Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Did you miss out on going to Orlando for Cisco Live! or the Talos Threat Research Summit? Fear not, for this week we bring you the live Beers with Talos podcast that was recorded on-site. The guys provide an update on VPNFilter and give a recap of the Research Summit, plus a way-too-late World Cup preview.
We also published details about a new campaign utilizing the FormBook malware. A malicious actor appears to be sending out malicious emails with four different attachments that can install FormBook. Get all of the details here.
The Talos researchers also stepped up to the plate with the release of a new decryptor for the Thanatos ransomware. Even though the attack left victims with few options, our new, free tool will allow them to decrypt the files that were impacted by the attack.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

### Event: Cisco Talos at Black Hat USA
- Location: Mandalay Bay Convention Center, Las Vegas, Nevada
- Date: Aug. 4 - 9
- Speakers: Paul Rascagneres and Warren Mercer
- Synopsis: Cisco Talos will be represented at the Black Hat conference for all six days. On Aug. 8, from 3 to 5 p.m., Paul and Warren will be delivering a talk in Business Hall Theater B covering supply chain attacks.
- Reference: http://cs.co/BlackHatUS2018

### Event: Virus Bulletin conference
- Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
- Date: Oct. 3, 2018
- Speakers: Paul Rascagneres, Warren Mercer and Vanja Svajcer
- Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
- Reference: http://cs.co/VB2018

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

- A new email campaign is leveraging the WannaCry ransomware's name. The emails warn users that their computer has been infected by WannaCry, even though it hasn't, and demand payment in bitcoin to release their files.
- The Wi-Fi Alliance, the nonprofit organization that certifies wireless network standards, has unveiled the latest internet security protocol. WPA3, the successor to WPA2, was revealed alongside Wi-Fi Easy Connect, a new program that makes it easier to pair Wi-Fi devices without displays.
- Yattaze, an APT that has been around for many years, is selling a new malware called "Kardon Loader." Kardon Loader is available on underground forums as an advertised beta test for $50 for a standalone build.
- The U.S. Supreme Court ruled this week that government officials need to obtain a warrant before accessing individuals' cellular location data. However, it still leaves the door open for law enforcement officials to access the information without a warrant or permit.
- An unpatched vulnerability in WordPress can allow for complete site takeover and arbitrary code execution. An attacker would need to first gain privileges to edit and delete media files before exploiting the issue.

## NOTABLE RECENT SECURITY ISSUES

### Remote code execution vulnerabilities in Cisco Fabric Services
Description: There are multiple flaws in Cisco Fabric Services that could allow an attacker to remotely execute code on a victim's machine or cause a denial-of-service condition. The bugs cover CVE-2018-0308, CVE-2018-0314, CVE-2018-0304 and CVE-2018-0308.

References:
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-cli-execution
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fx-os-fabric-execution
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-ace
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-fxnxos-fab-ace

Snort SID: 46992 - 46996, 47003, 47004, 47008 - 47014

### InvisiMole malware can use machine's camera, microphone
Description: A new malware known as InvisiMole can infect a victim machine and use the camera and microphone to record audio and video. InvisiMole has been targeting computers in Russia and Ukraine for the past five years, according to researchers.

Snort SID: 47016

### Insteon Hub strcpy() function errors
Description: The Insteon Hub internet-of-things central controller contains many vulnerabilities that can cause a range of problems, from denial of service to remote code execution. The majority of the vulnerabilities stem from unsafe use of the strcpy() function, leading either to a stack overflow or a global overflow.

Snort SID: 45441, 45422, 44863, 45049, 45086, 45087, 44863, 45088

## MOST PREVALENT MALWARE FILES June 21 - 28
## SPAM STATS FOR June 21 - 28

### TOP SPAM SUBJECTS OBSERVED
- "Microsoft account security info verification"
- "Action Required- Payment Confirmation"
- "FW: Payslip"
- "Suspicious URL:RE: TAKE NOTE"
- "Action Required- Confirm the attached information."

### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 8560 1&1 Internet SE
- 5110 City of Vancouver
- 16276 OVH SAS
- 60781 LeaseWeb Netherlands B.V.

Keep up with all things Talos by following us on Twitter and Facebook. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.