Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
The latest episode of the Beers with Talos podcast arrived earlier this week, with plenty of talk about home devices. Why are so many attackers going after small and home office routers? How is the average user supposed to protect their internet-of-things devices? The guys run down all of this and more in this episode.
We want to give everyone a reminder that time is running out to submit your talk to the second annual Talos Threat Research Summit. Talos is still looking for cybersecurity experts who want to speak at our conference for defenders, by defenders. This year, it will take place on June 9 in San Diego, the same day that Cisco Live kicks off. Get your submissions in before the end of the day tomorrow.
And, after a long break, the Threat Roundup is here to bring you the top threats we’ve seen — and blocked — over the past week.
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* U.S. regulators have reportedly met to consider levying a massive fine against Facebook. The penalty would cover several scandals that the social media site has gone through over the past year.
* The U.S. government is warning against DNS hijacking attempts. The Department of Homeland Security says several federal government sites were targeted, allowing attackers to intercept web and mail traffic.
* France hit Google with a record-setting fine for violating the GDPR. The company was charged with failing to provide enough information to users about its data consent policies.
* Several consumer protection websites are down as a result of the government shutdown, including the national do-not-call registry.
* A bug in Twitter exposed some private users’ protected tweets. The vulnerability affected Twitter for Android users who made certain changes to their accounts with the “Protect my Tweets” function turned on.
##NOTABLE RECENT SECURITY ISSUES
###Title: APT launches new attacks with FlawedGrace, ServHelper variants
Description: TA505, a well-known attacker with a history of launching ransomware campaigns, is using new variants of the ServHelper backdoor and the FlawedGrace remote access tool. These appear to be long-term investments by the actor, which has been distributing them since November 2018.
Snort SIDs: 48879 - 48887
###Title: BITTER RAT resurfaces in Microsoft-focused attack
Description: A new variant of the BITTER remote access tool is in the wild once again. Attackers are trying to exploit CVE-2017-11882, a vulnerability in Microsoft Office, to download the malware. Victims receive malicious, specially crafted Word documents that issue HTTP GET requests to download the executable payload.
Snort SIDs: 48873 - 48878
***
##MOST PREVALENT MALWARE FILES Jan. 17 - 24:
- SHA 256: f54459dbcda4aae7f983f25a5917a1dbf932fe761b9b18396f1d7568e2e24d84
- MD5: 21a9440e6b5ecec1472da9c3dedab4ab
- Typical Filename: 3dfx32v2.dll
- Claimed Product: Voodoo2® DirectX for Windows® 95
- Detection Name: Auto.F54459DBCD.Sbmt.tht.Talos
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
- MD5: b23f736c46d9fa238b02c9eb0cea37cf
- Typical Filename: CONFIGURETGN.EXE
- Claimed Product: N/A
- Detection Name: W32.Auto:6d36f9.in03.Talos
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
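The list above is most useful when it is actually matched against files on disk. The following is an added example, not Talos code or tooling: it loads the SHA-256 and MD5 values from the list, hashes files in a directory tree in chunks, and reports any that match. The sample file it scans is constructed here and is benign; it only borrows one of the "Typical Filename" values to show that a filename on its own is not an indicator. A hit on MD5 alone should be confirmed by SHA-256, since MD5 is not collision resistant.

```python
"""
Hash-match local files against the SHA-256/MD5 indicators listed above.
Added example; not Talos code. The IOC values are copied from the list above;
the sample file used for the demonstration is constructed here and is benign.
"""
import hashlib
import os
import tempfile

# SHA-256 values from the "Most prevalent malware files" list above (Jan. 17 - 24).
IOC_SHA256 = {
    "f54459dbcda4aae7f983f25a5917a1dbf932fe761b9b18396f1d7568e2e24d84",
    "3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3",
    "6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f",
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b",
}
# MD5 values from the same list. MD5 is not collision resistant, so treat an
# MD5-only hit as a lead to confirm by SHA-256, not as proof.
IOC_MD5 = {
    "21a9440e6b5ecec1472da9c3dedab4ab",
    "47b97de62ae8b2b927542aa5d7f3c858",
    "b23f736c46d9fa238b02c9eb0cea37cf",
    "e2ea315d9a83e7577053f52c974f6a5a",
    "799b30f47060ca05d80ece53866e01cc",
}


def hash_file(path, chunk_size=1 << 20):
    """Return {'sha256': hex, 'md5': hex} for a file, reading it in chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def match_file(path, sha256_set=IOC_SHA256, md5_set=IOC_MD5):
    """Hash one file; return (digests, list of algorithms whose digest matched an IOC)."""
    digests = hash_file(path)
    hits = [alg for alg, ioc in (("sha256", sha256_set), ("md5", md5_set))
            if digests[alg] in ioc]
    return digests, hits


def scan_directory(root, sha256_set=IOC_SHA256, md5_set=IOC_MD5):
    """Walk a directory tree; return [(path, sha256, hits)] for every matching file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests, hits = match_file(path, sha256_set, md5_set)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the scan
            if hits:
                findings.append((path, digests["sha256"], hits))
    return findings


def make_constructed_sample(directory=None):
    """Write a benign, constructed file (not malware) and return (directory, path).
    The name is borrowed from the list above to show a filename is not an indicator."""
    directory = directory or tempfile.mkdtemp(prefix="ioc_demo_")
    path = os.path.join(directory, "3dfx32v2.dll")
    with open(path, "wb") as fh:
        fh.write(b"constructed benign sample for the hash-matching demo\n")
    return directory, path


if __name__ == "__main__":
    demo_dir, sample = make_constructed_sample()
    # Against the real IOC list the benign file does not match, whatever it is named.
    print("real IOC list:", scan_directory(demo_dir))
    # Simulate a hit by adding the sample's own digests to a copy of the list.
    digests = hash_file(sample)
    print("with sample added:", scan_directory(
        demo_dir,
        sha256_set=IOC_SHA256 | {digests["sha256"]},
        md5_set=IOC_MD5 | {digests["md5"]},
    ))
```

Run it against a suspect directory with `scan_directory("/path/to/check")`; unreadable files are skipped rather than stopping the scan, and the returned SHA-256 is what to submit or pivot on, not the filename or the MD5.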
##SPAM STATS FOR Jan. 17 - 24:
####TOP SPAM SUBJECTS OBSERVED
- “REVIEW”
- “DOA Help Desk.”
- “[EXTERNAL] Reminder: Telstra TBS Documents”
- “Reminder: Telstra TBS Documents”
- “Your Amazon.com order”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 29873 The Endurance International Group, Inc.
- 46606 Unified Layer
- 16276 OVH SAS
- 8075 Microsoft Corporation
- 15169 Google LLC
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.