Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
Another week is down, which means we’ve got another round of malware to discuss.
First up is GPlay, a new campaign we discovered that’s attempting to dupe Android users into downloading malicious software. The malware disguises itself as a fake Google app store on phones but is actually a trojan.
We also discovered a new RTF-based campaign that distributes the Agent Tesla and Loki malware families. The actors behind it exploit a well-known, existing vulnerability in Microsoft Office to carry out these attacks. If it goes undetected, Agent Tesla can steal users’ credentials from a number of popular applications, including Google Chrome and Microsoft Outlook.
On the vulnerability front, we disclosed three bugs in the E Series line of Linksys routers. All three could lead to arbitrary code execution if an attacker exploits them.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
### Presentation: “Talos: Threat Intelligence and the Evolving Threat Landscape”

Location: Tech at the Gap conference at the Western Maryland IT Center of Excellence in Cumberland, Md.

#### Date: Oct. 24

#### Speaker: Ashlee Benge

Synopsis: Talos specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos’ large team of threat intelligence experts, researchers, and engineers. In this talk, Ashlee will cover recent threats and the methods and analysis Talos uses to defend against them.

### Presentation: “(In)Secure messaging apps: A lateral movement into your privacy”

Location: BSides Lisbon at the Grande Auditório in Lisbon, Portugal

#### Date: Nov. 29 and 30

#### Speaker: Vitor Ventura

Synopsis: One of the cornerstones of privacy today is secure messaging applications such as Signal, WhatsApp and Telegram, which deploy end-to-end encryption to protect communications. However, a deeper look into these applications shows that they lack transparency, leading to session hijacking at different levels. This presentation will walk through various secure chat applications and how malware we’ve seen in the wild can take advantage of this software.

***

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

- Cybersecurity experts fear a wave of cyberattacks from China after the U.S. arrested and extradited a Chinese spy. The U.S. Department of Justice charged the man with attempting to steal trade secrets.
- One of the main sources used in a bombshell Bloomberg story about hardware implants is casting doubt on the validity of it. A security researcher, who was one of the only named sources in the story, says his comments were taken out of context and were meant to be stated as a theory, not a fact.
- The administrators of federal government agencies’ websites must all use two-factor authentication to log in. It is another layer of security for dot-gov domains and would require a hacker to steal the admin’s login credentials as well as their physical device.
- A grey-hat hacker says they patched thousands of MikroTik routers without users’ consent. The hacker patched several vulnerabilities that would have left the routers open to attack, but some users were still upset.
- Irish privacy authorities are formally investigating Twitter over whether the company violated the General Data Protection Regulation. The social media network declined to provide tracking data to a user when he asked to see how he was tracked when clicking on links in tweets.
- The U.K.’s top cybersecurity agency is warning that a major cyberattack with life-threatening consequences is imminent. The CEO of the National Cyber Security Centre (NCSC) said he had “little doubt” the country’s cybersecurity defenses would be tested in the coming years.

***

## NOTABLE RECENT SECURITY ISSUES
### Title: Adobe releases security updates for FrameMaker, Technical Communications Suite

Description: Adobe disclosed several vulnerabilities in a few of their products, including Technical Communications Suite, Digital Editions and FrameMaker. Four of the bugs, all in Digital Editions, are rated as “critical.” An attacker could exploit these vulnerabilities to execute arbitrary code in the context of the current user.

#### References:

- https://helpx.adobe.com/security/products/techcommsuite/apsb18-38.html
- https://helpx.adobe.com/security/products/framemaker/apsb18-37.html
- https://helpx.adobe.com/security/products/experience-manager/apsb18-36.html
- https://helpx.adobe.com/security/products/Digital-Editions/apsb18-27.html

Snort SIDs: 44919, 44920, 45819 - 45821, 47682, 47683, 46260, 46261, 48107, 48108, 48074, 48075, 48100 - 48103, 48124, 48125, 48134, 48135

### Title: Foxit PDF Reader information disclosure, remote code execution bugs

Description: There are two vulnerabilities in Foxit PDF Reader: one that could lead to the disclosure of sensitive information, and another that could allow an attacker to execute code on the victim’s machine. The bugs are CVE-2018-9948 and CVE-2018-9958. The information disclosure flaw lies in the way the software handles typed arrays, while the remote code execution bug exists in the handling of text annotations.

#### References:

- https://www.cvedetails.com/cve/CVE-2018-9948/
- https://nvd.nist.gov/vuln/detail/CVE-2018-9958

Snort SIDs: 48110 - 48113

***

## MOST PREVALENT MALWARE FILES Oct. 11 - 18:
- SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
- MD5: 8c80dd97c37525927c1e549cb59bcbf3
- Typical Filename: cstr.exe
- Claimed Product: N/A
- Detection Name: W32.GenericKD:Malwaregen.21ip.1201

- SHA 256: 800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7
- MD5: 68bdead645dc97e55597be4aa3664fa9
- Typical Filename: SearchBar_2.25.exe
- Claimed Product: Desktop Search Bar
- Detection Name: PUA.Win.Ransomware.Spigot::in03.talos

- SHA 256: 93da45a3cb6f184f3ee4094f93a8659030efdffabb5c9f968d5bddf1abe397a0
- MD5: d344f2e60c0ec18e3742e035b5620e28
- Typical Filename: MacKeeper Helper
- Claimed Product: MacKeeper Helper
- Detection Name: PUA.Osx.Malware.Mackeeper::1201

- SHA 256: 66a4f5df35234205ad530a1123c7021afb75623b0e16e53143bc553b6adf595e
- MD5: d1a457c76250cd0ad73385fac4ab43e4
- Typical Filename: mssvca.exe
- Claimed Product: N/A
- Detection Name: W32.66A4F5DF35-100.SBX.TG

- SHA 256: c59ac374df03908a863bb5e2a8cfd911b788f9751b4d5d4d075f013b75195217
- MD5: be4e947c89ee40058f37534c4a3d3f34
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: Auto.C59AC3.212256.in02
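The hash list above is most useful when it is turned into something that can be run against files on disk. The script below is an added example, not Talos tooling: it embeds the five indicators from the list, hashes every file under a directory in one streaming pass (SHA-256 and MD5 together), and reports which indicator matched and on which hash. The `demo()` helper, the temporary directory and the two benign files it creates are constructed for illustration; no real samples are involved.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    sha256: str
    md5: str
    typical_filename: str
    detection_name: str


# Hashes, filenames and detection names copied from the "Most prevalent malware files" list above.
INDICATORS: List[Indicator] = [
    Indicator("85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5",
              "8c80dd97c37525927c1e549cb59bcbf3",
              "cstr.exe", "W32.GenericKD:Malwaregen.21ip.1201"),
    Indicator("800c0d8e5a72d856398894329b6e3927b5b46bda9f8157d6e47c059cea3cb5b7",
              "68bdead645dc97e55597be4aa3664fa9",
              "SearchBar_2.25.exe", "PUA.Win.Ransomware.Spigot::in03.talos"),
    Indicator("93da45a3cb6f184f3ee4094f93a8659030efdffabb5c9f968d5bddf1abe397a0",
              "d344f2e60c0ec18e3742e035b5620e28",
              "MacKeeper Helper", "PUA.Osx.Malware.Mackeeper::1201"),
    Indicator("66a4f5df35234205ad530a1123c7021afb75623b0e16e53143bc553b6adf595e",
              "d1a457c76250cd0ad73385fac4ab43e4",
              "mssvca.exe", "W32.66A4F5DF35-100.SBX.TG"),
    Indicator("c59ac374df03908a863bb5e2a8cfd911b788f9751b4d5d4d075f013b75195217",
              "be4e947c89ee40058f37534c4a3d3f34",
              "helperamc.zip", "Auto.C59AC3.212256.in02"),
]


def build_index(indicators: List[Indicator]) -> Dict[str, Indicator]:
    """Key every indicator by both of its hashes, lowercased, so a lookup works with
    whichever hash a log source happens to record."""
    index: Dict[str, Indicator] = {}
    for ind in indicators:
        index[ind.sha256.lower()] = ind
        index[ind.md5.lower()] = ind
    return index


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Return (sha256, md5) of a file, computed in one streaming pass so large files
    never have to be read into memory whole."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def lookup(index: Dict[str, Indicator], sha256: Optional[str] = None,
           md5: Optional[str] = None) -> Optional[Tuple[Indicator, str]]:
    """Match on SHA-256 first. An MD5-only match is reported as such, because MD5
    collisions are practical and a weaker match deserves a second look."""
    if sha256 and sha256.lower() in index:
        return index[sha256.lower()], "sha256"
    if md5 and md5.lower() in index:
        return index[md5.lower()], "md5"
    return None


def scan_directory(root: str, index: Dict[str, Indicator]) -> List[Tuple[str, Indicator, str]]:
    """Walk a directory tree and return (path, indicator, matched_hash) for every hit."""
    hits: List[Tuple[str, Indicator, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            sha256, md5 = hash_file(path)
            match = lookup(index, sha256, md5)
            if match is not None:
                hits.append((path, match[0], match[1]))
    return hits


def demo() -> Tuple[List[Tuple[str, Indicator, str]], Tuple[str, str]]:
    """Scan a temporary directory holding two constructed benign files (not real samples).
    Returns the hit list (expected empty) and the hashes of the empty file."""
    index = build_index(INDICATORS)
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "empty.bin"), "wb").close()
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("constructed benign content\n")
        hits = scan_directory(root, index)
        empty_hashes = hash_file(os.path.join(root, "empty.bin"))
    return hits, empty_hashes


if __name__ == "__main__":
    found, empty = demo()
    print("matches:", found)
    print("hashes of empty file:", empty)
```

Point `scan_directory` at a quarantine folder or a mail-attachment spool rather than the temporary directory `demo()` builds. The `matched_hash` field matters in triage: a SHA-256 hit is as good as a hash match gets, while an MD5-only hit should be confirmed against the SHA-256 before anyone acts on it.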
***

## SPAM STATS FOR Oct. 11 - 18:

#### TOP SPAM SUBJECTS OBSERVED

- “Alert”
- “Suspicious Activities Notification”
- “Account Statement Oct 11 1018”
- “Your account Pay-Pal access will be limited in 24h.”
- “hi”

#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM

- 8075 Microsoft Corporation
- 16276 OVH SAS
- 14782 The Rocket Science Group, LLC
- 14061 DigitalOcean, LLC
- 32934 Facebook, Inc.

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.