Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
As part of our continued research into a mobile device management (MDM) campaign that’s been targeting mobile devices in India, we take a deep dive into the malware in the latest episode of Beers with Talos. The guys (once again without Nigel) go into our latest findings and talk about why mobile users are so susceptible to these kinds of attacks.
We are also sharing a whitepaper that was recently released by our friends over at the Cyber Threat Alliance. Talos contributed to this report on cryptocurrency mining. While many people have heard of the concept of cryptomining, they may not know about the numerous negative impacts an attack could have on their organization. It could also be a sign that their security system could be at risk of a more serious breach.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining” Location: CactusCon, Mesa Convention Center in Mesa, Arizona ####Date: Sept. 28 - 29 ####Speaker: Edmund Brumaghin Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary’s perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it’s always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn’t have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers. ###Event name: Virus Bulletin conference Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada ####Date: Oct. 3, 2018 ####Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis. ###Event name: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware” Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas ####Date: Oct. 12 - 14 ####Speaker: Edmund Brumaghin Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks. * ##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY * India’s Aadhaar software — which contains the personal and biometric information of 1 million residents — was compromised once again. A bug, which has since been patched, could have allowed an attacker to randomly generate any person’s information that is contained in the database. * Several popular mobile video games targeted toward children may be unknowingly collecting users’ information. A lawsuit recently filed by New Mexico’s attorney general and supported by parents alleges that Tiny Lab Productions is inappropriately targeting its games at users 13 and under and violates one of the state’s laws regarding data collection. * The U.S.’s major wireless carriers are banding together in an attempt to convince some websites’ reliance on passwords. Project Verify instead aims to use each mobile device user’s unique information to log into online services, including GPS location and physical attributes of their device. * Trend Micro is having to defend its products after researchers discovered their security apps were inappropriately collecting data. The Apple App Store forced the company to change the code in some of its products that were storing users’ browser history. * Apple released its new iOS 12 operating system for mobile devices that fixed a number of security flaws. The update patched vulnerabilities in phones’ Bluetooth and WiFi capabilities that could allow an attacker to install malicious apps on a device, among other bugs. * A critical vulnerability in NUUO software could open up thousands of internet-of-things devices to attack. The bug affects video cameras that are part of home security systems and could allow an attacker to remotely view and edit footage. *** ##NOTABLE RECENT SECURITY ISSUES
###Title: Adobe patches vulnerabilities in ColdFusion, Flash Player Description: Several bugs were fixed as part of Adobe’s monthly security update. The majority of the vulnerabilities that the company disclosed were in ColdFusion — six of which are rated “critical.” There is also an information disclosure vulnerability in Flash Player. Adobe was also scheduled to release additional advisories regarding Acrobat and Reader on Sept. 19. ####Reference: https://helpx.adobe.com/security/products/acrobat/apsb18-34.html https://helpx.adobe.com/security/products/flash-player/apsb18-31.html https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html ####Snort SID: 47786 - 47787, 47833 - 47834
###Title: SoftNAS Cloud command injection bug Description: A vulnerability exists in the SoftNAS Cloud file storage platform in all versions leading up to 4.0.3. An unauthenticated attacker could execute arbitrary code with root permissions due to the way the snserv script sanitizes the ‘recentVersion’ parameter from the snserv endpoint. ####Snort SID: 47817-47819
###Title: Diagnostic Hub Standard Collector escalation of privilege vulnerability Description: An escalation of privilege vulnerability exists in the Diagnostics Hub Standard Collector when it — or the Visual Basic Studio Standard Collector — allows files to be created in arbitrary locations. An attacker needs to log onto the system to exploit this bug, and then run a specially crafted application. ####Snort SID: 47850 - 47851 *** ##MOST PREVALENT MALWARE FILES Sept. 13 - 20:
- **SHA 256: 486b6e503ebfa15ed2a22934361d382d64c454774ea6de4c26a95fb2392ccec1
- MD5: efab302e91335694b6864360a6280fd6
- Typical Filename: Remove_HIPs_key.exe
- Claimed Product: N/A
- Detection Name: Win.Trojan.Generic::100.sbx.vioc
- SHA 256: 33819ff564d959d343cb8ff7e45107956f5463874044f9a1333874556712f23f
- MD5: 05b53b3170c51c0615dd9afd2ba101bd
- Typical Filename: Alona.doc
- Claimed Product: N/A
- Detection Name: W32.Auto:33819ff564.in05.Talos
- SHA 256: 800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7
- MD5: 68bdead645dc97e55597be4aa3664fa9
- Typical Filename: SearchBar_2.25.exe
- Claimed Product: Desktop Search Bar
- Detection Name: PUA.Win.Ransomware.Spigot::in03.talos
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: mf2016341595.exe
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
** ##SPAM STATS FOR Sept. 13 - 20:
####TOP SPAM SUBJECTS OBSERVED - “Security Alert: Your ability to receive email has been restricted [Ticket AB107421015]” - “[SPAM] RE: Vérification du mot de passe du compte Outlook!” - “Handlungsbedarf” - “Proposal” - “Alert”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM - 8075 Microsoft Corporation - 8560 1&1 Internet SE - 24323 aamra networks limited - 21345 Messagelabs Limited - 378 Israel InterUniversity Computation Center` ** Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.