Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
Since it’s Thanksgiving week in the U.S., there isn’t much happening on our blog this week. However, we do have some good information for you as the holiday shopping season kicks into gear. Attackers view Black Friday and Cyber Monday as opportune times to capitalize on shoppers who may not be as cyber-literate as they should be. Last year, we saw a spike in malicious emails targeting customers on the two most popular shopping days of the year, a trend we expect to see this year, too. Here’s what you can do to keep yourself safe.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Cisco Connect Seattle
#### Date: Nov. 29
#### Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will specifically highlight the work that Talos does in one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he’ll discuss the threats that are top-of-mind for our researchers, and the trends that you, as defenders, should be most concerned about.
### Presentation: “(In)Secure messaging apps: A lateral movement into your privacy”
#### Location: BSides Lisbon at the Grande Auditório in Lisbon, Portugal
#### Date: Nov. 29 and 30
#### Speaker: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications such as Signal, WhatsApp and Telegram, which deploy end-to-end encryption to protect communications. However, a deeper look into these applications shows that they lack transparency, leading to session hijacking at different levels. This presentation will walk through various secure chat applications and how malware we’ve seen in the wild can take advantage of this software.

***

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

* BlackBerry plans to buy cybersecurity company Cylance for $1.5 billion. Cylance will help the smartphone maker with its division that works on self-driving cars.
* Russia-linked hackers are impersonating U.S. State Department officials as part of an attack. They are sending fake emails that attempt to get other government employees to open malicious attachments.
* Instagram patched a bug in its website that could have allowed an attacker to view some users’ passwords in plain text. The vulnerability lay in the social media site’s new “Download Your Data” function.
* A new variant of the Olympic Destroyer malware is out in the wild, attempting to infect users via malicious email attachments.
* APT20, also known as the Russian threat actor “Cozy Bear,” is behind a series of spear-phishing campaigns over the past few weeks. The attackers sent malicious emails to a variety of companies and public sector agencies.
* Ivanka Trump, the daughter of President Donald Trump, reportedly used a personal email account to communicate about government business last year.

***

## NOTABLE RECENT SECURITY ISSUES
### Title: Adobe Flash Player type confusion vulnerability
Description: A type confusion vulnerability exists in Adobe Flash Player that could lead to remote code execution in the context of the current user. The bug affects Flash Player, version 22.214.171.124 and earlier. The latest security patch from Adobe fixes Flash on Windows, MacOS, Linux and Chrome OS.
Snort SIDs: 48425, 48426
### Title: OilRig APT continues to use BONDUPDATER malware
Description: The threat actor OilRig has been using the BONDUPDATER malware over the past few months to target a Middle Eastern government. The group sent phishing emails containing malicious documents that they attempted to trick the user into opening. Once launched, the BONDUPDATER malware will install a backdoor on the victim’s machine, allowing the actor to download and upload files and execute commands.
Snort SIDs: 48420 - 48422
### Title: Security flaws in TP-Link TL-R600VPN router
Description: There are multiple vulnerabilities in TP-Link’s TL-R600VPN router that could lead to remote code execution. In order to exploit these bugs, the attacker would need authentication. However, if successful, they could execute code with root privileges.
Snort SIDs: 47039, 47040, 47037, 47062

***

## MOST PREVALENT MALWARE FILES Nov. 15 - 22:
- SHA 256: 187d3fdce705e9e898be4a85b2193d0631bde275bf86c9a0dd510945a9131849
- MD5: b21422c2cbf71010e386770b74060aec
- Typical Filename: pvz_2231500572.exe”; filename=UTF-8’‘pvz_2231500572.exe
- Claimed Product: Fekaputu
- Detection Name: W32.187D3FDCE7-95.SBX.VIOC
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
- MD5: 8c80dd97c37525927c1e549cb59bcbf3
- Typical Filename: eternalblue-2.2.0.exe
- Claimed Product: N/A
- Detection Name: W32.GenericKD:WNCryLdrA.21lx.1201
- SHA 256: 73d876ec3e9c2e459ed771873bd07bb81e56244f7ae395ec7f2368c2f29e9611
- MD5: 68f811127c2e434d13652448bd225ab3
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.73D876EC3E.agent.tht.Talos
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
***

## SPAM STATS FOR Nov. 15 - 22:
#### TOP SPAM SUBJECTS OBSERVED
- “Xero subscription invoice”
- “FW: Confidential documents”
- “Important Microsoft message: You have 11 pending messages”
- “We tried to call you on 15/11/2018 8:14 AM”
- “RE: microsoft technical support”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 16276 OVH SAS
- 4760 HKT Limited
- 44444 Forcepoint Cloud Ltd
- 23528 Sparkpost

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.