Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you were at Black Hat but missed out on the live Beers with Talos podcast, we have you covered. We just released the recording of the episode, which features a special guest from CyberWire, a Baltimore-based cybersecurity news service. We let the audience choose the topics, and talked about everything from VPNFilter to Matt Olney’s belts.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
Location: CactusCon, Mesa Convention Center in Mesa, Arizona
#### Date: Sept. 28 - 29
#### Speaker: Edmund Brumaghin
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary’s perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it’s always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn’t have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.
### Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
#### Date: Oct. 3, 2018
#### Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
### Event name: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware”
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
#### Date: Oct. 12 - 14
#### Speaker: Edmund Brumaghin
Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* China is continuing to build up its cyberwarfare capabilities, despite the fact that it believes it still lags behind the U.S., according to a new Pentagon report.
* A severe flaw in PHP leaves thousands of WordPress websites open to attack. The vulnerability was reported more than a year ago, but it still isn’t fixed.
* Cities around the U.S. that utilize smart technology are open to so-called “panic attacks”. There are multiple bugs in the sensors that the cities use to track things like traffic and radiation alarms.
* A cryptocurrency investor sued AT&T for $224 million after millions of dollars worth of cryptocurrency was stolen from his phone.
* Hackers stole $13.5 million from Cosmos Bank, one of the largest financial institutions in India. The attackers made thousands of withdrawals over the course of three days from ATMs across the country.
* U.S. President Donald Trump has reversed an Obama-era policy regarding cyberattacks against its adversaries. The move is designed to relax how often the attacks can be deployed and in what scenarios.
* The FBI is launching an investigation into a cyberattack against David Min, a Democrat who is running for Congress in California. It was the second such attack to take place in the state during this election cycle.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Multiple flaws in Adobe Flash Player
Description: There are several vulnerabilities in Adobe Flash Player that could allow a remote attacker to execute arbitrary code on the victim machine. The five bugs are all rated as “important.” Three of them are due to out-of-bounds reads.
#### Snort SID: 47529 - 47534, 47568, 47569
### Title: Epic MyChart command injection vulnerability
Description: There is an XPath injection vulnerability in Epic MyChart, a medical records management platform. The bug could allow a remote attacker to access contents of an XML document containing static display settings, such as field labels.
#### Snort SID: 47552 - 47555
***
## MOST PREVALENT MALWARE FILES Aug. 16 - 23:
- SHA 256: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f
- MD5: 2dbf779808d2ec3f5121891be9f4b1cf2db
- Typical Filename: helperamc
- Claimed Product: Advanced Mac Cleaner
- Detection Name: PUA.Osx.Malware.Amcleaner::1201
- SHA 256: 38dd6e623626109f41e4cc46f4514ceae560bff025b9528340fb92d233892122
- MD5: 5c775039f60f560ce46db2821159e9e15c7
- Typical Filename: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f~.x86
- Claimed Product: Advanced Mac Cleaner
- Detection Name: PUA.Osx.Downloader.Amcleaner::1201
- SHA 256: 545c9d50242b5a4dfe4c71f0bff64fcdc7df6bcaa08f798450c6d96ddb804ff3
- MD5: 4b5186ca88ed8ef855ce7c409b9b50354b5
- Typical Filename: bcffda040c93b743bca1a67128ec1f60595dc0b14655afd7949b6c779e0e997f~.x64
- Claimed Product: Advanced Mac Cleaner
- Detection Name: PUA.Osx.Malware.Amcleaner::1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc799
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5ae2e
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***
## SPAM STATS FOR Aug. 16 - 23:
#### TOP SPAM SUBJECTS OBSERVED
- “Critical Notice: Statement of Liabilities”
- “Submission 5DW8 F36N MG2A 9HJ not processed”
- “CONGRATULATIONS YOU HAVE A DONATION OF $5,000,000 FROM MAVIS WANCZYK JACKPOT WINNER POWERBALL LOTTERY”
- “Verify Your Email Account (Final Warning from Microsoft before we disable your account)”
- “CODIGO PROMOCIONAL R$100!”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 35017 Swiftway Sp. z o.o.
- 48635 Astralus B.V.
- 60781 LeaseWeb Netherlands B.V.
- 8928 Interoute Communications Limited
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.