Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Point-of-sale malware tends to grab headlines — any time Target credit card records get breached, the news is on it. We’ve discovered a new PoS malware, called “GlitchPOS” that the creator is selling online. Based on the information we discovered, it would be possible for nearly anyone to buy the malware and set up their own botnet with relative ease.
On the vulnerability front, besides Microsoft Patch Tuesday (more on that below), we discovered a privilege escalation vulnerability in CleanMyMac X by MacPaw. The bug could allow an attacker to elevate their privileges and execute commands at the level of the current user.
If you missed us at RSA, we have a wrap-up on our blog, complete with an interview with our vice president, Matt Watchinski, and Liz Centoni, a senior vice president at Cisco and head of the IoT business group. There are also some photos from around the conference and a look at the Cisco Security booth.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Kaspersky Security Analyst Summit
### Location: Swissôtel The Stamford, Singapore
#### Date: April 8 - 11
#### Speaker: Warren Mercer and Paul Rascagneres
#### Synopsis: Paul and Warren will deliver an overview of Bahamut, a threat actor that we’ve connected to a variety of malware. Most recently, we believe they could be involved with a mobile device management malware in India that targeted smartphones.

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
- The U.S. warned Germany that using Huawei’s 5G technology could result in a drop in information-sharing. American officials have consistently criticized the use of the Chinese company’s technology, saying it poses a national security risk. If other countries were to use Huawei’s 5G network, the U.S. says it would fear its intelligence was not being kept safe.
- It is reported that a hacking group stole an estimated six terabytes of data from the Citrix enterprise network. The company said it took steps to contain this data breach after it was alerted by the FBI, but thousands of customers’ information could still be at risk. It is not yet known what the nature of the information taken was.
- Adobe fixed multiple remote code execution vulnerabilities in Photoshop and Digital Editions. The company released its monthly security update earlier this week. Two of the vulnerabilities were classified as critical, as an attacker could exploit them to execute code in the context of the current user.
- Video app TikTok paid a $5.7 million fine to the Federal Trade Commission this week as part of a settlement. The FTC ruled that the app, which allows users to upload short videos of themselves performing songs, improperly handled the data of users who are under the age of 13.
- Two U.S. Senators introduced a new bill that would overhaul the country’s child privacy laws. The new bill would give parents complete control over their children’s data online, and even allow them to completely erase information from certain websites. It would also ban targeted ads toward anyone under the age of 13.
- Security researchers discovered a critical flaw in Switzerland’s new voting system that would allow attackers to manipulate votes. The group is now urging the Swiss government to halt the rollout of the online system.

## NOTABLE RECENT SECURITY ISSUES
### Title: Patch Tuesday includes 17 critical Microsoft vulnerabilities
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 64 vulnerabilities, 17 of which are rated “critical,” 45 that are considered “important” and one “moderate” and “low” vulnerability each. This release also includes two critical advisories: one covering security updates to Adobe Flash Player and another concerning SHA-2.
Snort SIDs: 45142, 45143, 46554, 46555, 48051, 48052, 49172, 49173, 49364 - 49369, 49371, 49372, 49378 - 49395, 49400 - 49403
### Title: Multiple vulnerabilities in Pixar Renderman
Description: The MacOS version of Pixar Renderman contains three local vulnerabilities in its install helper tool. An attacker could exploit these bugs to escalate their privileges to root. Renderman is a rendering application used in animation and film production produced by Pixar, a well-known film studio. When installing the application, a helper tool is installed and launched as root. This service continues to listen even after installation is complete. These vulnerabilities lie in the Dispatch function of this helper tool.
Snort SIDs: 48450 - 48453, 49088, 49089
## MOST PREVALENT MALWARE FILES March 7 - 14:
- SHA 256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f
- MD5: 38de5b216c33833af710e88f7f64fc98
- Typical Filename: SECOH-QAD.exe
- Claimed Product: N/A
- Detection Name: W32.Hacktool.22ei.1201
- SHA 256: 225bb8a1bdcd0132a3624fde62f109a4d59056bc7418a7838b6ac0997127259b
- MD5: f953dd9537961aa72648f39379b7ff51
- Typical Filename: SOA.doc
- Claimed Product: N/A
- Detection Name: W32.225BB8A1BD-95.SBX.TG
- SHA 256: 6d36f92ee3f1a7be56e00118cebf62fc4f3f127e307f5a4e7f008793ca549671
- MD5: b23f736c46d9fa238b02c9eb0cea37cf
- Typical Filename: CONFIGURETGN.EXE
- Claimed Product: N/A
- Detection Name: Win.Malware.Generic::in03.talos
- SHA 256: 18042540b39d543e9e648e5d0b059d2e8c74889bb9353674be59c94da265f393
- MD5: 1a5a7532854ab45ac74b1c657fe47941
- Typical Filename: helperamc.zip
- Claimed Product: Advanced Mac Cleaner
- Detection Name: W32.18042540B3-95.SBX.TG
- SHA 256: 60c5f5f3b78b151fe6a01d4957ad536496b646e9d8288703d10fb8a03afb3b64
- MD5: efcaf7a94501ad0c9a37f459a91e493f
- Typical Filename: 1SOAJAN19_exe.bin
- Claimed Product: MONARCHOMACHIC9
- Detection Name: W32.60C5F5F3B7-100.SBX.T
## SPAM STATS FOR March 7 - 14:
#### TOP SPAM SUBJECTS OBSERVED
- “Your UPS Invoice is Ready”
- “ATTENTION NEEDED”
- “UPS Shipment Notification”
- “UPS Invoice Notification”
- “débloquer votre carte n26”
#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 46606 Unified Layer
- 29873 The Endurance International Group, Inc.
- 16276 OVH SAS
- 36351 SoftLayer Technologies Inc.

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.