Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Why should your passwords be like your panties? Find out in this week’s episode of the Beers With Talos podcast, where the guys are joined by Michelle Dennedy, Cisco’s chief privacy officer.
If you are running any Elasticsearch clusters, you need to be paying extra close attention. Our researchers found a recent uptick in attackers targeting these clusters for a variety of attacks, deploying several different types of malware.
On the vulnerability front, we just disclosed a heap overflow vulnerability in Antenna House Rainbow PDF Office Server Document Converter. An attacker who exploits it could gain remote code execution.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
***
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event: RSA Conference
####Location: Moscone Center, San Francisco, Calif.
####Date: March 4 - 8
####Speaker: Matt Watchinski
Synopsis: Matt Watchinski, the vice president of Cisco Talos, will take part in one of the keynote addresses at this year’s RSA Conference. Watchinski, along with Liz Centoni of Cisco, will discuss how to defend against internet-of-things attacks. Every automated device added to a home is another attack vector. Watchinski and Centoni will talk about defense strategies Cisco has employed successfully in the past.
###Event: SecIT
####Location: Hannover Congress Center, Hanover, Germany
####Date: March 3 - 4
####Speaker: Holger Unterbrink
Synopsis: The pressure on IT security officers to keep their organizations’ IT security resilient never ends. Every day, attackers try to penetrate corporate networks with new methods and to monetize the data they steal. Unterbrink works on the front line and will provide insights into the current threat situation and attack scenarios.
***
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Cryptocurrency mining tool Coinhive says it’s shutting down, but not because of malicious use. For months, attackers have abused the tool in malware campaigns, stealing computing power from users to mine cryptocurrency. However, the company behind the miner says it’s shutting down because it’s no longer economically viable to run.
* Several popular apps share users’ personal information with Facebook without users’ knowledge. In many cases this includes personal health information, such as menstrual cycles, heart rates and recent home purchases. The data is sent to Facebook even if the user doesn’t have a Facebook profile.
* A flaw in the Ring doorbell could allow an attacker to spy on users’ homes and even inject falsified video. Because the audio and video recorded by the doorbell are transmitted in plaintext, the vulnerability opens the door to a man-in-the-middle attack against the smart doorbell app.
* Cisco disclosed a severe bug in some of its routers. On Thursday the company urged users of its firewall and VPN routers to patch immediately, warning of a remote code execution vulnerability.
* Cisco Duo recently launched a new service to scan Google Chrome extensions. CRXcavator scans the Chrome Web Store and delivers reports on individual extensions based on the permissions they request and how those permissions could be used.
* Google is under fire for allegedly failing to inform users of a microphone inside its Nest smart hub. While the company says it was never supposed to be a secret, users, security researchers and even politicians are now questioning why the microphone was installed in the first place.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: Drupal patches critical vulnerability
Description: The Drupal content management system disclosed a critical remote code execution vulnerability that could allow an attacker to completely take over a web server. The bug lies in the way some Drupal field types improperly sanitize data from non-form sources, such as RESTful web services. This can lead to arbitrary PHP code execution.
Snort SIDs: 49257
###Title: Cisco releases fixes for vulnerabilities in several of its products
Description: Cisco released a round of security updates for several of its products, including WebEx, HyperFlex and Prime Infrastructure. CVE-2019-1659 is a certificate validation vulnerability in Cisco Prime Infrastructure that could allow an attacker to perform a man-in-the-middle attack against the SSL tunnel between Cisco’s Identity Services Engine and Prime Infrastructure.
Snort SIDs: 49240
***
##MOST PREVALENT MALWARE FILES Feb. 21 - 28:
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload
- Claimed Product: qmreportupload.exe
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56
- MD5: b6ca0e72b072f40f5544b9fd054d6ed1
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: Auto.3573BF7429.Sbmt.tht.Talos
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
- SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
- MD5: 1a5a7532854ab45ac74b1c657fe47941
- Typical Filename: helperamc.zip
- Claimed Product: N/A
- Detection Name: W32.18042540B3-95.SBX.TG
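The hashes above are usable as indicators of compromise. As an added example (not Talos code, and not tooling from the original newsletter), the Python script below embeds that IOC table and sweeps a directory tree, computing SHA-256 and MD5 for each regular file and reporting any match; the directory to sweep is an assumption supplied on the command line.

```python
"""Hash-based IOC sweep using the file hashes listed in this newsletter.

Added example, not Talos code. Walks a directory tree, hashes every regular
file with SHA-256 and MD5, and reports files whose hash appears in the IOC
table. The IOC table is copied from the "Most prevalent malware files" list
above; the directory to sweep is an assumption supplied by the caller.
"""
import hashlib
import os
import sys

# (sha256, md5, detection name) for each sample listed above.
TALOS_IOCS = [
    ("3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3",
     "47b97de62ae8b2b927542aa5d7f3c858", "Win.Trojan.Generic::in10.talos"),
    ("3573bf742920655ec2c28c9ec4ac04194e38096f54c63f0ceb02d366c1034f56",
     "b6ca0e72b072f40f5544b9fd054d6ed1", "Auto.3573BF7429.Sbmt.tht.Talos"),
    ("c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f",
     "e2ea315d9a83e7577053f52c974f6a5a", "W32.AgentWDCR:Gen.21gn.1201"),
    ("15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b",
     "799b30f47060ca05d80ece53866e01cc", "W32.Generic:Gen.21ij.1201"),
    ("18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393",
     "1a5a7532854ab45ac74b1c657fe47941", "W32.18042540B3-95.SBX.TG"),
]


def build_index(iocs):
    """Map every hash (lowercased) to its detection name for O(1) lookups."""
    index = {}
    for sha256, md5, name in iocs:
        index[sha256.lower()] = name
        index[md5.lower()] = name
    return index


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256, md5) hex digests, reading in chunks so large files
    are not loaded into memory at once."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def sweep(root, index):
    """Walk root and return [(path, matched_hash, detection_name)] for each hit.

    Symlinks are skipped so a link into /proc or a loop cannot stall the sweep;
    unreadable files are skipped rather than aborting the whole run."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue
            for digest in (sha256, md5):
                if digest in index:
                    hits.append((path, digest, index[digest]))
                    break  # one report per file
    return hits


if __name__ == "__main__":
    # Assumed usage: python ioc_sweep.py /path/to/scan
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, detection in sweep(root, build_index(TALOS_IOCS)):
        print(f"{path}\t{digest}\t{detection}")
```

A hit on one of these hashes is strong confirmation that the exact listed sample is present; an empty result is not evidence of a clean host, because a recompiled or repacked variant has a different hash. Match on hashes rather than on the "Typical Filename" column, since the filename is trivially changed by the attacker.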
***
##SPAM STATS FOR Feb. 21 - 28:
####TOP SPAM SUBJECTS OBSERVED
- “ITHELPDESK: IMPORTANT!”
- “Fw:As a reminder”
- “Your Forex Purchase statement till the month of January 2019”
- “DHL Shipment Notification”
- “UPS Express Domestic”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 16276 OVH SAS
- 8075 Microsoft Corporation
- 33480 Web Werks
- 46606 Unified Layer
- 4134 No.31,Jin-rong Street
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.