Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
A recent uptick in Brushaloader shows us that the actors behind it are not slowing down. We’ve recently seen a massive uptick in the malware loader delivering Danabot. In this post, we go over the history of Brushaloader and break down what’s new this time.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
###Event: RSA Conference
Location: Moscone Center, San Francisco, Calif.
####Date: March 4 - 8
####Speaker: Matt Watchinski
Synopsis: Matt Watchinksi, the vice president of Cisco Talos, will partake in one of the keynote addresses at this year’s RSA conference. Watchinski, along with Liz Centoni of Cisco, will discuss how to defend against internet-of-things attacks. As more automated devices are added to our homes every day, it just creates more attack vectors. Watchinski and Centoni will talk about successful defense strategies Cisco has employed in the past.
###Event: SecIT Location: Hannover Congress Center, Hanover, Germany ####Date: March 3 - 4 ####Speaker: Holger Unterbrink Synopsis: The pressure on IT security officers to compete for resistant IT security never ends. Attackers are trying to penetrate companies’ networks with new methods and to monetize deducted data every day. Unterbrink sits at the front and will provide insights into the current threat situation and attack scenarios. * ##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY * U.S. officials charged a former member of the Air Force with defecting in order to help an Iranian cyber espionage unit. The Department of Justice say the woman collected information on former colleagues, and then the Iranian hackers attempted to target those individuals and install spyware on their computers. * The U.S. Department of Justice is dismantling two task forces aimed at protecting American elections. The groups were originally created after the 2016 presidential election to prevent foreign interference but after the 2018 midterms, the Trump administration shrunk their sizes significantly. * Facebook and the U.S. government are closing in on a settlement over several privacy violations. Sources familiar with the discussions say it will likely result in a multimillion-dollar fine, likely to be the largest the Federal Trade Commission has ever imposed on a technology company. * The U.S. is reviving a secret program to carry out supply-chain attacks against Iran. The cyber attacks are targeted at the country’s missile program. Over the past two months, two of Iran’s efforts to launch satellites have failed within minutes, though it’s difficult to assign those failures to the U.S. * Australia says a “sophisticated state actor” carried out a cyber attack on its parliament. The ruling Liberal-National coalition parties say their systems were compromised in the attack. Since then, the country says it’s put “a number of measures” in place to protect its election system. *** ##NOTABLE RECENT SECURITY ISSUES
###Title: New SpeakUp trojan goes after Linux machines, servers Description: A new backdoor trojan known as “SpeakUp,” named after its command and control server, is targeting Linux machines to install cryptocurrency miners. While the attack has so far only targeted servers in East Asia and Latin America, security researchers believe it has the potential to expand. Snort SIDs: 49188
###Title: Additional coverage for Adobe Acrobat vulnerabilities Description: Cisco Talos released additional coverage for a slew of security vulnerabilities that Adobe disclosed in Acrobat and Reader. Forty-three of the bugs Adobe disclosed were considered “critical.” The release impacts Acrobat DC and Reader DC, versions 2019.010.20069 and earlier. Snort SIDs: 49201 - 49204, 49192, 49193, 49196, 49197 *** ##MOST PREVALENT MALWARE FILES Feb. 14 - 21:
- **SHA 256: e4cef790c953b769c08472ace6d6f3321851fb701882ebcb76a78a413ed85505
- MD5: 2c5d83f7abe17e9ccdd6dcc0622a22aa
- Typical Filename: $RECYCLE.BIN.scr
- Claimed Product: N/A
- Detection Name: W32.Generic:Pitin.20ie.1201
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56
- MD5: b6ca0e72b072f40f5544b9fd054d6ed1
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: Auto.3573BF7429.Sbmt.tht.Talos
- SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0
- MD5: d8461f2978de84045e7ad6bea7a60418
- Typical Filename: dwm.exe
- Claimed Product: N/A
- Detection Name: W32.CoinMiner:FileRepMalware.22de.1201
- SHA 256: 83cec41170390e5e6d49ed7bf4fa76ddfb581c9e39d9efe7ed9382957de152dd
- MD5: c913d292a9a907799526695c9ad3bfac
- Typical Filename: 83cec41170390e5e6d49ed7bf4fa76ddfb581c9e39d9efe7ed9382957de152dd.file
- Claimed Product: Advanced Mac Cleaner
- Detection Name: PUA.Osx.Trojan.Amcleaner::other.talos
** ##SPAM STATS FOR Feb. 14 - 21:
####TOP SPAM SUBJECTS OBSERVED - “Your Parcel Delivery Information” - “Your personal discount” - “hi” - “Re: TREAT AS URGENT” - “Pharmacy Discounts”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM - 11878 tzulo, inc. - 206043 Irontec Internet Y Sistemas Sobre Gnu Linux S.l - 16276 OVH SAS - 35017 Swiftway Sp. z o.o. - 29873 The Endurance International Group, Inc. ** Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.