Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
You probably see our Vulnerability Spotlights come and go (there are a lot of them, after all). This week, we decided to take a deep dive into TALOS-2018-0636/CVE-2018-3971, a bug we recently disclosed in the Sophos HitmanPro.Alert antivirus software. In that post, we walk through the exploitation process and talk about how we discovered the vulnerability in the first place.
With Veterans Day on the way, we also feel it’s important to highlight one of Cisco Talos’ newest initiatives. We are starting a new chapter of CyberVets U.S.A. in Maryland, in conjunction with other local tech companies and state officials. Through this program, military veterans can receive free training for cybersecurity jobs, and could even find themselves working for Cisco one day. You can learn more about the program here.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Cisco Connect Seattle
#### Date: Nov. 29
#### Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will specifically highlight the work that Talos does as part of one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he’ll discuss the threats that are top-of-mind for our researchers, and the trends that you, as defenders, should be most concerned about.
### Presentation: “(In)Secure messaging apps: A lateral movement into your privacy”
#### Location: BSides Lisbon at the Grande Auditório in Lisbon, Portugal
#### Date: Nov. 29 and 30
#### Speaker: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications such as Signal, WhatsApp and Telegram, which deploy end-to-end encryption to protect communications. However, a deeper look into these applications shows that they lack transparency, which leads to session hijacking at different levels. This presentation will walk through various secure chat applications and show how malware we’ve seen in the wild can take advantage of this software.

***

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

- The CIA’s secret communication channel came under attack in 2013, leading to weeks of around-the-clock work to save the service. The problems started with the agency failing to “noindex” the pages.
- December’s Google Chrome update will begin blocking advertisements from websites that traditionally host malicious ads. Site owners will have a 30-day window to fix their problems before they are completely blocked.
- The U.S. election went off without any major cybersecurity incidents, but officials warn there will still be interference. Foreign adversaries will “continue to push misinformation” as the next election cycle ramps up, according to the Department of Homeland Security.
- A vulnerability in some Cisco Small Business switches could allow a remote attacker to gain complete access to vulnerable devices. While a patch is not available yet, there is a viable workaround.
- The U.S. Secret Service warned its field offices that scammers are abusing the USPS’ mail-scanning system to carry out various identity theft and credit card schemes.
- HSBC says some of its American customers had their accounts breached in October. While only 1 percent of the bank’s U.S. customers were affected, according to the company, it still restricted online access to those users.
***

## NOTABLE RECENT SECURITY ISSUES
### Title: Chalubo botnet launches denial-of-service attacks against internet-of-things devices
Description: A botnet known as “Chalubo” is targeting IoT devices and launching distributed denial-of-service attacks from them. Once a device is infected, the attacker can download three components: a downloader, the main bot and a Lua command script.
#### Snort SIDs: 48281 - 48286
### Title: Octopus malware targets Telegram users in Asia
Description: A Russian-speaking actor recently launched a new campaign known as “Octopus” in Central Asia, hoping to target users of the encrypted messaging app Telegram. The malware poses as Telegram and infects users once they download the malicious app.
#### Snort SIDs: 48258 - 48260
### Title: Multiple vulnerabilities in Yi Technology Home Camera
Description: There are several bugs in the Yi Technology Home Camera that could allow an attacker to completely take over the camera and potentially delete footage. Half of the vulnerabilities require physical access to exploit, but one of the bugs (CVE-2018-3892) also has a network attack vector, raising its severity.
#### Snort SIDs: 46190, 46191, 46294, 46295, 46780, 46870

***

## MOST PREVALENT MALWARE FILES Nov. 1 - 8:
- SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
- MD5: 8c80dd97c37525927c1e549cb59bcbf3
- Typical Filename: b.exe
- Claimed Product: N/A
- Detection Name: W32.GenericKD:WNCryLdrA.21lx.1201

- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos

- SHA 256: 73d876ec3e9c2e459ed771873bd07bb81e56244f7ae395ec7f2368c2f29e9611
- MD5: 68f811127c2e434d13652448bd225ab3
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.73D876EC3E.agent.tht.Talos

- SHA 256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
- MD5: c24315b0585b852110977dacafe6c8c1
- Typical Filename: c.exe
- Claimed Product: N/A
- Detection Name: W32.DoublePulsar:Malwaregen.21ip.1201

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***

## SPAM STATS FOR Nov. 1 - 8:
#### TOP SPAM SUBJECTS OBSERVED

- “Dear Customer”
- “Restposten abzugeben: Smartphones und Laptops”
- “Unpaid Invoice statement.”
- “FW: Account Review”
- “FW: New Shipment”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM

- 46475 Limestone Networks, Inc.
- 32244 Liquid Web, L.L.C
- 15169 Google LLC
- 8075 Microsoft Corporation
- 16509 Amazon.com, Inc.

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.