May 03, 2018

TOP VULNERABILITY THIS WEEK:

Third major recent vulnerability found in Drupal

UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

###Event: “Threat Intelligence: From Raw Data to Taking Action” @ Bynet Israel Tech Expo in Tel Aviv, Israel ####Date: May 15, 2018 ####Speaker: Martin Lee, threat researcher

Synopsis: The threat environment is a cat-and-mouse game between attackers seeking to compromise systems, and defenders seeking to protect systems from attack. However, even the most sophisticated attackers leave tell-tale traces that decry their intentions or activity. In this presentation, Lee will present examples of how Cisco Talos transforms raw data into intelligence in order to detect and block the latest attacks. ####Reference: http://cs.co/Bynet

###Event: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining” @ CircleCityCon 5.0 in Indianapolis, Indiana ####Date: June 2, 2018 ####Speaker: Edmund Brumaghin and Nick Biasini, threat researchers

Synopsis: In today’s world, online crime is currently being primarily run through extortion in the electronic age via ransomware. Times are changing, and the business models for these types of malware are changing along with it. The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected — but the impact has been. ####Reference: http://cs.co/CircleCityCon

###Event: Cisco Talos Threat Research Summit at Cisco Live in Orlando, Florida ####Date: June 10, 2018

Synopsis: Join us in Orlando prior to Cisco Live for the first ever Cisco Talos Threat Research Summit, a one-day conference by defenders, for defenders, designed to give you actionable insights to keep your users and network safer. Throughout the summit, you will hear from leading researchers at Talos and cyber security experts from across the industry. Lurene A. Grenier, an industry veteran, will be the keynote speaker, and will be speaking about why many businesses are not taking their security seriously enough. ####Reference: http://cs.co/TTRS

NOTABLE RECENT SECURITY ISSUES

###Title: Another major vulnerability found in Drupal Description: For the third time in the past 30 days, a major remote code execution vulnerability has been found in the Drupal open-source content management framework. The vulnerability, nicknamed Drupalgeddon3, could allow an attacker to completely compromise a site. ####Reference: https://www.imperva.com/blog/2018/04/just-third-critical-drupal-flaw-discovered/ https://www.drupal.org/sa-core-2018-004 ####Snort SID: Detection pending

###Title: Hyland Perceptive Document Filters file conversion feature could lead to arbitrary code execution Description: Multiple vulnerabilities in the Hyland Perceptive Document Filters were patched this week. The four vulnerabilities allow an attacker to execute arbitrary code, and exist in the file conversion feature. ####Reference: https://blog.talosintelligence.com/2018/04/hyland-vulnerabilities-code-execution.html ####Snort SID: 45689, 45690, 45717, 45718, 45750, 45751

###Title: New 7-Zip version released Description: A new update to the Microsoft Windows open-source archiving software 7-Zip was released this week, patching a number of flaws. The new version fixes a security vulnerability in the Rar unpacking code. ####Reference: https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/ https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/ ####Snort SID: Detection pending

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

Google has released a new security update, protecting all of their devices against the Meltdown attack, which targeted Intel chips.
https://www.securityweek.com/all-chrome-os-devices-now-protected-against-meltdown

Attackers are using the well-known ETERNALROMANCE exploit to push a new cryptocurrency mining malware that specifically mines the Monero cryptocurrency.
https://www.fortinet.com/blog/threat-research/python-based-malware-uses-nsa-exploit-to-propagate-monero–xmr–.html

Security researchers were able to turn Amazon’s Alexa smart speaker into a remote recording device. Amazon has since patched this exploit.
https://www.wired.com/story/amazon-echo-alexa-skill-spying/

Researchers from Cisco Talos have discovered a new RAT that is specifically targeting users in India. The malware has been consistently evolving over the past two years.
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

Microsoft has unveiled its new solution designed to protect critical infrastructure against modern cyber threats.
https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure

MOST PREVALENT MALWARE FILES April 27 - May 3:

- SHA 256: dcd8dd9faf40dc9bdab70027811292196cd7c747475157ea39e176ada3456a85
- MD5: 0878011dffca72620846828312de59bd
- VirusTotal: https://www.virustotal.com/#/file/dcd8dd9faf40dc9bdab70027811292196cd7c747475157ea39e176ada3456a85/details
- Typical Filename: 0878011dffca72620846828312de59bd
- Claimed Product: N/A
- Detection Name: JAR.DCD8DD9FAF.malicious.tht.Talos

- SHA 256: bb5ca947a9ed44d46e2845bdc3eac1bd368577aa40a8dcd1fae29b8da5b0253e
- MD5: 9ff32613fc850c9937257665ec051e69
- VirusTotal: https://www.virustotal.com/#/file/bb5ca947a9ed44d46e2845bdc3eac1bd368577aa40a8dcd1fae29b8da5b0253e/details
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: PUA.Osx.Dropper.Gt32supportgeeks.in03.talos

- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
- VirusTotal: https://www.virustotal.com/#/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/details
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21fo.1201

- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21fu.1201

- SHA 256: bce9ad68be9bdf3791c5e7b5c9c7e3e3bbfeac13456b19b5c723ba3c2c76ed36
- MD5: bbf57526c13a2bc620601e8a37a4a97d
- VirusTotal: https://www.virustotal.com/#/file/bce9ad68be9bdf3791c5e7b5c9c7e3e3bbfeac13456b19b5c723ba3c2c76ed36/details
- Typical Filename: DOC001.exe
- Claimed Product: GBH International Contracting LLC
- Detection Name: Simple_Custom_Detection

SPAM STATS FOR April 27 - May 3:

####TOP SPAM SUBJECTS OBSERVED

“Change of Password Required Immediately”
“[EXTERNAL] Remittance Advice”
“Windows 10 Upgrade Error”
“New Documents”
“CONGRATULATIONS!!!”

####MOST FREQUENTLY USED ASNs FOR SENDING SPAM

8075 Microsoft Corporation
4760 PCCW Limited
40444 Constant Contact, Inc
13260 SKUBA, UAB
15169 Google LLC

Vulnerability Information

Reputation Center

Support

Podcasts

Talos Threat Source Newsletters

May 03, 2018

TOP VULNERABILITY THIS WEEK:

UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

MOST PREVALENT MALWARE FILES April 27 - May 3:

SPAM STATS FOR April 27 - May 3:

Recent Newsletters

Newsletter Archives

2019

October (4)

September (4)

August (5)

July (3)

June (4)

May (5)

April (2)

March (4)

February (4)

January (4)

2018

December (3)

November (5)

October (4)

September (4)

August (5)

July (4)

June (4)

May (5)

April (1)

March (3)

February (4)

January (5)

2017

December (3)

November (3)

October (5)

September (4)

August (5)

July (4)

June (4)

May (5)

April (4)

March (4)

February (4)

January (5)

2016

December (3)

November (5)

October (5)

September (3)

August (5)

July (2)

June (4)

May (5)

April (4)

March (6)

February (3)