Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
You’ve probably heard about the “Cyber Moonshot” that the U.S. recently released and approved. But what is it, actually? Should you care? Is it going to actually help anyone? We answer those questions — and vent some more — in the most recent episode of the Beers with Talos podcast.
On the malware front, we have a new report out outlining a new campaign we’re calling “DNSpionage.” This is a two-part study which looks at a new malware family, as well as a DNS redirect campaign that’s targeting governments in the Middle East and a Lebanese airline.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
###Event: Cisco Connect Denver
####Date: Dec. 5
####Speaker: Ashlee Benge
Synopsis: Join Ashlee Benge as she takes part in a day-long education event on all things Cisco. Ashlee will specifically highlight the work that Talos does as part one of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he’ll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Australia’s prime minister pledged to pass a controversial encryption bill before the end of the calendar year. If passed, police would be able to read encrypted messages of individuals involved in criminal investigations.
* A widely used CPAP machine was tracking users’ sleep habits and giving that data to insurance companies. Privacy experts are concerned that information could be used to discriminate against certain patients or increase their costs.
* Brazil’s Federation of Industries of the State of São Paulo exposed about 180 million records of individuals in an unprotected Elasticsearch database.
* The U.S. Postal Service’s API contained a vulnerability that exposed the account information of more than 60 million users. It took the USPS more than a year to fix the bug.
* The U.S. charged two Iranians for orchestrating the SamSam ransomware. The malware existed for about 36 months, and made the actors an estimated $30 million.
* Dell reset the passwords of its users after the company disclosed a potential data breach. Dell said it discovered, and stopped, an attack on Nov. 9, and it believes no information was stolen.
*
##NOTABLE RECENT SECURITY ISSUES
###Title: New malware, DNS redirect campaign goes after Middle East
Description: Cisco Talos discovered two new campaigns targeting the Middle East originating from the same actor. A malware, known as “DNSpionage,” is spreading via malicious Microsoft Office documents. So far, government agencies in Lebanon and the United Arab Emirates have been hit, along with a Lebanese airline company.
Snort SIDs: 48444, 48445
###Title: New Olympic Destroyer variant spotted in wild
Description: A new variant of the Olympic Destroyer malware has been active over the past month with new IOCs and samples that indicate the actor behind the campaign is evolving. The malware now contains a dropper that features anti-analysis measures and delayed execution.
Snort SIDs: 48435, 48436
###Title: Zebrocy malware deployed to targets in Central Asia
Description: The Sednit APT is rolling out two new components of the Zebrocy malware, targeting countries in Central Asia and Eastern Europe. Zebrocy is a set of downloaders, droppers and backdoors. The newer components exfiltrate gathered information by using protocols related to mail services, such as POP3 and SMTP.
Snort SIDs: 48431, 48432
***
##MOST PREVALENT MALWARE FILES Nov. 22 - 29:
- **SHA 256: 90cfabf6f24fd6298a1f11e7de6a101406b952642f303cce54ae58f35ff546aa
- MD5: 0d83a645018d9c2cd6ad9d00ff721636
- Typical Filename: QuickMapsAndDirections-7160824.exe
- Claimed Product: IEInstaller
- Detection Name: PUA.Win.Trojan.Springtech::100.sbx.vioc
- SHA 256: 187d3fdce705e9e898be4a85b2193d0631bde275bf86c9a0dd510945a9131849
- MD5: b21422c2cbf71010e386770b74060aec
- Typical Filename: pvz_2231500572.exe”; filename*=UTF-8’‘pvz_2231500572.exe
- Claimed Product: Fekaputu
- Detection Name: W32.187D3FDCE7-95.SBX.VIOC
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
- MD5: c24315b0585b852110977dacafe6c8c1
- Typical Filename: spoolsv.exe
- Claimed Product: N/A
- Detection Name: W32.DoublePulsar:Malwaregen.21ip.1201
- SHA 256: 935eddc164a994a88c372909593908c2bac327af0f29826f9d8d46da860f54a5
- MD5: 178e27373fc6c417f2b56e67617c2ba9
- Typical Filename: cpnprt2.DLL
- Claimed Product: Coupon Format Type 1
- Detection Name: PUA.Win.Adware.Coupons::1201
**
##SPAM STATS FOR Nov. 22 - 29:
####TOP SPAM SUBJECTS OBSERVED
- “Double @ in From”
- “Erneuern Sie Ihr Konto”
- “Your Amazon Black Friday coupon”
- “Amazon coupon to 50%!”
- “Benachrichtigung: Erneuern Sie Ihr Konto”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 14061 DigitalOcean, LLC
- 4837 CHINA UNICOM China169 Backbone
- 27357 Rackspace Hosting
- 4713 NTT Communications Corporation
**
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.