Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
Another week is down, which means we’ve got another round of malware to discuss.
First up is GPlay, a new campaign we discovered that’s attempting to dupe Android users into downloading malicious software. The malware disguises itself as a fake Google app store on phones but is actually a trojan.
We also discovered a new RTF-based campaign that’s distributing the Agent Tesla and Loki malware families. The actors behind this malware are exploiting a well-known, existing vulnerability in Microsoft Office to carry out these attacks. If undetected, Agent Tesla can steal users’ credentials from a number of popular applications, including Google Chrome and Microsoft Outlook.
On the vulnerability front, we disclosed three bugs in the E Series line of Linksys routers. All three could lead to arbitrary code execution if an attacker exploits them.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
Location: Tech at the Gap conference at the Western Maryland IT Center of Excellence in Cumberland, Md.
Synopsis: Talos specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape by leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk, Ashlee will cover recent threats and the methods and analysis used by Talos to defend against them.
Location: BSides Lisbon at the Grande Auditório in Lisbon, Portugal
Synopsis: One of the cornerstones of privacy today is secure messaging applications such as Signal, WhatsApp and Telegram, which deploy end-to-end encryption to protect communications. However, a deeper look into these applications shows that they lack transparency, leading to session hijacking at different levels. This presentation will walk through various secure chat applications and how malware we’ve seen in the wild can take advantage of this software.
Description: Adobe disclosed several vulnerabilities in a few of their products, including Technical Communications Suite, Digital Editions and Framemaker. Four of the bugs, all in Digital Editions, are rated as “critical.” An attacker could exploit these vulnerabilities to execute arbitrary code in the context of the current user.
Description: There are two vulnerabilities in Foxit PDF Reader: one that could lead to the disclosure of sensitive information, and another that could allow an attacker to execute code on the victim’s machine. The bugs are CVE-2018-9948 and CVE-2018-9958. The information disclosure flaw lies in the way the software handles typed arrays, while the remote code execution bug exists in the handling of text annotations.
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.