Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
After weeks of additional research, we have new findings regarding that mobile device management (MDM) campaign we wrote about a few weeks ago. The actor appears to be targeting more devices on more platforms than we initially thought — and it covers both iOS and Windows platforms.
We also have big news regarding TalosIntelligence.com. In the coming weeks, we’ll be adding a new dispute system that streamlines the process of disputing any of our data. Going forward, you’ll need to log in to our new website using a CCO ID (Cisco Connection Online ID). We hope that this will bring our analysts and customers.
If you’re looking for a longer read, we have a new whitepaper out regarding cryptocurrency mining. If you are worried about miners ending up on your networks or machines, this paper will run down all the ways Cisco products can protect you.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: Cisco Talos at Black Hat USA
Location: Mandalay Bay Convention Center, Las Vegas, Nevada
#### Date: Aug. 4 - 9
#### Speaker: Paul Rascagneres and Warren Mercer
Synopsis: Cisco Talos will be represented at the Black Hat conference for all six days. On Aug. 8, from 3 to 5 p.m., Paul and Warren will be delivering a talk in Business Hall Theater B covering supply chain attacks.
### Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
#### Date: Oct. 3, 2018
#### Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* A privacy researcher recently discovered that every transaction on the mobile payment app Venmo is publicly available on the company’s API. The researcher was also able to see complete conversations between users who thought their comments were private.
* The U.S. Department of Justice released a massive report detailing how it plans to deal with foreign meddling in the country’s elections. Officials say they plan to be quicker in informing targets of cyberattacks and will develop new laws to prosecute attackers.
* Hackers stole the personal information of more than 1.5 million citizens in Singapore. The attackers breached the country’s health care database, taking names and addresses, but not medical records.
* Facebook has suspended data analytics firm Crimson Hexagon over concerns that the company has been misusing Facebook’s data. The social network said it was launching an investigation into “whether the analytics firm’s contracts with the U.S. government and a Russian nonprofit tied to the Kremlin violate the platform’s policies.”
* The U.S.’s top supplier of voting machines says its products were shipped with software that left them open to attack. Election Systems & Software says some of its machines were shipped with remote access software, along with a modem that could connect to the internet.
* A new bug found in some Bluetooth devices can allow an attacker to monitor and manipulate the traffic that two devices exchange. An attacker, if they were in range, could target devices during the pairing process to launch a man-in-the-middle attack.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Oracle patches dozens of products as part of quarterly update
Description: Oracle has released patches fixing 334 different vulnerabilities in a wide variety of its products — the highest number of flaws addressed in the company’s history. Sixty-one of the bugs are considered critical. Oracle’s Financial Services Applications received the most patches, with the update fixing 56 flaws.
#### Snort SID: 47327
### Title: Cisco fixes critical vulnerabilities in Policy Suite
Description: Cisco has released patches for multiple critical flaws in Policy Suite. The bugs could leave enterprise users open to attacks that result in information leaks, account compromise, database tampering and more.
#### Reference:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-cm-default-psswrd
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-policy-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-ps-osgi-unauth-access
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-pspb-unauth-access
#### Snort SID: 47285, 47286
### Title: Sony IPELA E Series Camera bugs
Description: The Sony IPELA E Series Network Camera contains two vulnerabilities that could allow an attacker to execute code remotely. A specially crafted GET request can trigger a command injection flaw, while a POST request triggers a separate remote code execution vulnerability.
#### Snort SID: 46867-46869, 46877
***
## MOST PREVALENT MALWARE FILES July 19 - 26:
- SHA 256: 3b6668948967c873a19ec7e1bc1e700652edf33f8d8cd53f87832797af99f99c
- MD5: 3c9f59ab554831d75044daa402703af83c9
- Typical Filename: mapmywayfree.7bbf20dc02d24710bb860586aabc073e.exe
- Claimed Product: MapMyWay Free
- Detection Name: PUA.Win.Adware.Mywebsearch::1201
- SHA 256: 486b6e503ebfa15ed2a22934361d382d64c454774ea6de4c26a95fb2392ccec1
- MD5: efab302e91335694b6864360a6280fd6efa
- Typical Filename: Remove_HIPs_key.exe
- Claimed Product: N/A
- Detection Name: Win.Trojan.Generic::100.sbx.vioc
- SHA 256: 4bd61a7f2b1287e2c94973062b91ad075ce73637441982f426d269c527069015
- MD5: 5e414220b8e34fcfb2c315e772527a255e4
- Typical Filename: bfa9b296d648a5eac19e0d6bb23139e9104cfd55ee8a02cd1aa9d768ef398747~.x86
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Trojan.Mackeeper::1201
- SHA 256: bfa9b296d648a5eac19e0d6bb23139e9104cfd55ee8a02cd1aa9d768ef398747
- MD5: cb7eb6e04cf0e4549c09a82e0da9b984cb7
- Typical Filename: MacKeeper Helper
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Malware.Mackeeper::other.talos
- SHA 256: aa1d632adcff87c12c7d2e6fe21c0b58cec3b81944080f4932bf54b7bc6d13cb
- MD5: 682fb542069703ad4b6536e2564700a3682
- Typical Filename: bfa9b296d648a5eac19e0d6bb23139e9104cfd55ee8a02cd1aa9d768ef398747~.x64
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Trojan.Mackeeper::1201
***
## SPAM STATS FOR July 19 - 26:
#### TOP SPAM SUBJECTS OBSERVED
- “Unpaid Invoice”
- “Nouvelle, 18//07/18”
- “How to Block Malicious File Uploads”
- “Hello !!”
- “RE: ICT Information Desk.”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 22213 Salk Institute
- 3215 Orange
- 14061 DigitalOcean, LLC
- 30762 dotMailer Ltd
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.