Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
After a long week of conferences out in Las Vegas, we are back in the swing of things. Thanks to everyone who came and checked out the Cisco Security booth at Black Hat, B-Sides and DEFCON. If you have any photos from Vegas, tag us at either @TalosIntelligence or @Snort on Twitter and we’ll retweet your photos.
This week we have coverage for Microsoft Patch Tuesday. Microsoft, as part of its monthly update, fixed 62 vulnerabilities in a variety of its products. You can read about the most prevalent bugs here, and be sure to check the bottom of the post for the new Snort rules that we have to keep you safe.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
Location: CactusCon, Mesa Convention Center in Mesa, Arizona
Date: Sept. 28 - 29
Speaker: Edmund Brumaghin
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary’s perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it’s always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn’t have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.
### Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
Date: Oct. 3, 2018
Speakers: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
### Event name: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware”
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
Date: Oct. 12 - 14
Speaker: Edmund Brumaghin
Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Hackers at the Black Hat conference last week in Las Vegas were able to expose several flaws in voting machines that have been used in U.S. elections. The attendees had physical access to the devices.
* Several vulnerabilities have been discovered in the line of Medtronic pacemakers that could potentially allow an attacker to install malware directly on the device. The two researchers who discovered the bugs say they have only been partially fixed.
* More than 26.5 million Comcast customers potentially had their social security numbers exposed as part of a flaw on the cable and internet company’s website. Comcast is currently reviewing whether the information was actually used in any malicious way while the vulnerability was active.
* The Pentagon has banned deployed soldiers from using mobile GPS devices, such as fitness trackers. Defense officials say the data exposed presents a “significant risk” to military personnel.
* Government officials say a recent cyberattack was the work of a nation-state actor. More than 1.5 million people had their personal information exposed during a breach of the country’s health care database.
* An internal government investigation found that the Federal Communications Commission lied about being the victim of a denial-of-service attack in 2017. The department’s website had actually gone down after fans of the show “Last Week Tonight” with John Oliver went to the site to voice their opinions on net neutrality.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Microsoft Patch Tuesday
Description: Microsoft fixed 62 vulnerabilities in a variety of its products as part of its monthly update. This month’s advisory addresses 20 bugs that are rated as “critical” and 28 that are rated “important.” The bugs exist in Microsoft Edge, Internet Explorer, and several other products.
Snort SID: 45877-45878, 46548-46549, 46999-47002, 47474-47493, 47495-47496, 47503-47504, 47512-47513, 47515-47520
### Title: Multiple bugs in Adobe products
Description: Adobe has patched multiple vulnerabilities in its products, including Flash Player, Creative Cloud and Acrobat. Two of the bugs, located in Adobe Acrobat and Reader, are rated as “critical,” and could allow an attacker to execute arbitrary code on a victim machine with the same privileges as the current user.
References:
- https://helpx.adobe.com/security/products/creative-cloud/apsb18-20.html
- https://helpx.adobe.com/security/products/flash-player/apsb18-25.html
- https://helpx.adobe.com/security/products/experience-manager/apsb18-26.html
- https://helpx.adobe.com/security/products/acrobat/apsb18-29.html
Snort SID: 47074-47075
### Title: CGit clone objects bug
Description: There is a directory traversal vulnerability in CGit, a web frontend for Git repositories, identified as CVE-2018-14912. The vulnerability exists in the cgit_clone_objects function in CGit before version 1.2.1 when enable-http-clone=1 is not turned off.
Snort SID: 47464-47466
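The containment check this bug class calls for, as an added illustration (not CGit’s code): the object sub-path of an HTTP clone request is normalised with string logic only, anything that would climb out of the repository’s objects directory is rejected, and the enable-http-clone setting named above is shown as the configuration-level mitigation that removes the reachable code path entirely. The URL layout (/<repo>/objects/<relative path>), REPOS_ROOT and the function names are assumptions.

```python
from pathlib import PurePosixPath
from typing import Optional, Tuple
from urllib.parse import unquote

# Assumed URL layout for dumb-HTTP clones: /<repo>/objects/<relative path>.
OBJECTS_MARKER = "/objects/"
REPOS_ROOT = "/srv/git"  # assumed repository root on the server


def resolve_object_path(objects_dir: str, requested: str) -> Optional[str]:
    """Normalise an already URL-decoded sub-path against objects_dir with pure
    string logic; return None if it is absolute or '..' would climb out."""
    p = PurePosixPath(requested)
    if p.is_absolute():
        return None  # an absolute component would reset joinpath() below
    kept = []
    for component in p.parts:
        if component == ".":
            continue
        if component == "..":
            if not kept:
                return None  # would escape objects_dir
            kept.pop()
        else:
            kept.append(component)
    return str(PurePosixPath(objects_dir).joinpath(*kept))


def check_clone_request(url_path: str, enable_http_clone: bool) -> Tuple[str, Optional[str]]:
    """Classify one request path as disabled / not-objects / reject / serve."""
    if not enable_http_clone:
        # Configuration-level mitigation: with the clone endpoints switched
        # off, the object-serving code path is never reached at all.
        return ("disabled", None)
    path = unquote(url_path)  # decode exactly once; double decoding is a classic bug
    marker = path.find(OBJECTS_MARKER)
    if marker == -1:
        return ("not-objects", None)
    repo = path[:marker].strip("/")
    if not repo or ".." in PurePosixPath(repo).parts:
        return ("reject", None)  # traversal hidden in the repository name
    objects_dir = f"{REPOS_ROOT}/{repo}/objects"
    resolved = resolve_object_path(objects_dir, path[marker + len(OBJECTS_MARKER):])
    if resolved is None:
        return ("reject", None)
    return ("serve", resolved)
```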
***
## MOST PREVALENT MALWARE FILES Aug. 9 - 16:
***
## SPAM STATS FOR Aug. 9 - 16:
### TOP SPAM SUBJECTS OBSERVED
- “Critical Notice: Statement of Liabilities”
- “Attention !! Email Upgrade Alert!!”
- “Award Email Notification”
- “CODIGO PROMOCIONAL R$100!”
- “New Document - (Invoices838&contractAgreement938.Pdf)”
### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 49335 Mir Telematiki Ltd
- 8075 Microsoft Corporation
- 35017 Swiftway Sp. z o.o.
- 60781 LeaseWeb Netherlands B.V.
- 49981 WorldStream B.V.
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.