Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
Clear out your schedule for this weekend, because we’ve got plenty of Talos to fill your free time. We have two new episodes of the Beers with Talos podcast out now, including one extra-large special.
To celebrate episode No. 40, we put together a longer-than-usual episode to discuss the controversial SuperMicro Bloomberg story and the literal hundreds of security updates Oracle released.
There’s also a separate episode covering the increasing prevalence of PDF vulnerabilities, as well as the VirusBulletin conference that took place earlier this month.
Our researchers uncovered ongoing campaigns in South Korea and Japan that all appear to be the work of the same actor. These attacks are distributing malware that shares similarities to the Datper, xxmm backdoor, and Emdivi malware families.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Cisco Connect Seattle
#### Date: Nov. 29
#### Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will specifically highlight the work that Talos does in one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he’ll discuss the threats that are top-of-mind for our researchers, and the trends that you, as defenders, should be most concerned about.
### Presentation: “(In)Secure messaging apps: A lateral movement into your privacy”
#### Location: BSides Lisbon at the Grande Auditório in Lisbon, Portugal
#### Date: Nov. 29 and 30
#### Speaker: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications such as Signal, WhatsApp and Telegram, which deploy end-to-end encryption to protect communications. However, a deeper look into these applications shows that they lack transparency, leading to session hijacking at different levels. This presentation will walk through various secure chat applications and how malware we’ve seen in the wild can take advantage of this software.
***
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Facebook is considering buying a “major” cybersecurity company. The report comes as negative headlines continue to pile up against the social media site regarding its handling of users’ data.
* Google is stepping up its efforts to protect U.S. political campaigns from phishing attempts. A recent study found that an increasing number of campaigns are using the company’s Gmail service for their communications.
* Security researchers discovered an attacker using a former National Security Agency exploit to target nuclear energy firms in Russia, Iran and Egypt.
* The U.S. charged a Russian national with attempting to influence the 2016 and 2018 elections. The woman allegedly funded a social media troll farm.
* A new actor known as “GreyEnergy” is believed to be the successor to the infamous “BlackEnergy” group. Security researchers discovered malware in the wild that shares similarities to BlackEnergy, which attacked Ukrainian energy grids in 2016.
* An 8-year-old malware originating from China is back in the spotlight. Code seemingly belonging to APT1, a group discovered in 2008, has been seen in the wild, leading to questions about the origins of that code.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Datper campaign targets South Korea, Japan
Description: An APT that’s gone by many names over the years — Tick, Redbaldknight, Bronze Butler — continues to launch attacks against eastern Asian countries. Recent samples studied by Cisco Talos found that the Datper malware contains similarities to two other malware families: xxmm backdoor and Emdivi. Talos saw the malware sample most recently in the wild in July 2018.
#### Snort SIDs: 48197, 48198
### Title: Multiple vulnerabilities in Cisco Wireless LAN Controllers
Description: Cisco disclosed multiple bugs in Cisco Wireless LAN Controllers that are considered to be of “high” importance. An attacker could exploit these bugs to elevate their privileges, obtain sensitive information or cause a denial-of-service condition on an access point.
#### Snort SIDs: 48201, 48204
### Title: Remote code execution bug in Live Networks LIVE555
Description: Live Networks LIVE555’s streaming media RTSPServer contains a vulnerability that could lead to remote code execution. An attacker can exploit this bug by sending the victim a specially crafted packet. The flaw lies in the HTTP packet-parsing functionality of the software.
#### Snort SIDs: 48067, 48068
***
## MOST PREVALENT MALWARE FILES Oct. 18 - 25:
- SHA 256: 92f4daf523f803ea0131506dfe9d428088252dbaf6f9e868ca59354cebe8e789
- MD5: da848a3abd3edb81e31f94066636b287
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: W32.Auto.92f4da.MASH.SR.SBX.VIOC
- SHA 256: 73d876ec3e9c2e459ed771873bd07bb81e56244f7ae395ec7f2368c2f29e9611
- MD5: 68f811127c2e434d13652448bd225ab3
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.73D876EC3E.agent.tht.Talos
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 963d20cb463516ff6825b3b6467d4a6faa7b2838b6ddfae84b2cde26fd801802
- MD5: 4dd2fcd1689fa22161561ef9cf355885
- Typical Filename: September Gleaves Resume.doc
- Claimed Product: N/A
- Detection Name: W32.963D20CB46-100.SBX.TG
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***
## SPAM STATS FOR Oct. 18 - 25:
#### TOP SPAM SUBJECTS OBSERVED
- “CONGRATULATIONS YOU HAVE A DONATION OF $5, 000, 000 FROM MAVIS WANCZYK JACKPOT WINNER POWERBALL LOTTERY”
- “Document”
- “ANTT:THEO,”
- “Er staat een upgrade voor u klaar”
- “Confirmation Letter”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 46606 Unified Layer
- 8075 Microsoft Corporation
- 4760 PCCW Limited
- 8928 Interoute Communications Limited
- 15169 Google LLC
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.