Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
After months of additional research, we have more information to share on VPNFilter. The malware family, which has infected hundreds of thousands of wireless devices around the world, has even more capabilities than we initially thought. Our researchers discovered seven new third-stage modules that add significant functionality. Everyone needs to continue to follow these developments to ensure they are properly protected.
Elsewhere on the malware front, we also discovered a new campaign delivering the Adwind 3.0 remote access tool (RAT). In partnership with fellow security firm ReversingLabs, our researchers found that it is a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past.
We also disclosed a major vulnerability in the Epee library — which is leveraged by a large number of cryptocurrencies. A bug in the Levin serialization could allow an attacker to gain remote code execution privileges.
Congratulations are also in order for Ali Rizvi-Santiago — one of our researchers who recently tied for second place in the annual IDA Pro plugin contest. You can read all about his plugin and its functionality here.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
Location: CactusCon, Mesa Convention Center in Mesa, Arizona
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary's perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it's always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn't have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
Description: Researchers discovered a new malware family known as “Xbash” in the wild targeting Windows and Linux systems. Xbash combines features of ransomware and cryptocurrency miners and has the ability to self-propagate. The malware spreads by attacking weak passwords and existing software vulnerabilities.
Description: Adobe released security updates for Acrobat and Reader for Windows and MacOS. Successful exploitation of the critical and important vulnerabilities could lead to arbitrary code execution.
Description: Multiple bugs exist in Cisco Webex Network Recording Player for Advanced Recording Format that could allow an attacker to execute arbitrary code on a targeted system. The vulnerabilities lie in the way that Webex handles recorded files.
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.