Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
You may remember our post from a few weeks back outlining a mobile device management (MDM) campaign targeting iPhone and Windows users. In our subsequent research, we have uncovered more about the attackers’ methods. We have this handy guide to show you what you can do to check and see if a malicious MDM is on your phone.
Talos also has a cool new YouTube channel, where we uploaded our first video on this MDM campaign and how to protect your mobile device.
Cryptocurrency-mining malware has become the tool of choice for many malicious actors, since miners can generally be installed quietly and generate money for the attacker for as long as they run. One particular threat actor, Rocke, has carried out multiple campaigns to install miners on the machines of unsuspecting users. Here’s a deep dive into Rocke, along with an analysis of their infrastructure.
There’s also a new episode of the Beers with Talos podcast out. The guys, without Joel or Nigel, discuss the Remcos botnet that exists in somewhat of a grey area on the internet. Matt also discusses his (and his Twitter followers’) love of sporks.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
####Location: CactusCon, Mesa Convention Center in Mesa, Arizona
####Date: Sept. 28 - 29
####Speaker: Edmund Brumaghin
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but their impact on the threat landscape has been. From an adversary’s perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it’s always been a trade-off: can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn’t have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.

###Event name: Virus Bulletin conference
####Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
####Date: Oct. 3, 2018
####Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel-mode malware analysis.

###Event name: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware”
####Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
####Date: Oct. 12 - 14
####Speaker: Edmund Brumaghin
Synopsis: Wiper malware has been leveraged by attackers for years to destroy data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* The U.S. Department of Justice says it may not be able to prosecute hackers who target American voting machines. Current hacking laws may not cover them, as the machines are not connected to the internet, but a new amendment could change that.
* Yahoo scans the emails its users send and receive, hoping to sell that data to advertisers. Most other email services, including Gmail, have stopped this practice over the past few years.
* A hacker posted an unpatched exploit for a flaw in Windows Task Scheduler on GitHub and Twitter. All 64-bit Windows systems are currently vulnerable.
* Attackers are exploiting a vulnerability on Apple Macs to target government agencies in the Middle East. The victims were sent spear-phishing emails that prompted them to click on a link, which downloaded the WindTale and WindTape malware.
* The U.S. accused China of carrying out a massive campaign on LinkedIn in an attempt to recruit Americans who may have knowledge of government and commercial secrets. The Chinese government allegedly set up fake accounts and contacted thousands of users at once.
* Congress is pushing the MITRE Corp. to improve the process of assigning and tracking CVEs. This could mean the nonprofit will begin receiving more stable financing from the federal government to make substantial improvements to the program in the coming years.
* A hacker behind the high-profile leak of several celebrities’ nude photos has been sentenced to eight months in prison.

***

##NOTABLE RECENT SECURITY ISSUES
###Title: Additional protection for Apache Struts flaw
Description: Cisco Talos has released additional coverage for a critical vulnerability in Apache Struts that could allow an attacker to execute arbitrary code on a targeted system. The bug impacts multiple Cisco products and has already been exploited in the wild (https://searchsecurity.techtarget.com/news/252447943/Another-patched-Apache-Struts-vulnerability-exploited) to install a cryptocurrency miner on multiple machines.
####Snort SID: 29639, 39190 - 39191, 47634, 47689 - 47691

###Title: Cisco TelePresence code injection vulnerability
Description: There is a flaw in the way that Cisco TelePresence IX5000 Series software and Cisco TelePresence TX9000 Series software handle HTML inline frames. The bug could allow a malicious actor to carry out clickjacking or other client-side, browser-based attacks.
####Snort SID: 47679 - 47681

###Title: Shrug2 ransomware adds new features
Description: The ransomware Shrug2 has been spotted in the wild with new features, making it more effective than the original version discovered in July. Shrug2, which is built on the .NET framework, can encrypt 76 different file types. Once infected, a user is asked to pay the attacker $70 in bitcoin.
####Snort SID: 47692

***

##MOST PREVALENT MALWARE FILES Aug. 30 - Sept. 6:
- SHA 256: 0b5a060cb8ac0611f910926087d68eb86156149f2c3bf7ac85feafd7af3bc576
- MD5: 7a000e948bc4d2dfc304d734a7ddc7a17a0
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: PUA.Osx.Trojan.Amcleanerca::agent.tht.talos
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc799
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5ae2e
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7
- MD5: 68bdead645dc97e55597be4aa3664fa968b
- Typical Filename: SearchBar_2.25.exe
- Claimed Product: Desktop Search Bar
- Detection Name: PUA.Win.Ransomware.Spigot::in03.talos
- SHA 256: c2a25323747317ccfcd1157fd08779f177a994db32672a1c28d83d199b23fc84
- MD5: a9bae0c302ab960b98900051e377138ea9b
- Typical Filename: wpsnotify.exe
- Claimed Product: WPS Office
- Detection Name: PUA.Win.Trojan.Kingsoft::100.sbx.vioc
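Before loading a list like the one above into a blocklist, it is worth validating the hashes: as printed here, every MD5 value is 35 hex digits long, and a real MD5 is 32, so a matcher fed these strings would silently never fire. The following is an added example, not code from Talos or from the newsletter, that parses the list format used above and rejects malformed digests rather than trying to repair them. The input is the first two entries copied from the list; the entry/field names and the `Entry` class are this example's own.

```python
import re
from dataclasses import dataclass, field

# Expected number of hex digits for each hash field in the list.
HASH_LENGTHS = {"SHA 256": 64, "MD5": 32}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed input: the first two entries of the "most prevalent malware
# files" list above, copied as they appear on the page. Both MD5 strings
# are 35 hex digits long, which cannot be a valid MD5.
SAMPLE_IOC_LIST = """\
- SHA 256: 0b5a060cb8ac0611f910926087d68eb86156149f2c3bf7ac85feafd7af3bc576
- MD5: 7a000e948bc4d2dfc304d734a7ddc7a17a0
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: PUA.Osx.Trojan.Amcleanerca::agent.tht.talos
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc799
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
"""


@dataclass
class Entry:
    """One malware entry (hypothetical container for this example)."""
    fields: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


def parse_ioc_list(text):
    """Split the newsletter list into entries; each 'SHA 256:' line starts a new one."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line or ":" not in line:
            continue
        # Split on the first colon only: detection names may contain "::".
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SHA 256":
            entries.append(Entry())
        if not entries:
            continue  # field before the first SHA 256 line: nothing to attach it to
        entries[-1].fields[key] = value
    return entries


def validate(entry):
    """Record a problem for every hash field that is missing, non-hex, or the wrong length."""
    for algo, length in HASH_LENGTHS.items():
        digest = entry.fields.get(algo)
        if digest is None:
            entry.problems.append(f"{algo}: missing")
        elif not HEX_RE.match(digest):
            entry.problems.append(f"{algo}: non-hex characters")
        elif len(digest) != length:
            entry.problems.append(f"{algo}: {len(digest)} hex digits, expected {length}")
    return entry.problems


def build_blocklist(text):
    """Return (set of well-formed lowercase hashes, list of (filename, problem) rejected)."""
    good, rejected = set(), []
    for entry in parse_ioc_list(text):
        problems = validate(entry)
        name = entry.fields.get("Typical Filename", "?")
        for algo in HASH_LENGTHS:
            digest = entry.fields.get(algo)
            if digest and not any(p.startswith(algo) for p in problems):
                good.add(digest.lower())
        rejected.extend((name, p) for p in problems)
    return good, rejected


def is_known_bad(digest, blocklist):
    """Case-insensitive membership test against the validated blocklist."""
    return digest.strip().lower() in blocklist


if __name__ == "__main__":
    good, rejected = build_blocklist(SAMPLE_IOC_LIST)
    print(f"{len(good)} hashes loaded, {len(rejected)} rejected")
    for name, problem in rejected:
        print(f"  rejected {name}: {problem}")
```

Only the two SHA-256 values survive into the blocklist; both MD5s are reported as 35 digits where 32 were expected. Rejecting instead of auto-trimming is deliberate: a digest that fails format checks should be re-sourced from the original report, not guessed at.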
##SPAM STATS FOR Aug. 30 - Sept. 6:
####TOP SPAM SUBJECTS OBSERVED
- “Reminder: Your account will be limited until we hear from you !”
- “La facture d’août FA-378058 de “ (French: “The August invoice FA-378058 from “)
- “FACTURE” (French: “INVOICE”)
- “Reçu” (French: “Receipt”)
- “: Reçu de commande #2577” (French: “: Order receipt #2577”)

####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 42845 Bretagne Telecom SAS
- 8560 1&1 Internet SE
- 37153 HETZNER
- 577 Bell Canada

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.