Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’ve got a new episode of the Beers with Talos podcast to keep you company as you transition into the weekend. This week, the guys break down the recent ExileRAT malware our researchers discovered earlier this year.
If you haven’t already, you need to update your Microsoft products. The company disclosed 69 vulnerabilities this week as part of its monthly security update. The latest Patch Tuesday covers 69 vulnerabilities, 20 of which are rated “critical,” 46 that are considered “important” and three that are “moderate.”
Have you ever wanted to hack a massive oil pump? Well, we can’t really help you with that. But we can show you how to do it on a much smaller scale. We recently released a model of an oil pump jack that you can 3-D print at home and run several tests on to see the impact of a potential cyber attack on its function. Or, look for us at a future conference where we’ll be showing this off.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event: RSA Conference
Location: Moscone Center, San Francisco, Calif.
####Date: March 4 - 8
####Speaker: Matt Watchinski
Synopsis: Matt Watchinksi, the vice president of Cisco Talos, will partake in one of the keynote addresses at this year’s RSA conference. Watchinski, along with Liz Centoni of Cisco, will discuss how to defend against internet-of-things attacks. As more automated devices are added to our homes every day, it just creates more attack vectors. Watchinski and Centoni will talk about successful defense strategies Cisco has employed in the past.
####Reference:
###Event: SecIT
Location: Hannover Congress Center, Hanover, Germany
####Date: March 3 - 4
####Speaker: Holger Unterbrink
Synopsis: The pressure on IT security officers to compete for resistant IT security never ends. Attackers are trying to penetrate companies’ networks with new methods and to monetize deducted data every day. Unterbrink sits at the front and will provide insights into the current threat situation and attack scenarios.
*
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Email provider VFEmail says it suffered a “catastrophic” cyber attack. The company warned that about 18 years’ worth of customers’ emails may be permanently gone. “Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail representatives said in a statement.
*Russia is considering isolating itself from the global internet. The Kremlin is experimenting with a new practice of only routing the country’s web requests through the country and not internationally. The country will run a test later this year in an effort to test its cyber defenses.
*Apple released fixes for multiple security flaws in iOS. Two of the vulnerabilities, which were discovered by Google’s threat research team, were being exploited in the wild. The bugs could allow an attacker to escalate their privileges and eventually completely take over a device.
*Blockchain technology could be useful in detecting deepfake videos, specifically in police body cameras. A new tool called Amber Authenticate runs in the background of cameras to record the hashes of the video, which would appear different a second time if the user had edited the video. All of these results are recorded on the public blockchain.
*India requested Facebook give its government a backdoor into the WhatsApp messaging app. This would require Facebook to give the government access to users’ encrypted messages that were originally secret.
*Two U.S. senators are requesting an investigation into foreign VPN services. The senators say the companies could pose a national security risk.
**
##MOST PREVALENT MALWARE FILES Feb. 7 - 14:
- **SHA 256: 04edbb92c51ef022f062305aeb9c94d38ede2af1b303c6f62af44d67a27148af
- MD5: 72722777d66068638c3fad04adfd71cf
- Typical Filename: ipts.exe
- Claimed Product: Traffic Spirit
- Detection Name: W32.04EDBB92C5-95.SBX.TG
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
- MD5: 1a5a7532854ab45ac74b1c657fe47941
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.18042540B3-95.SBX.TG
- SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
- MD5: b23f736c46d9fa238b02c9eb0cea37cf
- Typical Filename: CONFIGURETGN.EXE
- Claimed Product: N/A
- Detection Name: W32.Auto:6d36f9.in03.Talos
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
**
##SPAM STATS FOR Feb. 7 - 14:
####TOP SPAM SUBJECTS OBSERVED
- “Your personal discount”
- “hi”
- “Pharmacy Discounts”
- “Benefits_Docs#621”
- “This account has been hacked! Change your password right now!”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 30633 Leaseweb USA, Inc.
- 24940 Hetzner Online GmbH
- 203377 Okkes Uzunca trading as Fiberserver Internet Teknolojileri
- 209737 Muhammet Meric trading as Meric Hosting
- 16276 OVH SAS
**
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.