Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
This was a crazy week of vulnerabilities for us.
On Tuesday, Microsoft released its monthly security update that fixed 53 vulnerabilities, 17 of which are rated critical. We have coverage for these that you can read all about here.
The same day, Adobe also released a torrent of fixes for many of its products, but we specifically helped them solve multiple vulnerabilities in Acrobat. You can read about those here.
We also disclosed six vulnerabilities in Antenna House Office Server Document Converter. The vulnerabilities can be exploited to locally execute code, or even remotely if the product is used in batch mode by the owners. There’s also a new post out covering multiple bugs in Computerinsel Photoline.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where Talos will be represented.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event name: Cisco Talos at Black Hat USA
Location: Mandalay Bay Convention Center, Las Vegas, Nevada
####Date: Aug. 4 - 9
####Speaker: Paul Rascagneres and Warren Mercer
Synopsis: Cisco Talos will be represented at the Black Hat conference for all six days. On Aug. 8, from 3 to 5 p.m., Paul and Warren will be delivering a talk in Business Hall Theater B covering supply chain attacks.
###Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
####Date: Oct. 3, 2018
####Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
*
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* A team of researchers has discovered a new kind of attack that could use thermal heat signatures left behind on a keyboard by a user to steal login credentials. The University of California, Irvine professors say the actor would have to retrieve the heat signature within a minute after the user last typed.
* Yet another cyberattack is utilizing stolen Taiwanese certificates to circumvent security tools and launch a backdoor and a related password stealer.
* Timehop, an app that lets users look back at their past social media posts, suffered a data breach on July 4. More than 21 million users had their contact information and names stolen.
* Smaller, local cryptocurrency exchanges in India are still finding ways to operate, despite the country’s recent ban on exchanges. But they’re having to face much stiffer competition in major international exchanges.
* Some Samsung smartphone users are accusing their devices of randomly sending photos to their contacts. While no one is still sure of the cause, one major theory is that a bug is occurring between Samsung Messages and recent RCS profile updates that have rolled out to major carriers.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: Microsoft Patch Tuesday
Description: Microsoft released its monthly set of security advisories today for vulnerabilities that have been identified and addressed in various products. This month’s release addresses 53 new vulnerabilities, 17 of which are rated critical, 34 are rated important, one is rated moderate, and one is rated as low severity. These vulnerabilities impact Windows Operating System, Edge, Internet Explorer and more.
####Snort SID: 47111-47114, 47091-47092, 47107-47110, 47100-47103, 47096-47099
###Title: Adobe releases updates for multiple products
Description: Adobe has released security updates for a wide variety of its products, including Flash Player, Experience Manager, Connect, Acrobat and Reader. Several of the bugs were rated as critical, including multiple flaws in Acrobat and Reader that could lead to arbitrary code execution.
####References:
https://helpx.adobe.com/security/products/flash-player/apsb18-24.html
https://helpx.adobe.com/security/products/acrobat/apsb18-21.html
https://helpx.adobe.com/security/products/connect/apsb18-22.html
https://helpx.adobe.com/security/products/experience-manager/apsb18-23.html
####Snort SID: 47127 - 47132
###Title: Apple fixes security flaws in iOS update
Description: Apple has released patches for a variety of security updates in its latest version of iOS for iPhones and iPads. The specifics of the bugs have not yet been detailed. Additionally, it patched in USB Restricted Mode, which makes it more difficult for anyone to break into the iPhone through the Lightning port on the bottom of the phone. Updates were also released for iCloud for Windows, iTunes for Windows and macOS High Sierra.
####Snort SID: Detection pending
***
##MOST PREVALENT MALWARE FILES July 5 - 12:
- **SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf15a
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21ha.1201
- SHA 256: 28507f240370b796597a1de6347cee117d72709b7f855536507bef4567d50503
- MD5: 91a5849c692b923d14f0f66e59dbf05391a
- Typical Filename: Threatfully1.exe
- Claimed Product: Zallo cRA jECCZallo
- Detection Name: W32.28507F2403-95.SBX.TG
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc799
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ii.1201
- SHA 256: 813adf5ee77f5dd72e912d21d4b9a37516672a12d1ebdae72415f6f1f449ecf8
- MD5: ef8b9e68d1d1f89131ada3ee9cf7f7b8ef8
- Typical Filename: file_FF8436.ext
- Claimed Product: N/A
- Detection Name: W32.813ADF5EE7-100.SBX.TG
**
##SPAM STATS FOR July 5 - 12:
####TOP SPAM SUBJECTS OBSERVED
- “IT ADMIN”
- “Microsoft account security info verification”
- “BREAKING: Emergency Concern on Campus”
- “RE: Missed Voice Message from (562) 985-4111”
- “RE: Password Manager”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8560 1&1 Internet SE
- 8075 Microsoft Corporation
- 53714 London Drugs Limited
- 7922 Comcast Cable Communications, LLC
- 4760 PCCW Limited
**
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.