Welcome to this week’s ThreatSource newsletter — the perfect place to get caught up on all things Talos from the past week.
We recently published an important update to our research on VPNFilter. Thanks to the hard work of our researchers and our intelligence partners, we discovered that there were more devices impacted by this malware than initially thought. Additionally, we discovered more details about stage 3 modules that are impacting endpoints.
In addition to VPNFilter, there’s another new malware family we recently discovered: NavRAT. The email phishing campaign is targeting users in South Korea, attempting to trick them into clicking on a malicious document. The document is disguised as a news article outlining a potential summit between the U.S. and North Korea.
Meanwhile, we’re eagerly looking forward to this weekend’s Talos Threat Research Summit as part of Cisco Live! If you are planning on heading to Orlando to listen to some of the fantastic talks we have planned, here’s a handy guide we’ve pulled together with the week’s events.
It’s also been a busy week for vulnerabilities. We have posted a series of advisories on flaws that affect the Natus Neuroworks software, as well as Ocularis Recorder.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Cisco Live!
Location: Orange County Convention Center in Orlando, Florida
Date: June 10 - 14, 2018
Synopsis: Join leaders from Cisco and Talos for a week of learning, new experiences and face-to-face time with our engineers. Craig Williams, the director of Talos Global Outreach, will be leading a session in the security track on the current cyber security landscape. There will also be a recording of a live Beers with Talos episode on June 12 at 4 p.m., in the main hall balcony Cisco TV studio. The Talos Threat Research Summit and Happy Hour are sold out on June 10, but you can still follow along on the Talos and Cisco Security Twitter accounts.
Reference: https://www.ciscolive.com
Event: “The Destructive Menace of Wiper Malware”
Location: Security Interest Group @ Switzerland Technology Conference in Regensdorf, Switzerland
Date: June 13, 2018
Speaker: Martin Lee, threat researcher
Synopsis: The recent Olympic Destroyer and Nyetya (NotPetya) attacks have emphasized the destructive effects of wiper malware. Organizations need to be aware of the nature of such malware, not only because they may be targeted by such attacks, but because they may become collateral damage as part of an attack against a third party. Lee will explore how wiper malware has developed over time, how attacks may meet the objectives of threat actors, and how organizations need to consider their security posture in order to detect and block such attacks.
Reference: http://cs.co/SIGSConf
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
- A remote code execution vulnerability may have existed in the Steam video game storefront for almost 10 years. The flaw was a heap corruption that could be triggered remotely.
- Since the source code of the Mirai malware family has been released, new variants have been popping up. The authors of these variants have been deploying new botnets that target internet-of-things devices.
- Apple is planning to beef up its security and privacy measures in the upcoming iOS 12 release for iPhones. New features include an autofill feature that will make two-factor authentication easier, as well as the ability for developers to get their apps “notarized” before they hit the store.
- The online ticketing platform Ticketfly has been down for days in the wake of a hack. The company says that more than 26 million users may have had their home and email addresses stolen in the breach.
- Cryptocurrency exchange Bitfinex had to pause trading on Tuesday after a cyber attack. The exchange, which is one of the largest in the world, had to shut down briefly after being hit by a distributed denial-of-service attack.
NOTABLE RECENT SECURITY ISSUES
Title: Severe Git vulnerability could lead to remote code execution
Description: Researchers have discovered a severe flaw in the Git software source code that could allow an attacker to execute code on a victim machine. The bug, CVE 2018-11235, occurs due to the management of remote repository definitions and data.
Reference: https://www.zdnet.com/article/critical-git-repository-security-flaw-leads-to-remote-code-execution-attacks/
Snort SID: Detection pending
Title: Ocularis Recorder denial-of-service vulnerability
Description: Cisco Talos has discovered a denial-of-service vulnerability in the Ocularis Recorder video management software. An attacker can take advantage of this flaw by crafting a malicious network packet that causes a process to terminate.
Reference: https://blog.talosintelligence.com/2018/06/vulnerability-spotlight-talos-2018-0535.html
Snort SID: 45829
Title: Multiple flaws in Natus NeuroWorks
Description: Multiple vulnerabilities exist in the Natus NeuroWorks software. The software, which is used to measure brain activity on EEG machines, can be inappropriately accessed in multiple ways to cause a denial of service.
Reference: https://blog.talosintelligence.com/2018/05/vulnerability-spotlight-natus-part2.html
Snort SID: 43150, 43192
MOST PREVALENT MALWARE FILES June 1 - 7:
-
SHA 256: c0e6e3beb661ee1ee5fd2544fb347a2d5c4d0abb7b0a3124ad404eb4fee44b56
-
MD5: 923b27b289179f658be9edfe7aab50cb
-
VirusTotal: https://www.virustotal.com/#/file/c0e6e3beb661ee1ee5fd2544fb347a2d5c4d0abb7b0a3124ad404eb4fee44b56/details
-
Typical Filename: 923b27b289179f658be9edfe7aab50cb.virus
-
Claimed Product: N/A
-
Detection Name: Andr.Trojan.Generic::other.talos
-
SHA 256: a882d93645fd30e223af72f30a5faed32c698118f14370bbc896df52cb0d36bb
-
MD5: 1d58d6ec609428e74f912929ff88cc8e
-
VirusTotal: https://www.virustotal.com/#/file/a882d93645fd30e223af72f30a5faed32c698118f14370bbc896df52cb0d36bb/details
-
Typical Filename: 1d58d6ec609428e74f912929ff88cc8e.vir
-
Claimed Product: cutil
-
Detection Name: W32.Malwaregen.21gx.1201
-
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
-
MD5: 799b30f47060ca05d80ece53866e01cc799
-
VirusTotal: https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
-
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
-
Claimed Product: N/A
-
Detection Name: W32.Generic:Gen.21gl.1201
-
SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
-
MD5: 15a05c3741d7374cdf8a2dc20c58c3cf15a
-
VirusTotal: https://www.virustotal.com/#/file/be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394/details
-
Typical Filename: ipts.exe
-
Claimed Product: Traffic Spirit
-
Detection Name: W32.Variant:Gen.21ha.1201
-
SHA 256: 55bc52ead4c668b4dad978bebd80821a68eccd36b3927072a5d113cd5d79a27a
-
MD5: e8089341ee0442a2ecf82e4b70829143e80
-
VirusTotal: https://www.virustotal.com/#/file/55bc52ead4c668b4dad978bebd80821a68eccd36b3927072a5d113cd5d79a27a/details
-
Typical Filename: mssecsvc.exe
-
Claimed Product: N/A
-
Detection Name: W32.Ransom:Wannacry.21gw.1201
SPAM STATS FOR Month, June 1 - 7:
TOP SPAM SUBJECTS OBSERVED
- "Your Netflix Membership Has Been Suspended"
- "AMWINS 06/04/2018 DOCS"
- "Your 11 incoming mails was placed on pending! Read Now"
- "Microsoft account team"
- "Re: Bulletin weekly reminder (INV# 97151)"
MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 33070 Rackspace Ltd.
- 19994 Rackspace Ltd.
- 3758 SingNet
- 4760 PCCW Limited
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly ThreatSource newsletter here.