Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
We know we’re a little late on this, but after some technical difficulties, the latest episode of the Beers with Talos podcast is here. The guys this week cover sextortion malware, the importance of vulnerability research and attackers who want to go after mobile devices.
Speaking of vulnerabilities, we had a lot to cover in this month’s Microsoft security update. Here is the rundown of all of the bugs Microsoft disclosed Tuesday. We also have all of our Snort coverage here.
We also have full coverage of a Brazilian banking trojan we’ve spotted in the wild. While the trojan itself is not new, there are new campaigns spreading it in an attempt to steal customers’ login information.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Cisco Connect Seattle

#### Date: Nov. 29

#### Speaker: Nick Biasini

Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will specifically highlight the work that Talos does as one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he’ll discuss the threats that are top-of-mind for our researchers, and the trends that you, as defenders, should be most concerned about.
### Presentation: “(In)Secure messaging apps: A lateral movement into your privacy”

#### Location: BSides Lisbon at the Grande Auditório in Lisbon, Portugal

#### Date: Nov. 29 and 30

#### Speaker: Vitor Ventura

Synopsis: One of the cornerstones of privacy today is secure messaging applications such as Signal, WhatsApp and Telegram, which deploy end-to-end encryption to protect communications. However, a deeper look into these applications shows that they lack transparency, leading to session hijacking at different levels. This presentation will walk through various secure chat applications and how malware we’ve seen in the wild can take advantage of this software.

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

* More than 50 nations have signed onto an agreement regarding cybersecurity principles. However, the U.S. remains one of the major holdouts, along with other countries that usually use more offensive cyber capabilities, such as China and Russia.
* Facebook agreed to host French regulators at its offices as the company continues to fight hate speech in the country. The investigators will monitor the social media site’s policies and tools for preventing posts and pictures that attack people based on race, sexuality, religion or gender.
* Despite being more than a year-and-a-half old, WannaCry still remains the top ransomware out in the wild. A new report from Kaspersky Labs found that WannaCry was responsible for 28.72 percent of ransomware attacks in the third quarter.
* A flaw in a popular GDPR plugin for WordPress allowed attackers to completely take over sites.
* Kaspersky Labs opened its new “Transparency Center” in Switzerland. The cybersecurity firm started processing data in Europe as well, as it attempts to distance itself from claims that it has ties to the Russian government.
* A popular voting machine used in the past two elections in the U.S. encouraged election officials to use weak passwords.
* A bug in a popular drone maker’s forums allowed attackers to view the live feed of any drone made by the company.

***

## NOTABLE RECENT SECURITY ISSUES
### Title: Microsoft patches 53 vulnerabilities, 11 critical

Description: Microsoft released its monthly security update, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities: 11 rated “critical,” 40 rated “important,” and one each rated “moderate” and “low.” The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX. This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

#### Snort SIDs: 32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410
### Title: Adobe security updates for Acrobat, Photoshop, Flash Player

Description: Adobe released patches for several vulnerabilities in three of its products: Acrobat Reader DC, Photoshop and Flash Player. All five of the bugs disclosed are considered “important” and could lead to otherwise protected information being exposed.

#### Reference:

- https://helpx.adobe.com/security/products/flash-player/apsb18-39.html
- https://helpx.adobe.com/security/products/acrobat/apsb18-40.html
- https://helpx.adobe.com/security/products/photoshop/apsb18-43.html

#### Snort SIDs: 48293, 48294
### Title: APT exploits flaw in ColdFusion servers

Description: A Chinese actor was spotted in the wild attacking Adobe ColdFusion servers. The group appears to have reverse-engineered an Adobe security patch to quietly upload a variant of the China Chopper backdoor on unpatched servers and take over the entire system.

#### Snort SID: 48359

***

## MOST PREVALENT MALWARE FILES Nov. 8 - 15:
- SHA 256: 187d3fdce705e9e898be4a85b2193d0631bde275bf86c9a0dd510945a9131849
- MD5: b21422c2cbf71010e386770b74060aec
- Typical Filename: pvz_2231500572.exe"; filename=UTF-8''pvz_2231500572.exe
- Claimed Product: Fekaputu
- Detection Name: W32.187D3FDCE7-95.SBX.VIOC

- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos

- SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
- MD5: 8c80dd97c37525927c1e549cb59bcbf3
- Typical Filename: eternalblue-2.2.0.exe
- Claimed Product: N/A
- Detection Name: W32.GenericKD:WNCryLdrA.21lx.1201

- SHA 256: 73d876ec3e9c2e459ed771873bd07bb81e56244f7ae395ec7f2368c2f29e9611
- MD5: 68f811127c2e434d13652448bd225ab3
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.73D876EC3E.agent.tht.Talos

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***

## SPAM STATS FOR Nov. 8 - 16:
#### TOP SPAM SUBJECTS OBSERVED

- “Xero subscription invoice”
- “Message Box is full”
- “FW: Confidential documents”
- “RE: microsoft technical support”
- “New message”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM

- 8075 Microsoft Corporation
- 16276 OVH SAS
- 15169 Google LLC
- 44444 Forcepoint Cloud Ltd
- 15399 WANANCHI

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.