Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
After months of additional research, we have more information to share on VPNFilter. The malware family, which has infected hundreds of thousands of wireless devices around the world, has even more capabilities than we initially thought. Our researchers discovered seven new third-stage modules that add significant functionality. Everyone needs to continue to follow these developments to ensure they are properly protected.
Elsewhere on the malware front, we also discovered a new campaign delivering the Adwind 3.0 remote access tool (RAT). In partnership with fellow security firm ReversingLabs, our researchers found that it is a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past.
We also disclosed a major vulnerability in the Epee library — which is leveraged by a large number of cryptocurrencies. A bug in the Levin serialization could allow an attacker to gain remote code execution privileges.
Congratulations are also in order for Ali Rizvi-Santiago — one of our researchers who recently tied for second place in the annual IDA Pro plugin contest. You can read all about his plugin and its functionality here.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event name: “Stealing Cycles, Mining Coin: An introduction to Malicious Cryptomining”
Location: CactusCon, Mesa Convention Center in Mesa, Arizona
#### Date: Sept. 28 - 29
#### Speaker: Edmund Brumaghin
Synopsis: The rise of ransomware has paralleled a rise in the value of cryptocurrencies. The two are not necessarily connected, but the impact has been. From an adversary’s perspective, there are two primary ways of getting these currencies: ransom payouts or mining. Cryptocurrency mining has been around as long as cryptocurrency, and it’s always been a trade-off. Can you earn enough currency to offset the electricity and hardware costs? Well, imagine if you didn’t have to worry about either of them. This talk will provide a deep dive into pool mining, and how it is being leveraged by attackers.

### Event name: Virus Bulletin conference
Location: Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada
#### Date: Oct. 3, 2018
#### Speaker: Paul Rascagneres, Warren Mercer and Vanja Svajcer
Synopsis: Paul and Warren are hosting a joint talk on the Olympic Destroyer malware from earlier this year, and will cover why it is so difficult to attribute the attack. Vanja will also be hosting a workshop on manual kernel mode malware analysis.

### Event name: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware”
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
#### Date: Oct. 12 - 14
#### Speaker: Edmund Brumaghin
Synopsis: Wiper malware has been leveraged by attackers for years to facilitate the destruction of data and systems. In many cases, this malware has caused widespread operational issues for organizations and critical infrastructure all over the globe. Attackers have increasingly been leveraging and improving upon their wiper malware over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impacts that resulted from these attacks.
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

* The creators of the Mirai botnet were able to avoid jail time by striking a deal with the federal government. Rather than be sentenced, the three men will now work with the FBI “on cybercrime and cybersecurity matters.”
* GovPayNow.com, a popular website where users can pay for government services, leaked the personal information of more than 14 million people. The company does business with 2,300 government agencies in 25 states.
* The U.K. has plans to establish a new government agency to regulate the use of the internet. This government body would hold companies liable for the content published on their websites, and could potentially impose age restrictions.
* The U.S. laid out a plan to be more aggressive in the cybersecurity space toward its adversaries. National Security Advisor John Bolton said America “will identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests.”
* Online retailer Newegg exposed customers’ credit card information for more than a month. The same actor is connected to previous attacks carried out against British Airways and Ticketmaster U.K.
* The U.S. State Department’s classified email server was recently hacked. A spokesperson for the agency says that less than 1 percent of employees’ inboxes were breached.
* Hackers robbed Japanese cryptocurrency exchange Zaif of more than $60 million worth of digital coins.

***

## NOTABLE RECENT SECURITY ISSUES
### Title: New Xbash malware targets Windows, Linux systems
Description: Researchers discovered a new malware family known as “Xbash” in the wild targeting Windows and Linux systems. Xbash combines features of ransomware and cryptocurrency miners and has the ability to self-propagate. The malware spreads by attacking weak passwords and existing software vulnerabilities.
#### Snort SID: 47866 - 47873

### Title: Adobe discloses bugs in Acrobat and Reader
Description: Adobe released security updates for Acrobat and Reader for Windows and macOS. Successful exploitation of the critical and important vulnerabilities could lead to arbitrary code execution.
#### Snort SID: 47852 - 47857, 47883, 47884

### Title: Three important vulnerabilities in Cisco Webex
Description: Multiple bugs exist in Cisco Webex Network Recording Player for Advanced Recording Format that could allow an attacker to execute arbitrary code on a targeted system. The vulnerabilities lie in the way that Webex handles recorded files.
#### Snort SID: 47878 - 47879

***

## MOST PREVALENT MALWARE FILES Sept. 20 - 27:
- SHA 256: d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff1
- MD5: f174283dc138a4e412afbb3395d4288f
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.D8647DFB73.agent.tht.Talos

- SHA 256: 2730b9afbda5db068b8736e49b329e49aa0156b30180af2fa7bb178151e17a0a
- MD5: 14c543a105c1b089879d5eb7a8ac45f1
- Typical Filename: ServicePlug.zip
- Claimed Product: N/A
- Detection Name: W32.2730B9AFBD-87.SBX.VIOC

- SHA 256: 253676d93e6b79d119c99967e407926052df8b5520948069a2cac5e9ec5c7a7f
- MD5: cbdef3b550a24cdfbb96a7501337a14f
- Typical Filename: diantz.exe
- Claimed Product: Microsoft Cabinet Maker
- Detection Name: Win.Trojan.Emotet.hunt.Talos

- SHA 256: c59ac374df03908a863bb5e2a8cfd911b788f9751b4d5d4d075f013b75195217
- MD5: be4e947c89ee40058f37534c4a3d3f34
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: Auto.C59AC3.212256.in02

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***

## SPAM STATS FOR Sept. 20 - 27:

#### TOP SPAM SUBJECTS OBSERVED
- “Java update needed before using internet”
- “RE: Last Reminder: New Payroll Bulletin”
- “Your Netflix Membership Account Has Been Suspended”
- “Accont Notification!!!!!”
- “GOD IS WITH US”

#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 13776 QX.Net
- 26211 Proofpoint, Inc.
- 3136 State of WI Dept. of Administration
- 24323 aamra networks limited

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.