Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
It’s the second week of the month, which means it’s Patch Tuesday time! As always, we have complete coverage of Microsoft’s monthly security update. The Talos blog goes over the vulnerabilities we think are most important, and the Snort blog describes the detection coverage we have for these bugs.
Talos discovered one of the bugs in this month’s release — a vulnerability in the WindowsCodecs.dll component of the Windows operating system.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Presentation: “Wiping The Slate Clean: The Ongoing Evolution of Wiper Malware”
Location: Texas Cyber Summit at Wyndham River Walk Hotel in San Antonio, Texas
####Date: Oct. 12 - 14
####Speaker: Edmund Brumaghin
Synopsis: Wiper malware has been leveraged by attackers for years to destroy data and systems. In many cases, this malware has caused widespread operational disruption for organizations and critical infrastructure around the globe, and attackers have continued to refine their wipers over the past several years. This talk will cover several notable examples of wiper malware, how they were distributed and the impact of those attacks.
###Presentation: “Talos: Threat Intelligence and the Evolving Threat Landscape”
Location: Tech at the Gap conference at the Western Maryland IT Center of Excellence in Cumberland, Md.
####Date: Oct. 24
####Speaker: Ashlee Benge
Synopsis: Talos specializes in the early-warning intelligence and threat analysis needed to defend networks against an ever-changing threat landscape, drawing on its large team of threat intelligence experts, researchers and engineers. In this talk, Ashlee will cover recent threats and the methods and analysis Talos uses to defend against them.
***
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* The companies named in a bombshell Bloomberg story about secret Chinese-made microchips are denying all of its claims. Apple and Amazon have both strongly denied that they found microscopic chips implanted on their servers that could let an attacker take over a network.
* Nearly all new U.S. weapons systems contain “critical” cybersecurity flaws, according to a new audit. The report states that from 2012 to 2017, Department of Defense testers “routinely found mission-critical cyber vulnerabilities in nearly all weapons systems that were under development.”
* Facebook could face up to $1.63 billion in fines from the European Union after the social media giant disclosed a data breach. The breach may be a violation of the EU’s new GDPR rules.
* The U.S. Department of Justice charged seven Russian hackers with carrying out cyberattacks against multiple international anti-doping agencies and a nuclear energy company. The hackers worked for the GRU, Russia’s military intelligence agency.
* Google is shutting down its Google+ social network next year. The decision came after a Wall Street Journal report stating that Google had tried to cover up a data breach on the site.
* Credit reporting agency Experian’s website contained a flaw that exposed users’ credit freeze PINs. The company patched the bug within hours, but it is currently unclear how many accounts were affected.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: Microsoft Patch Tuesday
Description: Microsoft disclosed 49 vulnerabilities across several of its products: 12 rated “critical,” 34 rated “important,” two rated “moderate” and one rated “low.” There is also a critical advisory covering security updates for the Microsoft Office suite of products.
####Snort SID: 48045 - 48057, 48058 - 48060, 48062, 48063, 48072, 48073
###Title: Cisco Prime Infrastructure arbitrary file upload and execution
Description: Cisco Prime Infrastructure (PI) contains a vulnerability that could allow an unauthenticated, remote attacker to upload an arbitrary file and execute code. The bug exists because PI incorrectly sets permissions on certain system directories.
####Snort SID: 40815
###Title: Google PDFium information disclosure vulnerability
Description: Google PDFium’s JBIG2 library contains a bug that could lead to an information leak, which could be used as part of a larger exploit chain. PDFium is the PDF reader used in Google’s Chrome and Chromium web browsers. An attacker can trigger this flaw by convincing the user to open a malicious PDF.
####Snort SID: 47340, 47341
***
##MOST PREVALENT MALWARE FILES Oct. 4 - 11:
- SHA 256: 6487dc3c2be656d09d37175fcfeddd2dd38d9987a9347dc2915041469c973a44
- MD5: b5c613d7919e121a43e92267e83cf9fe
- Typical Filename: primeupdater.exe
- Claimed Product: FirebirdIS
- Detection Name: PUA.Win.Adware.Techrelinst::Sality.tht.talos
- SHA 256: 800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7
- MD5: 68bdead645dc97e55597be4aa3664fa9
- Typical Filename: SearchBar_2.25.exe
- Claimed Product: Desktop Search Bar
- Detection Name: PUA.Win.Ransomware.Spigot::in03.talos
- SHA 256: d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff
- MD5: f174283dc138a4e412afbb3395d4288f
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.D8647DFB73.agent.tht.Talos
- SHA 256: c59ac374df03908a863bb5e2a8cfd911b788f9751b4d5d4d075f013b75195217
- MD5: be4e947c89ee40058f37534c4a3d3f34
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: Auto.C59AC3.212256.in02
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
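The list above is only useful if something actually checks it. The following is an added example (my code, not Talos code or tooling) that parses that block into a hash index and checks files or byte blobs against it. The hash values, filenames and detection names are the ones printed above; the "not malware" bytes in the usage are constructed. Hash IOCs are exact-match only: a repacked or recompiled build of the same adware will not match, so treat a hit as confirmation and a miss as no information, and rely on the detection names and Snort coverage for the broader family. MD5 is kept only as a fallback for reports that carry no SHA-256, since it is collision-prone.

```python
"""Added example (not Talos code): index the newsletter's hash IOCs and
check files or byte strings against them."""
import hashlib
import re
from pathlib import Path

# The five entries exactly as listed in the newsletter for Oct. 4 - 11.
IOC_TEXT = """
- SHA 256: 6487dc3c2be656d09d37175fcfeddd2dd38d9987a9347dc2915041469c973a44
- MD5: b5c613d7919e121a43e92267e83cf9fe
- Typical Filename: primeupdater.exe
- Claimed Product: FirebirdIS
- Detection Name: PUA.Win.Adware.Techrelinst::Sality.tht.talos
- SHA 256: 800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7
- MD5: 68bdead645dc97e55597be4aa3664fa9
- Typical Filename: SearchBar_2.25.exe
- Claimed Product: Desktop Search Bar
- Detection Name: PUA.Win.Ransomware.Spigot::in03.talos
- SHA 256: d8647dfb73ad636c7c1a743754b47ff1824c11cfef040104efabca92715ffcff
- MD5: f174283dc138a4e412afbb3395d4288f
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.D8647DFB73.agent.tht.Talos
- SHA 256: c59ac374df03908a863bb5e2a8cfd911b788f9751b4d5d4d075f013b75195217
- MD5: be4e947c89ee40058f37534c4a3d3f34
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: Auto.C59AC3.212256.in02
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
"""

FIELD_RE = re.compile(
    r"^\s*-\s*(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.+?)\s*$"
)
HEX_LEN = {"SHA 256": 64, "MD5": 32}


def parse_iocs(text):
    """Group the flat 'field: value' lines into one dict per sample; a new
    'SHA 256' line starts a new entry. Hashes are lower-cased and length- and
    charset-checked so a truncated or mangled hash never enters the index."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "SHA 256" and current:
            entries.append(current)
            current = {}
        if key in HEX_LEN:
            value = value.lower()
            if len(value) != HEX_LEN[key] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {key} in IOC list: {value!r}")
        current[key] = value
    if current:
        entries.append(current)
    return entries


def build_index(entries):
    """Map both hashes of each sample to its entry, so a report carrying
    only one hash type can still be matched."""
    index = {}
    for e in entries:
        for key in HEX_LEN:
            if key in e:
                index[e[key]] = e
    return index


def hash_bytes(data):
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream the file so large samples are not read into memory at once."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def lookup(hashes, index):
    """Return the matching entry for a (sha256, md5) pair, or None.
    SHA-256 is checked first; MD5 is a weaker, collision-prone fallback."""
    sha, md5 = hashes
    return index.get(sha) or index.get(md5)


def scan_paths(paths, index):
    """Return [(path, detection name)] for every regular file that matches."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            entry = lookup(hash_file(p), index)
            if entry:
                hits.append((str(p), entry["Detection Name"]))
    return hits


# Usage: constructed, benign bytes that match nothing in the list.
IOC_INDEX = build_index(parse_iocs(IOC_TEXT))
NO_HIT = lookup(hash_bytes(b"hello, not malware"), IOC_INDEX)  # None
```

`scan_paths` takes any iterable of paths, so `scan_paths(Path("/tmp/quarantine").rglob("*"), IOC_INDEX)` walks a quarantine folder; non-files are skipped. If the same list is fed from a feed rather than pasted text, keep the length and hex check: a single dropped character silently turns an indicator into something that can never match.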
***
##SPAM STATS FOR Oct. 4 - 11:
####TOP SPAM SUBJECTS OBSERVED
- “Action required: Mailbox Issues- Clustered Server”
- “Suspicious Activities Notification”
- “MyAccount”
- “QBCC Policy Purchase Receipt”
- “FOR YOUR URGENT ATTENTION - SUSPENSION NOTICE”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 14782 The Rocket Science Group, LLC
- 46606 Unified Layer
- 8075 Microsoft Corporation
- 45671 Wholesale Services Provider
- 32934 Facebook, Inc.