Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Do you think email phishing campaigns are a thing of the past? Think again. Even though the days of AOL Mail and Hotmail are behind us, we’ve recently observed a wide range of large-scale email phishing attempts from the Cobalt Group APT. We have a deep dive into those campaigns here.
While keeping attackers out of your cell phone may seem as easy as clicking a “no” prompt on an alert, you’d be surprised how many people can be susceptible to a mobile device management (MDM) attack. In the latest episode of the Beers with Talos podcast, the guys break down how these kinds of attacks happen, and why the latest one we’ve been following is targeting multiple platforms. It really is as simple as users not reading their alerts closely enough.
We also had a major vulnerability post last week covering multiple flaws in the Samsung SmartThings Hub. The Hub, which is a central controller for other internet-of-things devices, can be accessed by an unauthenticated user through a number of methods. That could lead to an attacker accessing any device connected to the Hub, such as cameras, light switches and security motion detectors.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event name: Cisco Talos at Black Hat USA
Location: Mandalay Bay Convention Center, Las Vegas, Nevada
####Date: Aug. 4 - 9
####Speaker: Paul Rascagneres and Warren Mercer
Synopsis: Cisco Talos will be represented at the Black Hat conference for all six days. On Aug. 8, from 3 to 5 p.m., Paul and Warren will be delivering a talk in Business Hall Theater B covering supply chain attacks.

###Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
####Date: Oct. 3, 2018
####Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.

##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Russian hackers were able to penetrate power grids from across the U.S. earlier this year. Homeland Security officials said that the hackers had gained the ability to cause mass blackouts, but chose not to.
* Researchers have discovered a new Spectre variant that could allow an attacker to remotely steal data from vulnerable systems. Previously, Spectre could only be exploited by executing code on the machine, but the new variant could allow an attacker to target a device with network traffic alone.
* Popular electric scooter startups in cities across the U.S. have been collecting location data on thousands of their customers. However, experts are raising concerns that these companies don’t have the security to properly protect that data.
* U.S. Sen. Ron Wyden sent a letter last week asking the government to stop using Adobe Flash on all of its websites by Aug. 1, 2019, citing security concerns.
* The Pentagon has been working on a “do not buy” list of software from Russia and China. Once a vendor is included on the list, their products will be boycotted by the Pentagon as a security risk.
* A variant of the Bisonal malware was used in attacks earlier this year in South Korea and Russia.

***
##NOTABLE RECENT SECURITY ISSUES
###Title: Numerous vulnerabilities in the Samsung SmartThings Hub
Description: There are multiple bugs in the Samsung SmartThings Hub that could allow an attacker to execute OS commands or other arbitrary code on affected devices. The SmartThings Hub allows users to control internet-of-things devices through a central controller.
####Snort SID: 45891, 46079, 46090, 46149, 46150 - 46155, 46211, 46217, 46296, 46319, 46320, 46321, 46390 - 46392, 46395, 46543, 46661

###Title: Protection against new Remcos variant
Description: Cisco Talos has released protections against a new variant of the Remcos remote access trojan. These rules will block attempted connections between the victim machine and the command and control server.
####Snort SID: 47299 - 47305

###Title: QCenter Virtual Appliance credential disclosure and command injection vulnerabilities
Description: There are several bugs in QNAP’s QCenter Virtual Appliance that could allow authenticated users to run arbitrary commands or access sensitive information. Administrator credentials can be exposed because QCenter does not restrict the data returned by an API endpoint.
####Snort SID: 47347 - 47349

***
##MOST PREVALENT MALWARE FILES July 26 - Aug. 2:
- SHA 256: 5cd21ead98b0c736a199a39618f92504a476b8b3cb761d0f2be246c4be61a207
- MD5: 3ac3f071d49cf65d028692504129cf39
- Typical Filename: airpush_new_module_20_1_2_2_dex_557389.jar
- Claimed Product: N/A
- Detection Name: PUA.Andr.Adware.Airpush::other.talos

- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos

- SHA 256: 93da45a3cb6f184f3ee4094f93a8659030efdffabb5c9f968d5bddf1abe397a0
- MD5: d344f2e60c0ec18e3742e035b5620e28
- Typical Filename: MacKeeper Helper
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Trojan.Mackeeper::1201

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201

- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
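As an added example (not code from Talos or from the newsletter), here is a small offline IOC sweep in Python that takes the SHA-256 values listed above, validates each digest before use (a hash of the wrong length can never match, so it is rejected up front instead of silently never firing), streams every regular file under a directory through SHA-256 and reports matches with the corresponding detection name. The temporary directory, its two files and the "Constructed.Test.Sample" detection name are constructed for the demo; no real malware is written to disk.

```python
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from the "Most prevalent malware files" list above,
# keyed to the detection name Talos gives for each.
TALOS_SHA256 = {
    "5cd21ead98b0c736a199a39618f92504a476b8b3cb761d0f2be246c4be61a207": "PUA.Andr.Adware.Airpush::other.talos",
    "3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3": "Win.Trojan.Generic::in10.talos",
    "93da45a3cb6f184f3ee4094f93a8659030efdffabb5c9f968d5bddf1abe397a0": "PUA.Osx.Trojan.Mackeeper::1201",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f": "W32.AgentWDCR:Gen.21gn.1201",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "W32.Generic:Gen.21ij.1201",
}

# Expected hex-digest lengths. A digest that is not exactly this long (for
# example a 35-character "MD5" left by a copy/paste or extraction error) can
# never match a real file, so it is rejected instead of silently ignored.
HEX_DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def normalize_ioc(value: str, algo: str = "sha256") -> str:
    """Lowercase and validate one hex digest for the given algorithm."""
    h = value.strip().lower()
    want = HEX_DIGEST_LENGTHS[algo]
    if not re.fullmatch(r"[0-9a-f]{%d}" % want, h):
        raise ValueError(f"{algo} IOC must be {want} hex chars, got {len(h)}: {value!r}")
    return h


def load_iocs(raw: dict) -> dict:
    """Build a normalized {sha256: detection_name} map, failing on malformed entries."""
    return {normalize_ioc(h): name for h, name in raw.items()}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: str, iocs: dict) -> list:
    """Hash every regular file under root; return (path, sha256, detection) for matches.

    Symlinks are skipped so a planted link cannot redirect the scan elsewhere,
    and unreadable files are skipped rather than aborting the whole sweep.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> list:
    """Constructed demo: a temp directory holding one benign file and one stand-in
    file whose hash is added to the IOC set under a made-up detection name, so the
    match path can be exercised without real malware on disk."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        # Filename borrowed from the list above; the contents are constructed.
        sample = os.path.join(root, "Tempmf582901854.exe")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")
        with open(sample, "wb") as fh:
            fh.write(b"constructed stand-in for a flagged binary\n")
        iocs = load_iocs({**TALOS_SHA256, sha256_file(sample): "Constructed.Test.Sample"})
        hits = sweep(root, iocs)
    return [(os.path.basename(p), detection) for p, _digest, detection in hits]


if __name__ == "__main__":
    for name, detection in demo():
        print(f"HIT {name}: {detection}")
```

Point `sweep()` at a real directory with `load_iocs(TALOS_SHA256)` to check a host against this week's list; a hit on one of the five published hashes is a confirmed file match, while a filename match alone (the "Typical Filename" column) is only a hint and is deliberately not used here.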
##SPAM STATS FOR July 26 - Aug. 2:
####TOP SPAM SUBJECTS OBSERVED
- “Verification Required ! -IDPP00C92”
- “Password Expired - Reset Immediately Required”
- “Image File Received.”
- “Important Activity Review !!!”
- “Confirmation Letter”

####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 31083 Telepoint Ltd
- 8987 Amazon Data Services Ireland Ltd
- 20473 Choopa, LLC
- 15169 Google LLC

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.