Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Third major recent vulnerability found in Drupal
### Event: “Threat Intelligence: From Raw Data to Taking Action” @ Bynet Israel Tech Expo in Tel Aviv, Israel
#### Date: May 15, 2018
#### Speaker: Martin Lee, threat researcher
Synopsis: The threat environment is a cat-and-mouse game between attackers seeking to compromise systems and defenders seeking to protect systems from attack. However, even the most sophisticated attackers leave tell-tale traces that betray their intentions or activity. In this presentation, Lee will present examples of how Cisco Talos transforms raw data into intelligence in order to detect and block the latest attacks.
#### Reference: http://cs.co/Bynet
### Event: “Stealing Cycles, Mining Coin: An Introduction to Malicious Cryptomining” @ CircleCityCon 5.0 in Indianapolis, Indiana
#### Date: June 2, 2018
#### Speaker: Edmund Brumaghin and Nick Biasini, threat researchers
Synopsis: Today, online crime is driven primarily by extortion through ransomware. Times are changing, and the business models for these types of malware are changing along with them. The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been.
#### Reference: http://cs.co/CircleCityCon
### Event: Cisco Talos Threat Research Summit at Cisco Live in Orlando, Florida
#### Date: June 10, 2018
Synopsis: Join us in Orlando prior to Cisco Live for the first-ever Cisco Talos Threat Research Summit, a one-day conference by defenders, for defenders, designed to give you actionable insights to keep your users and network safer. Throughout the summit, you will hear from leading researchers at Talos and cybersecurity experts from across the industry. Lurene A. Grenier, an industry veteran, will be the keynote speaker and will discuss why many businesses are not taking their security seriously enough.
#### Reference: http://cs.co/TTRS
### Title: Another major vulnerability found in Drupal
Description: For the third time in the past 30 days, a major remote code execution vulnerability has been found in the Drupal open-source content management framework. The vulnerability, nicknamed Drupalgeddon3, could allow an attacker to completely compromise a site.
#### Reference:
https://www.imperva.com/blog/2018/04/just-third-critical-drupal-flaw-discovered/
https://www.drupal.org/sa-core-2018-004
#### Snort SID: Detection pending
### Title: Hyland Perceptive Document Filters file conversion feature could lead to arbitrary code execution
Description: Multiple vulnerabilities in the Hyland Perceptive Document Filters were patched this week. The four vulnerabilities exist in the file conversion feature and allow an attacker to execute arbitrary code.
#### Reference: https://blog.talosintelligence.com/2018/04/hyland-vulnerabilities-code-execution.html
#### Snort SID: 45689, 45690, 45717, 45718, 45750, 45751
### Title: New 7-Zip version released
Description: A new update to the open-source Windows archiving software 7-Zip was released this week, patching a number of flaws. The new version fixes a security vulnerability in the RAR unpacking code.
#### Reference:
https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/
https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/
#### Snort SID: Detection pending
Google has released a security update that protects all of its Chrome OS devices against the Meltdown attack, which targets Intel chips.
https://www.securityweek.com/all-chrome-os-devices-now-protected-against-meltdown
Attackers are using the well-known ETERNALROMANCE exploit to spread new cryptocurrency-mining malware that mines Monero.
https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero–xmr–.html
Security researchers were able to turn Amazon’s Alexa-powered Echo smart speaker into a remote recording device using a malicious skill. Amazon has since patched the issue.
https://www.wired.com/story/amazon-echo-alexa-skill-spying/
Researchers from Cisco Talos have discovered a new RAT that is specifically targeting users in India. The malware has been consistently evolving over the past two years.
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
Microsoft has unveiled its new solution designed to protect critical infrastructure against modern cyber threats.
https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure
#### TOP SPAM SUBJECTS OBSERVED
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM