Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’ve been busy at the RSA Conference this week. If you’re there, be sure to stop by the Cisco Security and Cisco Talos booths to say hi. Matt Watchinski, our vice president, and Liz Centoni, the head of Cisco’s internet-of-things business group, delivered a keynote address Tuesday on protecting IoT devices. You can read our roundup here and check out a recording of the talk here.
On the vulnerability front, we disclosed three bugs in Pixar Renderman today that could allow an attacker to gain root privileges.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Cisco Connect Portland
#### Location: Hilton Portland Downtown, Portland, Ore.
#### Date: March 12
#### Speaker: Nick Biasini
Synopsis: Nick Biasini will deliver the keynote address at Cisco Connect Portland. Nick will give an overview of Cisco Talos and discuss what separates us from the competition. Then, he’ll give an overview of some recent malware we have discovered and talk about how our research has protected customers.
## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* Chinese tech company Huawei is suing the U.S. government. The company alleges that the federal government violated the Constitution when it banned government agencies from buying Huawei software. The two sides have been locked in a war of words over the past year as U.S. officials raise allegations of spying and security concerns against Huawei.
* The National Security Agency released its reverse-engineering tool, Ghidra, to the public. At the RSA security conference, the agency made the software open source. While there are many reverse-engineering tools on the market, the NSA has spent years refining Ghidra, and it is widely believed to be one of the most sophisticated decompilers available.
* A new, layered malware has popped up on the popular Pirate Bay torrenting website. Known as PirateMatryoshka, the trojan disguises itself as a legitimate torrent. Once downloaded, it has numerous layers to it and acts as a downloader to several other malicious programs.
* A relatively unknown threat group known as “Whitefly” is allegedly behind an attack on Singapore’s health care database. Security researchers say the group was behind the exposure of 1.5 million patients’ records in July, most likely using DLL load-order attacks.
* “Scarlett Widow,” a hacking group believed to be based out of Nigeria, recently started a new wave of attacks. The actor has sent several malicious emails to K-12 schools and non-profits, including the Boy Scouts of America. So far the group is believed to have information on 30,000 individuals from 13,000 organizations across 13 different countries.
* More than 300 million private messages in China were exposed on the internet. It is widely believed that the messages, which were transmitted on secure messaging apps, had been collected by the Chinese government. The database made personal identities searchable by anyone who found the IP address.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Cisco patches critical vulnerabilities in RV series of routers
Description: Attackers are actively exploiting a critical bug in Cisco's RV line of small office and home office routers after the company patched it. The vulnerability allows authentication to be bypassed, letting attackers target the routers remotely over the internet. Affected models include the Cisco RV110, RV130 and RV215.
Snort SIDs: 49296
### Title: 19-year-old WinRAR vulnerability finally patched
Description: A micropatch released last week fixes a 19-year-old vulnerability in WinRAR that could allow an attacker to achieve remote code execution. The bug, CVE-2018-20250, could allow an attacker to completely take over a target machine by tricking a user into opening a specially crafted, malicious archive. The latest WinRAR update completely removes support for ACE archives to protect users from this vulnerability.
Snort SIDs: 49289 - 49292
***
## MOST PREVALENT MALWARE FILES March 1 - 7:
- SHA 256: dfe2fcb006df972edf4f8e721bab26cfec809768a0bfbccf5fc661b6ea85dba9
- MD5: b860cf8c4cb5dc676ef4893a704c9f8d
- Typical Filename: MyMapDirections-14900991.exe
- Claimed Product: IEInstaller
- Detection Name: W32.Auto:dfe2fc.in03.Talos

- SHA 256: d7d80bf3f32c20298cad1d59ca8cb4508bad43a9be5e027579d7fc77a8e47be0
- MD5: d8461f2978de84045e7ad6bea7a60418
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: Auto.3573BF7429.Sbmt.tht.Talos

- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Window.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201

- SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
- MD5: 147ba798e448eb3caa7e477e7fb3a959
- Typical Filename: ups.exe
- Claimed Product:
- Detection Name: W32.Variant:Malwaregen.22d1.1201

- SHA 256: [15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b](https://www.virustotal.com/#/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details)
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
***
## SPAM STATS FOR March 1 - 7:
#### TOP SPAM SUBJECTS OBSERVED
- "Get paid to Shop"
- "Unauthorized Login Attempts to you PayPal account "
- "Your UPS Invoice is Ready"
- "DHL Shipment Notification"
- "Mise à jour du compte Microsoft"
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 7506 GMO Internet,Inc
- 27186 Rexnord Industries, LLC
- 8075 Microsoft Corporation
- 46606 Unified Layer
- 4134 No.31,Jin-rong Street
***
Keep up with all things Talos by following us on [Twitter](https://twitter.com/talossecurity?lang=en) and [Facebook](https://www.facebook.com/TalosIntelligence). You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, [here](https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410) (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter [here](https://engage2demand.cisco.com/SubscribeTalosThreatSource).