Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Microsoft Releases Security Bulletins For March 2018
### Event: Surprise, Supplies! @ OPCDE (Dubai, UAE)
#### Date: 2018-04-06 - 2018-04-07
#### Speaker: Paul Rascagneres
Synopsis: Supply chain attacks are often discussed, but overlooked in terms of how well a business prepares itself for any associated compromise or breach. Last year marked itself as “The Year Of The Supply Chain Attack,” and marked a turning point concerning supply chain attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine, and the CCleaner compromise that impacted a reported 2.27 million consumers. In this presentation, we will present these two cases. In both cases, we will present how the attackers modified a legitimate application, and what the result of the modification was. We will explain the attackers’ purpose, and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response. We will provide a timeline of the events of what happened before, during and after Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations. In the second part, we will speak globally about supply chain attacks. We will discuss the history of these attacks, and we will finally open the discussion regarding the future of these attacks.
#### Reference: https://www.opcde.com/
### Event: PyREBox: Making Dynamic Instrumentation Great Again @ HITB Security Conference 2018 Amsterdam
#### Date: 2018-04-13 14:00 - 15:00
#### Speaker: Xabier Ugarte-Pedrero
Synopsis: PyREBox is an open-source tool focused on reverse engineering, which provides instrumentation and debugging capabilities on top of the QEMU emulator. It allows you to inspect a running QEMU virtual machine (VM), modify its memory or registers, and instrument its execution with simple Python scripts. It combines whole-system emulation (QEMU) with VM introspection (Volatility). One of the possible applications of this tool is malware analysis. It allows you to debug any process running on the system, and also to instrument the execution of the VM with simple Python scripts to automate common tasks. In this talk, we will present an overview of PyREBox, how it works internally, and how it compares to other tools. We will explain some of the challenges found in implementing Python-based fine-grained instrumentation and how PyREBox tries to solve them. Finally, we will show you how to take advantage of PyREBox for malware analysis by releasing a set of open-source scripts for PyREBox and IDA Pro.
#### Reference: https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-pyrebox-making-dynamic-instrumentation-great-again/
### Title: Microsoft Releases Security Bulletins For March 2018
Description: Microsoft has released its monthly set of security bulletins. This month’s release addresses 74 new vulnerabilities with 14 of them rated critical and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, Scripting Engine, Windows Shell and more.
#### Reference: https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/6c8fa125-28f6-e711-a963-000d3a33a34d
#### Snort SID: 45873-45884, 45887-45890, 45892-45895, 45900-45903
### Title: Adobe Releases Security Bulletins for Flash Player, Dreamweaver, and Connect
Description: Adobe has released security bulletins for Flash Player, Dreamweaver and Connect. The Flash Player bulletin addresses 2 critical remote code execution vulnerabilities that manifest as use-after-free and type confusion conditions. The Dreamweaver bulletin addresses a critical arbitrary OS command injection flaw, and the Connect bulletin addresses an arbitrary file deletion flaw and an information disclosure flaw. Adobe has released software updates that address these vulnerabilities.
#### Reference:
- https://helpx.adobe.com/security/products/flash-player/apsb18-05.html
- https://helpx.adobe.com/security.html
#### Snort SID: Detection pending
### Title: Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability
Description: Cisco has released a software update that addresses a vulnerability in Cisco Prime Collaboration Provisioning (PCP) software which could allow an unauthenticated, local attacker to log in to the underlying Linux operating system via a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via SSH, gaining low-level access and then elevating to root privileges to take full control of the device.
#### Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-cpcp
### Title: Samba Releases Updates for Two Samba Vulnerabilities
Description: Samba has released two security advisories that address CVE-2018-1050 and CVE-2018-1057. CVE-2018-1050 is a denial of service vulnerability impacting Samba version 4.0.0 onward and manifests when the RPC spoolss service is configured to run as an external daemon. CVE-2018-1057 is a security feature bypass flaw also affecting Samba 4.0.0 onward. CVE-2018-1057 manifests due to improper permission validation and could allow authenticated users to change other users’ passwords. Samba has released software updates that address these vulnerabilities.
#### Reference:
- https://www.samba.org/samba/security/CVE-2018-1050.html
- https://www.samba.org/samba/security/CVE-2018-1057.html
#### Snort SID: Detection pending release of vulnerability information
Vulnerability in Robots Can Lead To Costly Ransomware Attacks
https://threatpost.com/vulnerability-in-robots-can-lead-to-costly-ransomware-attacks/130245/
amass - Subdomain Enumeration in Go
https://github.com/caffix/amass
A House of Cards: An Exploration of Security When Building Docker Containers
https://blog.heroku.com/exploration-of-security-when-building-docker-containers
Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters
https://blog.trendmicro.com/trendlabs-security-intelligence/detecting-attacks-that-exploit-meltdown-and-spectre-with-performance-counters/
AMD investigating chip security flaws after less than 24 hours notice
http://www.zdnet.com/article/amd-investigates-chip-flaws-after-zero-day-research/
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/analysis/#additional-info
- Typical Filename: mf2016341595.exe
- Claimed Product: (none)
- Detection Name: W32.Generic:Gen.21cp.1201
- SHA 256: 41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc
- MD5: ad73fa217be65de47a4012af0216880b
- VirusTotal: https://www.virustotal.com/file/41ee9b1251b490a4619e24b2a25b194ddfd42fdb492deea67620f9ec54761abc/analysis/#additional-info
- Typical Filename: helperamc.zip
- Claimed Product: Advance Mac Cleaner
- Detection Name: W32.Auto:41ee9b.in03.Talos
- SHA 256: 7c8e2fa9c2e79093834cb0dd04d41a9a0022ada60920c1ee5423a967f30acff8
- MD5: 5d60516dc6b946a3f0074839003a64a4
- VirusTotal: https://www.virustotal.com/file/7c8e2fa9c2e79093834cb0dd04d41a9a0022ada60920c1ee5423a967f30acff8/analysis/#additional-info
- Typical Filename: 5d60516dc6b946a3f0074839003a64a471a5d38f886a617e053f3efc809029f3701c6036160091.dll
- Claimed Product: (none)
- Detection Name: W32.Worm:Malwaregen.20mi.1201
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- VirusTotal: https://www.virustotal.com/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/analysis/#additional-info
- Typical Filename: Tempmf582901854.exe
- Claimed Product: (none)
- Detection Name: W32.C3E530CC00-95.SBX.TG
- SHA 256: e099579856d1e32111fc2d53906705cd5f37adb98303b6180cd71f70013dc513
- MD5: ec0ac966d2bebdfbe3eeecf497d2eaac
- VirusTotal: https://www.virustotal.com/file/e099579856d1e32111fc2d53906705cd5f37adb98303b6180cd71f70013dc513/analysis/#additional-info
- Typical Filename: setup.exe
- Claimed Product: (none)
- Detection Name: W32.GenericKD.21ek.1201
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM