01b8e11653fb4383805ed7fb88e64f09d709ac0b4b947a00bb3ec8b94c2dddb5/analysis/#additional-info
- Typical Filename: CCP031931.zip
- Claimed Product: N/A
- Detection Name: W32.Auto:01b8e11653.in05.Talos
- SHA 256: 41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc
- MD5: ad73fa217be65de47a4012af0216880b
- VirusTotal: https://www.virustotal.com/file/41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.Auto:41ee9b.in03.Talos
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: (none)
- Detection Name: W32.Generic:Gen.21cp.1201
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
- VirusTotal: https://www.virustotal.com/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/analysis/#additional-info
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21dr.1201
####TOP SPAM SUBJECTS OBSERVED
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM