Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s ThreatSource newsletter — the perfect place to get caught up on all things Talos from the past week.
If you still haven’t gotten a chance to read about VPNFilter, which we first wrote about last week, we urge you to do so here. As a result of this campaign, the FBI is urging all owners of small office and home routers to reboot their devices. Keep in mind that a reboot clears only the non-persistent later stages of the malware; the persistent first stage survives until the router is reset to factory defaults and its firmware updated.
The Beers with Talos podcast this week dives even deeper into VPNFilter, discussing why we chose to publish our research when we did, and where to go from here. There’s an in-depth overview of the malware itself. Listen to it here.
In case you missed it, we also have a new Threat Roundup now, which covers the most prevalent malware we’ve seen — outside of VPNFilter. You can read that here.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
### Event: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
Location: CircleCityCon 5.0 in Indianapolis, Indiana
#### Date: June 2, 2018
#### Speaker: Edmund Brumaghin and Nick Biasini, threat researchers
Synopsis: Online crime today is run primarily through extortion via ransomware. Times are changing, and the business models behind this malware are changing with them. The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but their impact on the criminal business model has been.
#### Reference: http://cs.co/CircleCityCon
### Event: Cisco Live!
Location: Orange County Convention Center in Orlando, Florida
#### Date: June 10 - 14, 2018
Synopsis: Join leaders from Cisco and Talos for a week of learning, new experiences and face-to-face time with our engineers. Craig Williams, director of Talos Global Outreach, will lead a session in the security track on the current cyber security landscape. A live Beers with Talos episode will also be recorded on June 12 at 4 p.m. in the Cisco TV studio on the main hall balcony. The Talos Threat Research Summit and Happy Hour on June 10 are sold out, but you can still follow along on the Talos and Cisco Security Twitter channels.
#### Reference: https://www.ciscolive.com
### Event: “The Destructive Menace of Wiper Malware”
Location: Security Interest Group Switzerland Technology Conference in Regensdorf, Switzerland
#### Date: June 13, 2018
#### Speaker: Martin Lee, threat researcher
Synopsis: The recent Olympic Destroyer and Nyetya (NotPetya) attacks have emphasized the destructive effects of wiper malware. Organizations need to be aware of the nature of such malware, not only because they may be targeted directly, but because they may become collateral damage in an attack against a third party. Lee will explore how wiper malware has developed over time, how such attacks meet the objectives of threat actors, and how organizations should adjust their security posture to detect and block them.
#### Reference: http://cs.co/SIGSConf
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Data from several high-profile insurance companies was exposed through a misconfigured Amazon Web Services S3 bucket, the second such incident in two weeks.
* BMW has fixed 14 vulnerabilities in some of its vehicles that were disclosed earlier by a Chinese security research firm. Owners are encouraged to patch their on-board computer system as soon as possible.
* Two Canadian banks are warning their customers that their information may have been stolen as the result of a recent hack.
* A new vulnerability has been found in the Z-Wave pairing function used by many internet-of-things devices. An attacker exploiting the flaw could gain full control of the device.
* The majority of federal agencies in the U.S. are not prepared for a cyber attack. According to a new report from the White House’s Office of Management and Budget, 71 of 96 agencies surveyed were relying on cyber security programs that were deemed “at risk or high risk.”
* All of the funds on the cryptocurrency trading app Taylor were stolen in an apparent attack this week. Executives of the company say that the amount of coins stolen equates to about $1.5 million.
## NOTABLE RECENT SECURITY ISSUES
### Title: Vega Stealer malware targets web browsers
Description: A new malware known as “Vega Stealer” is targeting saved login and credit card information in the Chrome and Firefox browsers. Vega is a variant of August Stealer, which was first discovered in December 2016.
#### Reference: https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
#### Snort SID: 46836 - 46838

***

## MOST PREVALENT MALWARE FILES May 24 - 31:
- SHA 256: c0e6e3beb661ee1ee5fd2544fb347a2d5c4d0abb7b0a3124ad404eb4fee44b56
  - MD5: 923b27b289179f658be9edfe7aab50cb
  - VirusTotal: https://www.virustotal.com/#/file/c0e6e3beb661ee1ee5fd2544fb347a2d5c4d0abb7b0a3124ad404eb4fee44b56/details
  - Typical Filename: 923b27b289179f658be9edfe7aab50cb.virus
  - Claimed Product: N/A
  - Detection Name: Andr.Trojan.Generic::other.talos
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
  - MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
  - VirusTotal: https://www.virustotal.com/#/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/details
  - Typical Filename: ipts.exe
  - Claimed Product: Traffic Spirit
  - Detection Name: W32.Variant:Gen.21g0.1201
- SHA 256: 248a8bbd8b349dc8d3a84d7df4fa9f93c186f5284ab0f239c347c28f9c1b39b0
  - MD5: 31334a6cc103f9359b95edb91e9cc6cd
  - VirusTotal: https://www.virustotal.com/#/file/248a8bbd8b349dc8d3a84d7df4fa9f93c186f5284ab0f239c347c28f9c1b39b0/details
  - Typical Filename: Payroll Report.doc
  - Claimed Product: N/A
  - Detection Name: W32.248A8BBD8B-100.SBX.TG
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
  - MD5: 799b30f47060ca05d80ece53866e01cc
  - VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
  - Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
  - Claimed Product: N/A
  - Detection Name: W32.Generic:Gen.21gl.1201
- SHA 256: bb5ca947a9ed44d46e2845bdc3eac1bd368577aa40a8dcd1fae29b8da5b0253e
  - MD5: 9ff32613fc850c9937257665ec051e69
  - VirusTotal: https://www.virustotal.com/#/file/bb5ca947a9ed44d46e2845bdc3eac1bd368577aa40a8dcd1fae29b8da5b0253e/details
  - Typical Filename: helperamc.zip
  - Claimed Product: Advanced Mac Cleaner
  - Detection Name: PUA.Osx.Dropper.Gt32supportgeeks::in03.talos
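Before a list like the one above goes into a blocklist or a hunting query, the hashes should be checked for shape: a copy-paste or extraction slip can leave an MD5 with a few extra characters, and a malformed hash silently matches nothing. The following parser and validator is an added example, not Talos code. Its sample input is constructed: the first entry is copied from the list above, the second is invented with a deliberately malformed MD5 so that the rejection path is exercised.

```python
"""Parse a "most prevalent malware files" block into records and validate
each hash before it is loaded into a blocklist.

Added example, not Talos tooling. SAMPLE_BLOCK is constructed: entry one is
the ipts.exe record from the newsletter, entry two is invented (deadbeef
hashes) with a 35-character MD5 to show what the validator rejects.
"""
import re
from dataclasses import dataclass

CONSTRUCTED_SHA256 = "deadbeef" * 8          # 64 hex chars, well formed
CONSTRUCTED_BAD_MD5 = "deadbeef" * 4 + "dea"  # 35 chars, deliberately malformed

SAMPLE_BLOCK = f"""\
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
  - MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
  - VirusTotal: https://www.virustotal.com/#/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/details
  - Typical Filename: ipts.exe
  - Claimed Product: Traffic Spirit
  - Detection Name: W32.Variant:Gen.21g0.1201
- SHA 256: {CONSTRUCTED_SHA256}
  - MD5: {CONSTRUCTED_BAD_MD5}
  - VirusTotal: https://www.virustotal.com/#/file/{CONSTRUCTED_SHA256}/details
  - Typical Filename: constructed.doc
  - Claimed Product: N/A
  - Detection Name: Example.Constructed
"""

# One newsletter field per line: "- <Label>: <value>"; indentation is optional.
FIELD_RE = re.compile(
    r"^-\s*(SHA 256|MD5|VirusTotal|Typical Filename|Claimed Product|Detection Name):\s*(.*?)\s*$"
)
KEY_MAP = {
    "SHA 256": "sha256", "MD5": "md5", "VirusTotal": "virustotal",
    "Typical Filename": "filename", "Claimed Product": "product",
    "Detection Name": "detection",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class Ioc:
    sha256: str = ""
    md5: str = ""
    virustotal: str = ""
    filename: str = ""
    product: str = ""
    detection: str = ""


def parse_block(text: str) -> list[Ioc]:
    """Split the block into records; a 'SHA 256' line starts a new record."""
    records: list[Ioc] = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank lines, headings, separators
        key, value = KEY_MAP[m.group(1)], m.group(2)
        if key == "sha256":
            current = Ioc()
            records.append(current)
        if current is None:
            raise ValueError(f"field appears before any SHA 256 line: {line!r}")
        # Hashes are compared case-insensitively downstream, so normalise now.
        setattr(current, key, value.lower() if key in ("sha256", "md5") else value)
    return records


def validate(ioc: Ioc) -> list[str]:
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    if not SHA256_RE.match(ioc.sha256):
        problems.append(f"sha256 is not 64 hex chars ({len(ioc.sha256)} given)")
    if not MD5_RE.match(ioc.md5):
        problems.append(f"md5 is not 32 hex chars ({len(ioc.md5)} given)")
    if ioc.sha256 not in ioc.virustotal:
        problems.append("VirusTotal link does not reference the SHA 256")
    return problems


def usable_iocs(text: str) -> tuple[list[Ioc], dict[str, list[str]]]:
    """Return (accepted records, {sha256: problems} for rejected records)."""
    accepted, rejected = [], {}
    for ioc in parse_block(text):
        probs = validate(ioc)
        if probs:
            rejected[ioc.sha256] = probs
        else:
            accepted.append(ioc)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = usable_iocs(SAMPLE_BLOCK)
    for ioc in ok:
        print("BLOCK", ioc.sha256, ioc.filename, ioc.detection)
    for sha, probs in bad.items():
        print("SKIP ", sha, "; ".join(probs))
```

Run it against a pasted block and only records that pass every check reach the accepted list; a record whose MD5 is the wrong length is reported with the length it actually had, which is usually enough to spot where the copy went wrong. Rejecting rather than truncating is deliberate: a hash you have guessed at is not an indicator.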
***

## SPAM STATS FOR May 24 - 31:
#### TOP SPAM SUBJECTS OBSERVED
- “Your 11 incoming mails was placed on pending! Read Now”
- “GDPR updates and how to you can get ready”
- “Accont Notification”
- “Accont Limited!!!”
- “system administrator”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 3758 SingNet
- 21621 Responsys Inc.
- 46475 Limestone Networks, Inc.
- 60781 LeaseWeb Netherlands B.V.