Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
Our researchers recently discovered a command injection vulnerability in Netgate pfSense’s system_advanced_misc.php powerd_normal_mode. pfSense is a free and open-source firewall and router that also features unified threat management, load balancing and multi-WAN, among other features. You can read about the vulnerability here and see our coverage.
ClamAV users will be happy to know the new 0.101.0 is here with a slew of new features. There’s now support for RAR v5 archive extraction, changes to the Libclamav API and two new scan options.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Marriott says more than 500 million Starwood Hotels guests had their information stolen in a yearslong hack. The company says it discovered the data breach in September, but it may date back to 2014.
* Several car manufacturers are sending data to the Chinese government without drivers’ knowledge. Often, this data includes the location of the car and dozens of other data points.
* House Republicans say they were affected by a cyberattack during the 2018 midterm election cycle. The Republican National Committee says it alerted the FBI and also started its own internal investigation.
* Anonymous Q&A website Quora says 100 million users had their account information compromised. The site said it discovered last week that a “malicious third party” gained access to some of their systems.
* Australia passed a controversial bill that forces tech companies to hand over encrypted data. Parties that refuse to hand over such information when it relates to suspected illegal activity could face a fine of up to $7.8 million and possible jail time.
##NOTABLE RECENT SECURITY ISSUES
###Title: Cisco Prime License Manager SQL injection vulnerability
Description: A vulnerability in the web framework code of Cisco Prime License Manager could allow a remote, unauthenticated attacker to execute arbitrary SQL queries. The flaw lies in how the application validates user-supplied input that is used in SQL queries. An attacker could exploit it by sending specially crafted HTTP POST requests containing malicious SQL statements to an affected application.
Snort SIDs: 48454, 48455
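To make the injection pattern concrete, here is an added Python/sqlite3 illustration of an unvalidated POST field spliced into a query, beside the parameterized fix. It is not Cisco Prime License Manager code and says nothing about that product's schema or framework; the table, rows, field name and payload are constructed for the example.

```python
"""SQL injection through an unvalidated POST field, beside the parameterized fix.

Added illustration in Python/sqlite3; NOT Cisco Prime License Manager code. The
table, its rows, the 'owner' field and the payload are constructed for the demo.
"""
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's license data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, owner TEXT, product TEXT)")
    conn.executemany(
        "INSERT INTO licenses (owner, product) VALUES (?, ?)",
        [("alice", "PLM-Standard"), ("bob", "PLM-Enterprise")],
    )
    return conn


def owner_from_post_body(body: str) -> str:
    """Pull the (hypothetical) 'owner' field out of a form-encoded POST body."""
    return parse_qs(body).get("owner", [""])[0]


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: the POST value is spliced into the SQL text, so a quote
    in the value terminates the string literal and the rest becomes SQL."""
    sql = f"SELECT owner, product FROM licenses WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Fixed pattern: the value travels as a bound parameter and can never change
    the shape of the query, whatever characters it contains."""
    return conn.execute(
        "SELECT owner, product FROM licenses WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed POST body carrying the tautology payload  x' OR '1'='1
    body = "owner=x%27+OR+%271%27%3D%271"
    owner = owner_from_post_body(body)
    print("decoded value:", owner)
    print("unsafe:", lookup_unsafe(conn, owner))   # every row comes back
    print("safe  :", lookup_safe(conn, owner))     # no row matches the literal string
```

The vulnerable query becomes `... WHERE owner = 'x' OR '1'='1'`, which is true for every row; the bound-parameter version compares the column against the literal string `x' OR '1'='1` and returns nothing.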
###Title: Netgate pfSense system_advanced_misc.php powerd_normal_mode command injection vulnerability
Description: A command injection vulnerability exists in Netgate pfSense's system_advanced_misc.php. The 'powerd_normal_mode' parameter of POST requests to that page is not sanitized, so a value supplied in that parameter can be used to inject operating system commands.
Snort SIDs: 48178
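The following is an added Python illustration of the unsanitized-parameter pattern and of two fixes; it is not pfSense's PHP source and makes no claim about how system_advanced_misc.php actually builds its command. Only the parameter name comes from the advisory. The allowlist of powerd(8) mode names, the constructed POST body and the use of `echo` in place of the real binary are assumptions made so the demo runs anywhere.

```python
"""Command injection via an unsanitized POST parameter, with a partial and a full fix.

Added illustration in Python; NOT pfSense code. Only the parameter name
'powerd_normal_mode' is taken from the advisory. The allowlist below is an
assumption based on the modes FreeBSD powerd(8) accepts, and 'echo' stands in for
the real command so nothing on the host is actually reconfigured.
"""
import subprocess
from urllib.parse import parse_qs

# Assumed allowlist of legal values (powerd -n modes); pfSense's form values may differ.
POWERD_MODES = frozenset({"maximum", "minimum", "adaptive", "hiadaptive"})


def mode_from_post_body(body: str) -> str:
    """Pull powerd_normal_mode out of a form-encoded POST body (empty string if absent)."""
    return parse_qs(body).get("powerd_normal_mode", [""])[0]


def run_unsafe(mode: str) -> str:
    """Vulnerable pattern: interpolate the raw parameter into a shell command string.
    A ';' in the value ends the intended command and starts an attacker-chosen one."""
    cmd = f"echo powerd -n {mode}"          # 'echo' stands in for the real binary
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(mode: str) -> str:
    """Partial fix: pass the parameter as one argv element with no shell involved.
    Metacharacters are no longer interpreted, but arbitrary text still reaches the
    command, which is why the allowlist in run_safe is still needed."""
    return subprocess.run(["echo", "powerd", "-n", mode],
                          capture_output=True, text=True).stdout


def run_safe(mode: str) -> str:
    """Full fix: reject anything outside the allowlist, then still avoid the shell."""
    if mode not in POWERD_MODES:
        raise ValueError(f"rejected powerd_normal_mode value: {mode!r}")
    return subprocess.run(["echo", "powerd", "-n", mode],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed POST body: a legal mode followed by an injected second command.
    body = "powerd_normal_mode=adaptive%3B+echo+INJECTED"
    mode = mode_from_post_body(body)
    print("decoded  :", repr(mode))
    print("unsafe   :", run_unsafe(mode).splitlines())     # two commands ran
    print("argv only:", run_argv_only(mode).splitlines())  # one command, garbage argument
    try:
        run_safe(mode)
    except ValueError as exc:
        print("safe     :", exc)
```

With the shell in the loop the decoded value `adaptive; echo INJECTED` produces two lines of output, i.e. two commands executed; passing it as a single argv element confines it to one argument, and the allowlist check stops it before any process is started.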
###Title: APT switches attacks from ransomware to trojan
Description: The hacking group TA505 is back with a new trojan known as "tRat." The malware targets financial institutions with the goal of stealing credentials, financial data and other customer information. TA505 has been active for years and is behind some of the best-known malware families, including Locky and Dridex.
Snort SIDs: 48466 - 48468

##MOST PREVALENT MALWARE FILES Nov. 29 - Dec. 6:
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos

- SHA 256: 9a7286ab998af68c4e1c80ff9d7c77569a450f90de11923f13a0d724574f98fa
- MD5: 822b24cdb456059bb8e6aa3a88b65707
- Typical Filename: remote-trial.zip
- Claimed Product: N/A
- Detection Name: PUA.Win.Dropper.Remoteadmin::in01

- SHA 256: 0777cf69bbf14a13aa73bb4ea638d5d5863a11f8f16494e14b3068d154a428ee
- MD5: b5a8f6b111211256ba83abcb3cd1d61a
- Typical Filename: VirusShare_b5a8f6b111211256ba83abcb3cd1d61a
- Claimed Product: pup
- Detection Name: W32.0777CF69BB-100.SBX.VIOC

- SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
- MD5: 1a5a7532854ab45ac74b1c657fe47941
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.18042540B3-95.SBX.TG

- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
##SPAM STATS FOR Nov. 29 - Dec. 6:
####TOP SPAM SUBJECTS OBSERVED
- "[SPAM] [SPAM] Problemas con su situación fiscal. Regularizar de inmediato" (Spanish: "Problems with your tax situation. Regularize immediately")
- "Resignation Notice"
- "New voice message from: +1 925-548-6336"
- "Citrix ShareFile Password Reset"
- "INVALID SWIFT CODE"
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 4760 HKT Limited
- 46606 Unified Layer
- 11377 SendGrid, Inc.
- 15169 Google LLC

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.