Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
It was a busy week for us in terms of vulnerabilities. We have major breakdowns for two well-known pieces of software.
First up is Pixar’s RenderMan, a widely used 3-D animation tool. Two denial-of-service vulnerabilities exist because network packets are not properly validated during parsing.
There are also multiple remote code execution flaws in Insteon Hub, an internet-of-things central control system used in many homes. Most of the vulnerabilities stem from unsafe use of the strcpy() function, leading to either stack or global buffer overflows.
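As an added illustration of the two root causes above (unchecked strcpy() of packet data, and missing length validation while parsing network packets), not code from the Insteon Hub or RenderMan products or from Talos, here is the unsafe pattern beside a hardened replacement. It assumes a hypothetical frame layout with a one-byte length prefix and a hypothetical 16-byte name buffer:

```c
#include <stdint.h>
#include <string.h>

#define NAME_MAX 16   /* hypothetical fixed-size destination buffer */

/* Hypothetical frame layout (not the Insteon protocol): byte 0 = declared
 * name length, bytes 1.. = name. g_name stands in for a global buffer. */
static char g_name[NAME_MAX];

/* Unsafe pattern: strcpy() trusts the packet to be NUL-terminated and to fit
 * in `out`; a longer name writes past the end of `out`, on the stack or in
 * globals, which is the overflow class described above. */
void copy_name_unsafe(const uint8_t *pkt, char *out) {
    strcpy(out, (const char *)pkt + 1);
}

/* Hardened pattern: check the declared length against both the bytes actually
 * received and the destination size, then copy a bounded number of bytes.
 * Returns the name length, or -1 when the packet should be dropped. */
int copy_name_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_size) {
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    if (len > pkt_len - 1)   /* declared length runs past the received data */
        return -1;
    if (len >= out_size)     /* no room for the name plus its NUL terminator */
        return -1;
    memcpy(out, pkt + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed packets: a valid one, an oversized name, and a declared length
 * that overruns the bytes received. None of them reaches a raw strcpy(). */
int demo_valid(void) {
    const uint8_t pkt[] = { 11, 'h','u','b','-','k','i','t','c','h','e','n' };
    return copy_name_checked(pkt, sizeof pkt, g_name, sizeof g_name);   /* 11 */
}
const char *demo_valid_name(void) { return g_name; }

int demo_oversized(void) {
    uint8_t pkt[41] = { 40 };                 /* 40-byte name, NAME_MAX is 16 */
    memset(pkt + 1, 'A', 40);
    return copy_name_checked(pkt, sizeof pkt, g_name, sizeof g_name);   /* -1 */
}

int demo_truncated(void) {
    const uint8_t pkt[] = { 200, 'x', 'y' };  /* claims 200 bytes, only 2 follow */
    return copy_name_checked(pkt, sizeof pkt, g_name, sizeof g_name);   /* -1 */
}
```

The checked version rejects a malformed frame before any copy happens, which is the difference between a dropped packet and a crash or code execution in the parser.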
We are also back to our weekly Threat Roundups. While we missed a week earlier this month, the most recent post covers everything between June 1 and 15. You can find the biggest threats we monitored during that time here.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
### Event name: Cisco Talos at C-Days in Portugal
Location: C-Days 2018, University of Coimbra, Coimbra, Portugal
#### Date: June 20 - 21
#### Speaker: Vitor Ventura
Synopsis: Vitor will be giving two different talks at the annual C-Days conference in Portugal. One will be a light and fast introduction to malware hunting, and the other will focus on how to protect all of your devices as the internet becomes more wide-reaching.
#### Reference: http://cs.co/CDaysPortugal
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
#### Date: Oct. 3, 2018
#### Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
#### Reference: http://cs.co/VB2018
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Olympic Destroyer may be back. Researchers at Kaspersky Labs have discovered that an actor is currently carrying out similar attacks across the globe using features similar to the malware’s. Olympic Destroyer was first seen during the Winter Olympics in South Korea.
* Thousands of Axis home security cameras could be open to hacking. Security research firm VDOO found that as many as 390 different models could be open to total compromise. A malicious actor could potentially access the cameras’ video stream, control the camera, or add it to a botnet.
* The Android malware worm ADB.miner has been seen infecting Amazon Fire televisions and Fire Sticks. The devices can become infected by downloading an app that carries the malware.
* Singapore faced a number of cyberattacks during a summit between U.S. President Donald Trump and North Korean leader Kim Jong-Un. Researchers at F5 Networks found that IP addresses from Russia and other countries were scanning internet-of-things devices in Singapore in the days before, during and after the meeting.
* Researchers are warning that the ongoing World Cup will be a huge target for attackers. IBM’s X-Force has already seen one email phishing campaign targeting attendees at the soccer tournament, and warns that more could be coming.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Remote code execution vulnerability in the Microsoft wimgapi library
Description: A remote code execution flaw exists in Microsoft’s wimgapi library. If an attacker creates a specially crafted WIM file, they could execute malicious code with the same access rights as the logged-in user, or simply crash the system in a denial-of-service attack.
#### Reference: https://blog.talosintelligence.com/2018/06/vulnerability-spotlight-talos-2018-0545.html
#### Snort SID: 46055, 46056, 46058, 46059
### Title: PGP bug could allow for fake signatures
Description: A decades-old PGP vulnerability could allow a malicious actor to create phony signatures for just about any user. The flaw exists in some of the most widely used email encryption tools, including GnuPG, Enigmail, GPGTools, and python-gnupg.
#### Reference: https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/
#### Snort SID: Detection pending
### Title: Multiple bugs in Pixar RenderMan
Description: Two major vulnerabilities exist in Pixar’s RenderMan 3-D modeling software. Both are due to the lack of proper validation when parsing network packets.
#### Reference: https://blog.talosintelligence.com/2018/06/vulnerability-spotlight-talos-2018-0523.html
#### Snort SID: 45610, 45604
***
## MOST PREVALENT MALWARE FILES June 14 - 21:
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf15a
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21ha.1201
- SHA 256: bb5ca947a9ed44d46e2845bdc3eac1bd368577aa40a8dcd1fae29b8da5b0253e
- MD5: 9ff32613fc850c9937257665ec051e69
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: PUA.Osx.Dropper.Gt32supportgeeks::in03.talos
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21gl.1201
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5ae2e
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***
## SPAM STATS FOR June 14 - 21:
#### TOP SPAM SUBJECTS OBSERVED
- “Confirmation Letter”
- “Action Required !! Syncing Error - Inbox / Outbox /Sent Mail Failed To Sync”
- “Full Inbox”
- “Your Netflix Membership Has Been Suspended”
- “Hello”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 59729 ITL Company
- 40676 Psychz Networks
- 4760 PCCW Limited
- 15169 Google LLC
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.