Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s ThreatSource newsletter — the perfect place to get caught up on all things Talos from the past week.
We had some pretty big news recently. After months of research and cooperation with our intelligence and government partners, we have released what we know so far about a new malware known as “VPNFilter.” You can read more about it below, and in the full blog post here. VPNFilter has already affected more than 500,000 networking devices across the globe, and has the potential to totally cut off internet access to those users.
In case you’re looking for reasons to celebrate, the Beers with Talos podcast has hit its one-year anniversary. You can listen to the latest episode here, where Joel complains about taxes and the guys break down the Gandcrab malware. Matt was unavailable this week, so Nick Biasini joined the show as a special guest.
While VPNFilter has been getting all of the headlines this week, we also have another new malware called “TeleGrab,” which targets the Telegram encrypted messaging software. TeleGrab specifically targets Russian-speaking victims — and we’re already pretty sure we found the author. Read about TeleGrab here.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
- Location: CircleCityCon 5.0 in Indianapolis, Indiana
- Date: June 2, 2018
- Speaker: Edmund Brumaghin and Nick Biasini, threat researchers

Synopsis: In today’s world, online crime is driven primarily by extortion via ransomware. Times are changing, and the business models for these types of malware are changing along with them. The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected — but the impact has been.

Reference: http://cs.co/CircleCityCon

### Event name: Cisco Live!
- Location: Orange County Convention Center in Orlando, Florida
- Date: June 10 - 14, 2018

Synopsis: Join leaders from Cisco and Talos for a week of learning, new experiences and face-to-face time with our engineers. Craig Williams, the director of Talos Global Outreach, will be leading a session in the security track on the current cybersecurity landscape. There will also be a recording of a live Beers with Talos episode on June 12 at 4 p.m. in the main hall balcony Cisco TV studio. The Talos Threat Research Summit and Happy Hour are sold out on June 10, but you can still follow along on the Talos and Cisco Security Twitter channels.

Reference: https://www.ciscolive.com

### Event name: “The Destructive Menace of Wiper Malware”
- Location: Security Interest Group Switzerland Technology Conference in Regensdorf, Switzerland
- Date: June 13, 2018
- Speaker: Martin Lee, threat researcher

Synopsis: The recent Olympic Destroyer and Nyetya (NotPetya) attacks have emphasized the destructive effects of wiper malware. Organizations need to be aware of the nature of such malware, not only because they may be targeted by such attacks, but because they may become collateral damage in an attack against a third party. Lee will explore how wiper malware has developed over time, how attacks may meet the objectives of threat actors, and how organizations need to consider their security posture in order to detect and block such attacks.

Reference: http://cs.co/SIGSConf
### Title: Nation-state actor believed to be targeting networking devices worldwide
Description: Cisco Talos has discovered a new malware, called “VPNFilter,” that is targeting as many as 500,000 networking devices across the globe. The malware has a destructive capability that can render an infected device unusable. It can be triggered on individual victim devices or en masse, and has the potential to cut off internet access for hundreds of thousands of victims worldwide.
- Reference: https://blog.talosintelligence.com/2018/05/VPNFilter.html
- Snort SID: 25589; 26276 - 29831; 44743; 46080 - 46086; 46287; 46121 - 46124; 41445; 44971; 46297 - 46310; 46315; 46335; 46340 - 46342; 46376; 46377; 37963; 45555; 46076; 40063; 44643; 44790; 26275; 35734; 41095; 41096; 41504; 41698 - 41700; 41748 - 41751; 44687; 44688; 44698 - 45001; 46312 - 46314; 46317; 46318; 46322; 46323; 40866; 40907; 45157
- ClamAV: Unix.Trojan.Vpnfilter-6425811-0; Unix.Trojan.Vpnfilter-6425812-0; Unix.Trojan.Vpnfilter-6550590-0; Unix.Trojan.Vpnfilter-6550591-0; Unix.Trojan.Vpnfilter-6550592-0

### Title: Cisco patches three critical vulns in DNA system
Description: Cisco has addressed three critical vulnerabilities in the Digital Network Architecture (DNA) Center. All three could give an attacker elevated privileges and compromise the entire DNA Center.
- Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna
- Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna2
- Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dnac
- Snort SID: 46738, 46740, 46741

### Title: Dasan GPON routers open to attack by botnets
Description: Hundreds of thousands of Dasan Gigabit-capable Passive Optical Network (GPON) routers may be open to attack by botnets through two recently discovered vulnerabilities. The flaws can be exploited remotely and could give an attacker complete control of the device.
- Reference: https://www.securityweek.com/botnets-target-zero-days-gpon-routers
- Snort SID: 46624 - 46627
## MOST PREVALENT MALWARE FILES May 17 - 24
## MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 4760 PCCW Limited
- 8075 Microsoft Corporation
- 21621 Responsys Inc.
- 27357 Rackspace Ltd.
- 9365 its communications Inc.