Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
The blog has been quiet this week with many of our researchers out in Las Vegas for so-called “hacker summer camp.” There are a number of conferences going on this week, most notably Black Hat, which wraps up today. Look for the Cisco booth during the final hours of Black Hat and at Defcon later on if you want to pick up a special Snort or even a pair of Talos socks.
If you need something to hold you over until we return to a normal schedule this week, there is a post covering the Tetrane REVEN reverse-engineering platform. We dive into how using the platform can allow you to quickly determine whether a bug is exploitable or not.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
#### Date: Oct. 3, 2018
#### Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Facebook is under fire for reportedly asking some of the U.S.’s largest banks to share their customers’ data with the social networking site, including card transactions and checking account balances. The information would be used to display banking information in Facebook’s Messenger app.
* The U.S. Transportation Security Administration has been tracking airline passengers for years, even if they are not under investigation by a federal agency. Known as the “Quiet Skies” program, the initiative gives the agency discretion over who they track and for how long.
* Federal officials arrested three Ukrainians involved with the FIN7 APT. The individuals are linked to hacks that targeted more than 100 companies in the U.S. and around the world, which caused losses totaling tens of millions of dollars.
* The FBI is struggling to retain top cybersecurity talent as researchers head to the private sector for better pay and benefits. About 20 top FBI leaders in the cyber field have left for corporate jobs over the past five years, according to Politico.
* A new APT known as “DarkHydrus” has been targeting government agencies in the Middle East with spear-phishing campaigns.
* The Department of Homeland Security has launched a new cybersecurity risk management center. The initiative will focus on evaluating threats and defending the U.S.’s critical infrastructure against hacking, starting with the energy, finance and telecommunications sectors.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Gorgon group launches widespread attacks
Description: An APT known as “Gorgon” has been launching identical email spam and targeted campaigns against government agencies in the U.S., U.K., Russia and Spain. The most recent campaign launched spear-phishing emails that contained Microsoft Word documents exploiting the Microsoft Office vulnerability CVE-2017-0199.
#### Snort SID: 47444 - 47454
### Title: Oracle WebLogic web services authentication bypass vulnerability
Description: A vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. An attacker could exploit this flaw by sending HTTP requests that submit malicious inputs to the affected software.
#### Snort SID: 47386 - 47390
### Title: WordPress Site Editor path traversal vulnerability
Description: A bug in the Site Editor plugin for WordPress could allow an unauthenticated, remote attacker to access sensitive information on a targeted system. A successful exploit could allow the attacker to access arbitrary files on the system, which could be used to conduct additional attacks.
#### Snort SID: 47424
***
## MOST PREVALENT MALWARE FILES Aug. 2 - 9:
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5ae2e
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc799
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
- SHA 256: adbdde4fcb694514302b8dc7a987cb11ec82cefa450afd9a815351088f4a5b40
- MD5: 8683e0b27f04087efba09c010fc7a1f8
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: OSX.ADBDDE4FCB.agent.tht.Talos
- SHA 256: 4bd61a7f2b1287e2c94973062b91ad075ce73637441982f426d269c527069015
- MD5: 5e414220b8e34fcfb2c315e772527a255e4
- Typical Filename: bfa9b296d648a5eac19e0d6bb23139e9104cfd55ee8a02cd1aa9d768ef398747~.x86
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Trojan.Mackeeper::1201
- SHA 256: bfa9b296d648a5eac19e0d6bb23139e9104cfd55ee8a02cd1aa9d768ef398747
- MD5: cb7eb6e04cf0e4549c09a82e0da9b984cb7
- Typical Filename: MacKeeper Helper
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Malware.Mackeeper::other.talos
***
## SPAM STATS FOR July 26 - Aug. 2:
#### TOP SPAM SUBJECTS OBSERVED
- “Password Expired - Reset Immediately Required”
- “Paul McGuckin has invited you to CS Financial Solutions”
- “R.B.C. Express Reference Code / Authorization Code”
- “Married women are looking to get laid almost as much, or just as much as married men”
- “TD Web Business Banking Reference Code / Authorization Code”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 49335 Mir Telematiki Ltd
- 8987 Amazon Data Services Ireland Ltd
- 7922 Comcast Cable Communications, LLC
- 11377 SendGrid, Inc.
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.