Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Cisco Talos from the past week.
First up, a programming note: The Threat Source newsletter will be taking two weeks off as Cisco goes on its annual winter shutdown. Talos would like to wish everyone a safe and happy holiday season. We will be back bringing you your cybersecurity news on Jan. 10.
Speaking of wrapping up the year, one of the largest trends we saw in 2018 was the rise of cryptocurrency miners. Malicious actors began deploying these miners as the value of cryptocurrencies rose in late 2017. However, that value has plummeted over the past few months. Will this have an impact on the kind of malware we expect to see in 2019? Find out in our blog post here. Also on the topic of cryptocurrency miners, we took a deep dive into some of the most prevalent actors we’ve seen delivering this malware and analyzed how they may be connected.
If you happen to be traveling this week and next for the holidays, the Beers with Talos podcast is here to keep you from going insane while you’re in traffic. In this episode, the guys talk about the recent DNSpionage campaign we uncovered, as well as the first steps a CISO should take when his or her company makes an acquisition (we’re looking at you, Marriott).
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
### Event: Indonesia Security Summit
#### Date: Jan. 10, 2019
#### Speaker: Paul Rascagneres
Synopsis: This talk will consist of two parts. First, we will provide an introduction to Cisco Talos and cover what the organization does. Then, we will dive into a specific campaign we recently discovered targeting the Middle East: “DNSpionage.” This malware targeted several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets’ DNS records and register SSL certificates for them. We will present the timeline for these two events and their technical details.
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Smartphone apps track users’ locations more often than they realize. And often, these companies sell that data to advertisers and even hedge funds without the users’ knowledge.
* Facebook disclosed a bug that allowed app developers to see users’ unposted photos. Facebook said the vulnerability existed in its API for 12 days in September.
* Credit reporting agency Experian mistakenly exposed users’ personal information in its training manuals. The manuals were exposed to the public due to a flaw in the company’s website, but they have since been taken down.
* Facebook gave more private information to other large tech companies than it has let on, according to a new report. The social media company allowed Microsoft’s search engine, Bing, to see the names of all Facebook users’ friends, for example.
* A group of reporters discovered that Android’s facial recognition software on its smartphones can be tricked by a 3-D-printed head model.
* Former U.S. Secretary of State John Kerry confirmed that Russia was behind a cyberattack on the State Department in 2014. While it had largely been speculated that Russian hackers stole important emails from the department, Kerry is the first U.S. official to comment officially on the matter.
## NOTABLE RECENT SECURITY ISSUES
### Title: Microsoft releases out-of-band patch for Internet Explorer
Description: Microsoft released an out-of-band (OOB) patch on Wednesday related to a vulnerability in the scripting engine of Internet Explorer. This particular vulnerability is believed to be actively exploited in the wild and should be patched immediately.
Snort SIDs: 48699 - 48702
### Title: WordPress 5.0.1 fixes several security bugs
Description: WordPress released its latest update, which fixes a number of security vulnerabilities that are considered serious. The most serious flaw allowed the content management system’s “user activation screen” to be indexed by Google, which could cause some users’ login information to become publicly visible. WordPress also warned users about an unauthorized file deletion bug and an unauthorized post creation bug.
Snort SIDs: 48573
***
## MOST PREVALENT MALWARE FILES Dec. 13 - 20:
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: fc62d76945faed86fc11454c8ae1ecc3e8cbb449b8466c7f5aaa9bf45af9730c
- MD5: 1f4ab214b36d80c07898cf1a9efe7d6e
- Typical Filename: MSVSBP20.DLL
- Claimed Product: Microsoft® Win
- Detection Name: W32.FC62D76945-100.SBX.TG
- SHA 256: 709a7dd743ca6a688ee0afc9a67a04c73c4f6fb6559cde2bafadbb5af58f043b
- MD5: 59a06d7e48fd3d80fa2dc1cb859b45cc
- Typical Filename: helperamc
- Claimed Product: Advanced Mac Cleaner
- Detection Name: OSX.709A7DD743.agent.tht.Talos
- SHA 256: e856c759e2dd2e637aaebbfc0eeea4a7f8e7c7a02967b4db2e88dc8914b5b296
- MD5: c76517dc654e6852eae9f2f42a630470
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: OSX.E856C759E2.agent.tht.Talos
- SHA 256: e5f1609df4f67e0e23f3b3409f265722692e5e15a6349bf1157d36b79c5acf9d
- MD5: c9636e35954360b7b1375ee615ba6c24
- Typical Filename: 3dfx32v2.dll
- Claimed Product: Voodoo2® DirectX for Windows® 95
- Detection Name: W32.Auto:e5f160.in03.Talos
***
## SPAM STATS FOR Dec. 13 - 20:
#### TOP SPAM SUBJECTS OBSERVED
- “Re: Qoute #767689”
- “2019-Vereinbarung”
- “Account Summary”
- “Account Suspension”
- “Invoice 6469 from FourthLine”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 16276 OVH SAS
- 8075 Microsoft Corporation
- 5384 Emirates Telecommunications Corporation
- 46606 Unified Layer
- 200069 Mailjet SAS
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.