Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
On the malware front, this week we tracked a campaign spreading malicious emails that claimed to contain information about a job opening with Cisco in Korea. We believe an actor behind these attacks has a history of sending out malicious emails as part of multi-stage infections.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.

## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: RSA Conference
Location: Moscone Center, San Francisco, Calif.
#### Date: March 4 - 8
#### Speaker: Matt Watchinski
Synopsis: Matt Watchinski, the vice president of Cisco Talos, will take part in one of the keynote addresses at this year's RSA Conference. Watchinski, along with Liz Centoni of Cisco, will discuss how to defend against internet-of-things attacks. Every automated device added to a home is another potential attack vector. Watchinski and Centoni will talk about defense strategies Cisco has employed successfully in the past.
### Event: SecIT
Location: Hannover Congress Center, Hanover, Germany
#### Date: March 3 - 4
#### Speaker: Holger Unterbrink
Synopsis: The pressure on IT security officers to maintain resilient IT security never ends. Every day, attackers try to penetrate companies' networks with new methods and to monetize stolen data. Unterbrink works on the front line and will provide insights into the current threat situation and attack scenarios.

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

* Apple disabled its Group FaceTime service after a bug was discovered that allowed a caller to listen in on the recipient's audio before the call was answered. The company's delayed response to the vulnerability prompted New York's attorney general to launch an investigation.
* A new APT believed to be associated with Iran is spying on Iranian citizens in an attempt to collect personal information. APT39 primarily uses the SEAWEED and CACHEMONEY backdoors, as well as a variant of the POWBAT backdoor.
* The United Arab Emirates has assembled a new hacking team targeting opponents of the Arab monarchy. Many of the team's members formerly worked as hackers for the U.S. National Security Agency.
* Facebook is reportedly paying some younger users to install a VPN on their phones. The social media company then monitors those users' traffic to gather data on its competitors.
* The FBI and Air Force are working together to dismantle a North Korean botnet. The two groups obtained search warrants earlier this year that allowed them to join the botnet, called "Joanap," and take it down from the inside.
* A group of hackers is passing around a collection of 2.2 billion login credentials. This is a continuation of a massive trove of personal data discovered by a security researcher earlier this year.
* A new cryptocurrency miner targeting Macs also has the ability to steal login credentials, iPhone messages and browser cookies.

***

## NOTABLE RECENT SECURITY ISSUES
### Title: Cisco discloses several flaws in WebEx, SD-WAN Solution
Description: There are several vulnerabilities in a variety of Cisco products, which the networking company patched last week. The most notable is a critical vulnerability in the SD-WAN Solution that could allow an attacker to execute arbitrary code as the root user on the affected device. There are also remote code execution vulnerabilities in WebEx.
Snort SIDs: 48946 - 48962
### Title: Rocke APT back on the scene with cryptocurrency miner
Description: The well-known Rocke APT, which is infamous for its cryptocurrency miners, recently began using new Linux-focused malware. The new family can locate and remove cloud security products from the host before installing a cryptocurrency miner.
Snort SIDs: 48938, 48939

***

## MOST PREVALENT MALWARE FILES Jan. 24 - 31:
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201

- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201

- SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
- MD5: 1a5a7532854ab45ac74b1c657fe47941
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.18042540B3-95.SBX.TG

- SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
- MD5: b23f736c46d9fa238b02c9eb0cea37cf
- Typical Filename: CONFIGURETGN.EXE
- Claimed Product: N/A
- Detection Name: W32.Auto:6d36f9.in03.Talos
***

## SPAM STATS FOR Jan. 24 - 31:

#### TOP SPAM SUBJECTS OBSERVED
- "57040849684__F588CA4B-08EB-4607-B3FC-35E7B0BAB923"
- "Benefits_Docs#621"
- "Strehlow, Frank RG A74W73I"
- "Important Account Update"
- "WARNING: LOW QUOTA"

#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 46606 Unified Layer
- 29873 The Endurance International Group, Inc.
- 4760 HKT Limited
- 36351 SoftLayer Technologies Inc.

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.