Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Oracle releases critical patches, 254 vulnerabilities found
###Event: “Talos Overview and Latest and Greatest Threat Updates” @ Cisco Connect in Salt Lake City, Utah
####Date: April 26
####Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, we’ll discuss the threats that are top of mind for our researchers, and the trends that you, as defenders, should be most concerned about.
####Reference: http://cs.co/9001DwdSX
###Event: “The Increasingly Sophisticated Threat Landscape” @ the Atlantic Security Conference in Nova Scotia, Canada
####Date: April 26
####Speaker: Earl Carter
Synopsis: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. During this tal, Earl will examine various threats that Talos has examined over the past year to show how attackers are continually becoming more sophisticated. Understanding how these actors are evolving and how they are targeting networks is vital to protecting your network. People can only begin to harden their networks against these increasingly sophisticated attacks if they understand the evolving threat landscape and the attack vectors that threat actors are using. ####Reference: http://cs.co/ATLSEC
###Event: Cisco Talos Threat Research Summit at Cisco Live in Orlando, Florida
####Date: June 10
Synopsis: Join us in Orlando prior to Cisco Live for the first ever Cisco Talos Threat Research Summit, a one-day conference by defenders, for defenders, designed to give you actionable insights to keep your users and network safer. Throughout the summit, you will hear from leading researchers at Talos and cyber security experts from across the industry. Lurene A. Grenier, an industry veteran, will be the keynote speaker, and will be speaking about why many businesses are not taking their security seriously enough. ####Reference: http://cs.co/TTRS
###Title: Oracle releases critical patches, 254 vulnerabilities found
Description: Oracle released its monthly critical patch update this week, fixing vulnerabilities across hundreds of products. In all, Oracle found 254 new security vulnerabilities. Some of the products with the most fixes include Oracle Fusion Middleware, Oracle Retail Applications and Oracle Financial Applications. Oracle users are urged to download these patches as quickly as possible.
####Reference: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
###Title: Cisco releases fixes for Smart Install remote code execution vulnerability
Description: Cisco released a patch for the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that could allow an attacker to gain the ability to remotely execute code. The vulnerability is due to improper validation of packet data. The patch this week is a continuation of a previous advisory that Cisco released in late March alerting customers of vulnerabilities involving the Smart Install client.
####Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
####Snort SID: 46096; 46097
###Title: VMware discloses two vulnerabilities in vRealize Automation
Description: VMware has patched two vulnerabilities in the cloud management suite vRealize Automation. The patches cover CVE-2018-6958 and CVE-2018-6959. Users are urged to update to the most recent version of vRealize Automation as soon as possible. The two vulnerabilities could lead to the host machine being compromised, or the hijacking of the user’s session in vRealize, respectively.
####Reference: https://www.vmware.com/security/advisories/VMSA-2018-0009.html
####Snort SID: Detection pending release of vulnerability information.
U.S., U.K. cyber officials warn of Russian attacks on private routers
https://mashable.com/2018/04/17/russian-router-warning-us-uk/#buS9rzZsjsqT
Microsoft, Facebook among major tech firms to vow to not aid governments in cyber attacks
https://www.reuters.com/article/us-usa-cyber-microsoft/tech-firms-including-microsoft-facebook-vow-not-to-aid-government-cyber-attacks-idUSKBN1HO283
Why vulnerabilities keep coming up in Adobe Flash, despite a decline in usage
https://securingtomorrow.mcafee.com/mcafee-labs/despite-decline-use-adobe-flash-vulnerabilities-will-continue-cause-concern/
IBM releases new open-source software to protect AI systems from attacks
https://www.securityweek.com/ibm-releases-open-source-ai-security-tool
Cryptomining surpasses ransomware as most popular malware so far in 2018
https://threatpost.com/cryptominer-malware-threats-overtake-ransomware-report-warns/131237/
- SHA 256: AC3E93A33EA50466E096A2E2616439C93E17F8C8DBFEBDC6EF8E17D60278A65A
- MD5: 905216b57fed6412ec209099ffbc16b7
- VirusTotal: https://www.virustotal.com/#/file/ac3e93a33ea50466e096a2e2616439c93e17f8c8dbfebdc6ef8e17d60278a65a/details
- Typical Filename: Recents file activity reports.pdf
- Claimed Product: N/A
- Detection Name: PDF.Auto:ac3e93a33e.in05.Talos
- SHA 256: B3CB2409992B119F1FF63C11306884868185E9BC88033B5E4D7BBDE48684B9FF
- MD5: 1029a50ac321b5d2c850cb64fd1ef415
- VirusTotal: https://www.virustotal.com/#/file/b3cb2409992b119f1ff63c11306884868185e9bc88033b5e4d7bbde48684b9ff/details
- Typical Filename: newupdate.exe
- Claimed Product: WPS Office
- Detection Name: PUA.Win.Trojan.Generic.in10.talos
- SHA 256: C7FE73C90F530518A177159B0B66742A7DA463F070F21BAC78DFCD9F18DE6E2C
- MD5: b737dc6f5c57118f768d7f9499157976
- VirusTotal: https://www.virustotal.com/#/file/c7fe73c90f530518a177159b0b66742a7da463f070f21bac78dfcd9f18de6e2c/details
- Typical Filename: Invoice.html
- Claimed Product: N/A
- Detection Name: W32.C7FE73C90F-95.SBX.TG
- SHA 256: 6925DEA0C806BEA1DB50E2CC36EDE5E6ACE4671DD5239BA0B71B74466873EE02
- MD5: f3a5f29fa18eaa6374907eee2c67d716
- VirusTotal: https://www.virustotal.com/#/file/6925dea0c806bea1db50e2cc36ede5e6ace4671dd5239ba0b71b74466873ee02/details
- Typical Filename: HTTP-FbnUTM3QYFw2ifWxcl.txt
- Claimed Product: N/A
- Detection Name: W32.Auto.6925de.MASH.RT.SBX.VIOC
- SHA 256: F8FC6547A9093434FA1C4081C52B9F611F6DA1694431CA3599786977004A9895
- MD5: 21445547952630f391d773491a6c75bd
- VirusTotal: https://www.virustotal.com/#/file/f8fc6547a9093434fa1c4081c52b9f611f6da1694431ca3599786977004a9895/details
- Typical Filename: EnvWrapper.exe
- Claimed Product: ENVWrapper
- Detection Name: Win.Trojan.Generic.100.sbx.vioc
####TOP SPAM SUBJECTS OBSERVED
- “Your Netflix Membership Has Been Suspended”
- “Service Removal Requested(15 Apr 2018) has initiated Final Warning”
- “Your one-time passcode to view the message”
- “Quick Review”
- “RE: IT System Support.”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 33070 Rackspace Ltd.
- 4760 PCCW Limited
- 15169 Google LLC
- 7349 TierPoint, LLC