Talos Threat Source Newsletters

Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.

December 13, 2018


Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.

By now, everyone has used some kind of third-party messaging app — WhatsApp, Telegram, etc. These services promise to keep users’ messages secure and encrypted, away from the prying eyes of third parties. However, our recent research shows it may be easier than users think for attackers to monitor their account and steal their messages on these services.

This week was also Microsoft Patch Tuesday. You can find our coverage of the 38 vulnerabilities that the company patched here. As part of Patch Tuesday, Adobe also released fixes for a number of vulnerabilities in Acrobat and Reader. We specifically discovered a remote code execution bug in Reader, which Adobe disclosed this week.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

### Event: Indonesia Security Summit

#### Date: Jan. 10, 2019

#### Speaker: Paul Rascagneres

Synopsis: This talk will consist of two parts. First, we will provide an introduction to Cisco Talos and cover what the organization does. Then, we will dive into a specific campaign we recently discovered targeting the Middle East: “DNSpionage.” This malware targeted several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets’ DNS and register SSL certificates for them. We will present the timeline for these two events and their technical details.
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

* Researchers have uncovered a new malware that can steal money from Android users’ PayPal accounts. The trojan is able to bypass two-factor authentication, as well.
* Google is speeding up the shutdown of its Google+ social media site. The company discovered a bug that exposed the account information of more than 52 million users to developers.
* A new Congressional report says that the massive data breach at Equifax was “entirely preventable.” The report also says the credit reporting agency failed to “mitigate its cybersecurity risks.”
* A study of Super Micro chips found no evidence that Chinese manufacturers snuck in spying mechanisms. The company continues to fight back on claims that microchips had potentially been installed to infiltrate American networks.
* Gaming company Razer is encouraging customers to download cryptocurrency mining software. The digital currency mined by these users will go to a platform called GammaNow, which Razer partnered with earlier this year.
* Iranian hackers attempted to access the accounts of U.S. Treasury Department officials. The APT group Charming Kitten is suspected to be behind the attacks.

## NOTABLE RECENT SECURITY ISSUES
### Title: Microsoft discloses 38 bugs as part of Patch Tuesday

Description: Microsoft released its monthly security update, disclosing a variety of vulnerabilities in several of its products. This month’s security update covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.

Snort SIDs: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562

### Title: Adobe fixes security flaws in Acrobat, Reader

Description: Adobe released security updates for Adobe Acrobat and Reader on Windows and MacOS. In all, the company released patches covering 88 vulnerabilities. There are two critical bugs that an attacker could exploit in order to execute code in the context of the current user.

Snort SIDs: 48293, 48294

### Title: New spam campaign delivers CARROTBAT to South Korea

Description: Researchers discovered a new dropper known as “CARROTBAT” that’s being spread in South Korea through spam emails. The dropper can deliver additional decoy documents and secondary payloads, such as remote access trojans, to its victims. The malware allows attackers to drop and open an embedded document in one of 11 different file formats.

Snort SIDs: 48475, 48476, 48479, 48480

***

## MOST PREVALENT MALWARE FILES Dec. 6 - 13:
## SPAM STATS FOR Dec. 6 - 13:

#### TOP SPAM SUBJECTS OBSERVED

- “Invoice for your BNPP Account”
- “PayPal Instant payment”
- “PayPal Instant payment received”
- “You received a PayPal payment”
- “Instant payment received”

#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM

- 8075 Microsoft Corporation
- 46606 Unified Layer
- 29873 The Endurance International Group, Inc.
- 16276 OVH SAS
- 15169 Google LLC
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.
