Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
LockerGoga, a malware that straddles the line between a wiper and ransomware, dominated the headlines this week. We’ve got a breakdown of the malware, covering some of its main features and where attackers may be headed with it.
We also have a new method of unmasking IPv6 addresses. In this post, we outline a technique that uses properties of the Universal Plug and Play (UPnP) protocol to get specific IPv4 hosts to divulge their IPv6 addresses. This allows us to enumerate a particular subset of active IPv6 hosts, which can then be scanned.
On a much less technical note, the latest episode of the Beers with Talos podcast is here to deliver hot takes to our listeners. Once the hosts have had their Pop-Tarts, of course.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
### Event: Kaspersky Security Analyst Summit
### Location: Swissôtel The Stamford, Singapore
#### Date: April 8 - 11
#### Speaker: Warren Mercer and Paul Rascagneres
#### Synopsis:
Paul and Warren will deliver an overview of Bahamut, a threat actor that we’ve connected to a variety of malware. Most recently, we believe they could be involved with a mobile device management malware in India that targeted smartphones.

***

## INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

* Norwegian aluminum company Norsk Hydro was hit with a “severe” ransomware attack. The malware affected production operations in the U.S. and Europe. The company says they do not know the origin of the attack and are still working to contain the effects.
* Cisco disclosed several vulnerabilities in some of its IP phones. The bugs could allow an attacker to carry out a cross-site request forgery attack or write arbitrary files to the filesystem. The affected devices are Cisco’s IP Phone 8800 series, a desk phone for businesses that includes HD video features, and the 7800 series, which is mainly used in conference rooms at businesses.
* A new variant of the Mirai botnet is in the wild targeting televisions hosting signage and presentation systems. The malware uses 27 different exploits to infect systems, 11 of which are completely new to Mirai.
* A health care vendor in Singapore mistakenly exposed the personal information of 800,000 blood donors. The vendor reportedly used an unsecured database on an internet-facing server without properly protecting it from unauthorized access. All affected donors have been notified by Singapore’s government.
* Google patched a bug in its Photos app that could have allowed an attacker to track users. The vulnerability opened mobile devices to browser-based timing attacks that could produce information about when, where and with whom a user had taken a photo.
* The European Union hit Google with another fine, this time worth roughly $1.7 billion. A recent report from the European Commission found that Google “shielded itself from competitive pressure” by blocking rivals from placing advertisements on third-party websites through certain clauses in its AdSense contracts.

***

## NOTABLE RECENT SECURITY ISSUES
### Title: Latest WordPress version fixes critical vulnerability
Description: The latest update from WordPress fixes a critical vulnerability that could allow an attacker to completely take over a site. The bug exposed sites to attack via malicious comments containing cross-site scripting payloads if the comments module was enabled. Around 20,000 sites have already been impacted by this exploit.
#### Reference: Snort SIDs: 49448

### Title: Multiple vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud
Description: Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.
#### Reference: Snort SIDs: 47234, 47663, 47809, 47811, 47842, 48261, 48262

***

## MOST PREVALENT MALWARE FILES March 14 - 21:
- SHA 256: aae728ffb953cfcc573c82b63eef7603c9b29c95f42bb032b790d6d51813f7c3
- MD5: ee445f9fa6296b611c72bc81d8f6c19a
- Typical Filename: wusa.exe
- Claimed Product: Microsoft® Windows® Operating System
- Detection Name: W32.aae728ffb9.Malspam.MRT.Talos

- SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
- MD5: b89b37a90d0a080c34bbba0d53bd66df
- Typical Filename: ups.rar
- Claimed Product: Orgs ps
- Detection Name: W32.GenericKD:Trojangen.22ek.1201

- SHA 256: fea935d2d0fb1abadb900f009b4c40bb8a91fd9e25cc76ed4f9dae08960566d5
- MD5: bc7fc83ce9762eb97dc28ed1b79a0a10
- Typical Filename: max.exe
- Claimed Product: WPS Office
- Detection Name: W32.Agent:Malwaregen.22em.1201

- SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
- MD5: f22a024b4c98534e8ba7a1c03b0b6132
- Typical Filename: unpacknw.zip
- Claimed Product: N/A
- Detection Name: Osx.Malware.Bpbw::agent.tht.talos

- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.21ij.1201
***

## SPAM STATS FOR March 14 - 21:

#### TOP SPAM SUBJECTS OBSERVED
- “[EXTERNAL] AGL electricity bill”
- “[BULK] AGL electricity bill”
- “RE: Earning Statement for March 2019.”
- “Your new BT bill”
- “Payment Form”

#### MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 8075 Microsoft Corporation
- 16276 OVH SAS
- 46606 Unified Layer
- 29873 The Endurance International Group, Inc.
- 15169 Google LLC

***

Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.