Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Are all of your Microsoft products up to date? They should be after the latest round of security updates. Microsoft disclosed 61 vulnerabilities this week, 17 of which are rated “critical.” If you want to read more about them, visit our blog here. We also have complete Snort rule coverage, which you can see here.
We also had two major vulnerability disclosures over the past week. One is actually a re-hash of a bug that appeared to be patched already in the ProtonVPN and NordVPN VPN clients. While the vendors released fixes earlier this year for the flaws, they were insufficient, leaving the products still open to exploitation.
We also discovered multiple SQL injection vulnerabilities in Frappe ERPNext, version 10.1.6. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
Location: CactusCon, Mesa Convention Center in Mesa, Arizona
#### Date: Sept. 28 - 29
#### Speaker: Edmund Brumaghin
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary’s perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it’s always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn’t have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.
### Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
#### Date: Oct. 3, 2018
#### Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
### Event name: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware”
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
#### Date: Oct. 12 - 14
#### Speaker: Edmund Brumaghin
Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* The U.S. formally accused a North Korean hacker of orchestrating the massive WannaCry ransomware attack, as well as a hack on Sony back in 2014. Park Jin Hyok, the hacker, is believed to be linked to the Lazarus Group APT.
* The mobile spyware company mSpy leaked millions of their users’ information. A now-defunct open server contained users’ login information, call logs, contacts, text messages and more — and the server didn’t require authentication.
* Google alerted dozens of its users that it had been asked to provide information to the FBI related to an investigation into the LuminosityLink RAT. It is currently unclear what data — if any — the company has handed over.
* A new government website briefly exposed the social security numbers of about 80 individuals. It was part of a rough launch week for the site.
* Several apps on the Mac store were found to be improperly collecting user data. An investigation also revealed that even if the apps are reported to Apple, it can take several months for them to be removed.
* Apple is working on a new hub that would make it easier for law enforcement agencies to request users’ information during formal investigations. The company is also creating a team that will train those officers on digital evidence.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Microsoft Patch Tuesday
Description: Microsoft released patches for many of its products as part of its monthly security update. The latest release covered 61 different vulnerabilities, 18 of which were rated “critical.” This update also includes two critical advisories, one of which covers security updates to Adobe Flash, and another that deals with a denial-of-service vulnerability in the Microsoft Windows operating system.
#### Snort SID: 45142-45143, 47702-47703, 47717-47718, 47730-47741, 47745-47748
### Title: Multiple vulnerabilities found in Cisco products
Description: Cisco released several advisories covering bugs in several of their products, including two critical vulnerabilities. A vulnerability in the API of Cisco Umbrella could allow a remote attacker to view and modify data across an entire organization. Additionally, multiple models of the RV router are susceptible to an interface buffer overflow vulnerability.
#### Reference:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-rv-routers-overflow
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-api
#### Snort SID: 47698 - 47711, 47713 - 47715
***
## MOST PREVALENT MALWARE FILES Sept. 6 - 13:
- SHA 256: 800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7
- MD5: 68bdead645dc97e55597be4aa3664fa9
- Typical Filename: SearchBar_2.25.exe
- Claimed Product: Desktop Search Bar
- Detection Name: PUA.Win.Ransomware.Spigot::in03.talos

- SHA 256: 473fef2203ef277822822152b5642191a466a6905d83fee4f51cbb4e0052fe8d
- MD5: 1650ae4badd53bc0675f4a475c275c3a
- Typical Filename: Accounting.doc
- Claimed Product: N/A
- Detection Name: W32.Auto:473fef2203.in05.Talos

- SHA 256: 0b5a060cb8ac0611f910926087d68eb86156149f2c3bf7ac85feafd7af3bc576
- MD5: 7a000e948bc4d2dfc304d734a7ddc7a1
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: PUA.Osx.Trojan.Amcleanerca::agent.tht.talos

- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***
## SPAM STATS FOR Sept. 6 - 13:
#### TOP SPAM SUBJECTS OBSERVED
- “Summary Annual Report”
- “RE: Last Reminder: New Payroll Bulletin”
- “Unauthorized Login Attempts to you PayPal account”
- “Internal only “Handlungsbedarf””
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 13716 Hewitt Associates LLC
- 22843 Proofpoint, Inc.
- 44444 Forcepoint Cloud Ltd
- 27357 Rackspace Ltd.