Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
How does your company or organization handle the conversation around cybersecurity? In this week’s Beers with Talos episode, we try to help you improve that conversation. Does the language itself need to change? Or do the people participating need to be switched out? You can hear our hosts’ take in the full episode.
On the malware side of things, we have a targeted campaign that used a malicious mobile device management (MDM) server to take control of iPhones in India. At this time, we don’t know how the attacker managed to enroll the targeted devices in the MDM, but you can read all about the campaign here.
Our researchers also disclosed several vulnerabilities in Computerinsel Photoline, a popular image-editing program. The flaws lie in the application’s file-parsing code, and a specially crafted image could allow an attacker to gain arbitrary code execution.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event name: Cisco Talos at Black Hat USA
Location: Mandalay Bay Convention Center, Las Vegas, Nevada
Date: Aug. 4 - 9
Speakers: Paul Rascagneres and Warren Mercer
Synopsis: Cisco Talos will be represented at the Black Hat conference for all six days. On Aug. 8, from 3 to 5 p.m., Paul and Warren will be delivering a talk in Business Hall Theater B covering supply chain attacks.
###Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
Date: Oct. 3, 2018
Speakers: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* A U.S. federal grand jury has charged 12 Russian military intelligence officers with hacking the computer networks of the Democratic National Committee, the Democratic Congressional Campaign Committee and the Clinton campaign during the 2016 presidential election. Special Counsel Robert Mueller secured the indictment as part of his investigation into Russia’s role in the election.
* China is using the city of Zhengzhou as a testing ground for a new, massive surveillance system that it could one day use to control the majority of its population. The government there is utilizing technologies like facial recognition and artificial intelligence to track its citizens.
* A hacker gained access to an ESLint maintainer’s npm account and published a malicious version of the eslint-scope package that stole npm credentials from users who installed it. Npm says only a few users were affected.
* The Russian company Mail.ru was able to access Facebook users’ information through a third-party extension. Facebook, in a written statement to Congress, would not say how much user data Mail.ru obtained, or if any of it was about American citizens.
* A new update to the Google Chrome web browser is designed to protect users against Spectre-class attacks, including ones that could be used to steal passwords. The new feature, known as site isolation, renders each site in its own process, so code from one site cannot read memory that belongs to another.
* Macys.com and Bloomingdales.com are the latest online retailers to have customers’ credit card information exposed. The attack, which took place between April and June, led to thousands of full names and credit card numbers being stolen.
* Stolen documents from a U.S. military drone were found being sold on the dark web. The discovery comes at a time when more experts are beginning to question how the military protects its data from hackers.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: FXOS, NX-OS Cisco Fabric Services vulnerability
Description: A vulnerability exists in the Cisco Fabric Services component of the Firepower eXtensible Operating System (FXOS) and the NX-OS network operating system that could allow an attacker to read sensitive memory content. The bug also could open a victim machine to a denial-of-service attack or arbitrary code execution.
Snort SID: 47011 - 47014
###Title: Multiple flaws in Computerinsel Photoline
Description: Computerinsel Photoline — an image-processing tool used to modify and edit images — contains several flaws that could lead to arbitrary remote code execution. The vulnerabilities are present in the parsing functionality of the software.
Snort SID: 46452, 46453, 46455, 46456, 46459, 46460
###Title: Numerous flaws in Antenna House Office Server Document Converter
Description: There are six vulnerabilities in the Antenna House Office Server Document Converter, all triggered by a specially crafted Microsoft Word document. They can be exploited locally, or even remotely if the owners run the product in batch mode to convert documents received from outside sources.
Snort SID: 46761, 46762, 4684 - 46946, 46768, 46769
***
##MOST PREVALENT MALWARE FILES July 12 - 19:
- SHA 256: 486b6e503ebfa15ed2a22934361d382d64c454774ea6de4c26a95fb2392ccec1
- MD5: efab302e91335694b6864360a6280fd6
- Typical Filename: Remove_HIPs_key.exe
- Claimed Product: N/A
- Detection Name: Win.Trojan.Generic::100.sbx.vioc
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 7a5495a7ac93598e62353e1f69f017ceeb66de2858737617f551161fc8aba542
- MD5: f8605587f467ed5bc3d532088c170823
- Typical Filename: Summ Stats.exe
- Claimed Product: KERT Srl
- Detection Name: W32.GenericKD:Gen.21ij.1201
- SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0
- MD5: d8461f2978de84045e7ad6bea7a60418
- Typical Filename: svchost (1).exe
- Claimed Product: N/A
- Detection Name: W32.GenericKD:Malwaregen.21il.1201
- SHA 256: be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394
- MD5: 15a05c3741d7374cdf8a2dc20c58c3cf
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.Variant:Gen.21ij.1201
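The SHA-256 values above are the indicators most readers will actually act on. The following is an added example (our own, not Talos tooling) of a minimal file-system sweep that hashes every regular file under a directory and reports matches against that list. The sweep root and the two files it writes for the demonstration are constructed for the example; the hash set is copied from the list above.

```python
"""Sweep a directory tree for files whose SHA-256 matches a set of indicators.

Added example, not Talos code. The IOC set below is copied from the
"Most prevalent malware files" list; the demo directory and its files are
constructed here so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, Set

# SHA-256 indicators taken verbatim from the list above.
TALOS_SHA256 = {
    "486b6e503ebfa15ed2a22934361d382d64c454774ea6de4c26a95fb2392ccec1",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f",
    "7a5495a7ac93598e62353e1f69f017ceeb66de2858737617f551161fc8aba542",
    "d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0",
    "be904d34fdc803c60df5ddde64016e3ab1bd331d2875b863c6085acc24557394",
}

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def normalize_iocs(values: Iterable[str]) -> Set[str]:
    """Lower-case the indicators and drop anything that is not 64 hex chars.

    A truncated or mis-pasted hash must never match loosely, so it is
    discarded here rather than compared as a prefix later."""
    cleaned = (v.strip().lower() for v in values)
    return {v for v in cleaned if _HEX64.match(v)}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Set[str]) -> Dict[str, str]:
    """Return {path: sha256} for every regular file under root whose hash is in iocs.

    Symlinks are neither followed nor hashed, so a planted link cannot drag
    files from outside the tree into the scan or loop the walk."""
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits[path] = digest
    return hits


def demo_sweep() -> Dict[str, str]:
    """Constructed demonstration: one benign file and one file whose own hash is
    appended to the IOC set so that the sweep has something to find."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as f:
            f.write(b"nothing to see here")
        sample = os.path.join(tmp, "svchost (1).exe")  # name borrowed from the list above
        with open(sample, "wb") as f:
            f.write(b"constructed sample body")
        iocs = normalize_iocs(TALOS_SHA256) | {sha256_of(sample)}
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for path, digest in demo_sweep().items():
        print(f"MATCH {digest}  {path}")
```

In production the sweep root would be a mounted image or a host path rather than the temp directory, and the IOC set would be loaded from a feed instead of a literal; the validation step matters because a hash copied with a stray character (as some of the MD5 values on this page originally were) silently matches nothing.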
***
##SPAM STATS FOR July 12 - 19:
####TOP SPAM SUBJECTS OBSERVED
- “DEAR CUSTOMER ACCESS YOUR ACCOUNT ONLINE”
- “FW: Unpaid Invoice 17.07.2018”
- “Unpaid Invoice”
- “FYI, See Attached copy of new PO#09988433 /2018/07/16 MOQ/SPE Ltd, Co.”
- “CONGRATULATIONS YOU HAVE A DONATION OF $5, 000, 000 FROM MAVIS WANCZYK JACKPOT WINNER POWERBALL LOTTERY”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 209 Qwest Communications Company, LLC
- 50673 Serverius Holding B.V.
- 20454 SECURED SERVERS LLC
- 49352 Domain names registrar REG.RU, Ltd
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.