Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
First up, an announcement. This will be the last edition of the Threat Source newsletter in its current form. Anyone receiving this email today will begin receiving a broader Cisco Security newsletter each week. It will still contain links to Talos, but will also promote other content across the Cisco Security portfolio.
We will be converting the Talos Threat Source newsletter into a regular post on the Talos blog. Please bookmark blog.talosintelligence.com to check for regular updates and our latest research. We will eventually be returning Threat Source to its newsletter form, but please be patient with us in the meantime.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
If you want to see one of our researchers out and about, be sure to check below for upcoming public engagements where they will represent Talos.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event: Kaspersky Security Analyst Summit
####Location: Swissôtel The Stamford, Singapore
####Date: April 8 - 11
####Speaker: Warren Mercer and Paul Rascagneres
####Synopsis: Paul and Warren will deliver an overview of Bahamut, a threat actor that we’ve connected to a variety of malware. Most recently, we believe the group could be behind a malicious mobile device management (MDM) campaign in India that targeted smartphones.
***
##INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
* ASUS had to release an emergency fix after attackers compromised its Live Update utility and used it to push a backdoor, known as “ShadowHammer,” to ASUS machines disguised as a legitimate ASUS update. ASUS released a new version of the update tool that promises “multiple security verification mechanisms” to reduce the chance of future attacks, and says it has started using an “enhanced end-to-end encryption mechanism.”
* Facebook kept hundreds of millions of users’ passwords stored in plaintext for years. The company says it has found no evidence that employees with access to that data abused the privilege. Reportedly, the passwords of between 200 million and 600 million users were stored in plaintext and searchable by more than 20,000 Facebook employees.
* The U.S. Federal Emergency Management Agency (FEMA) mistakenly exposed the personally identifiable information (PII) of disaster survivors. The agency says it shared more data with a third-party contractor than necessary, including PII, but has no indication that the information has been used maliciously.
* Norwegian aluminum producer Norsk Hydro estimates it lost $40 million in the week after it was struck by a ransomware attack. The company says its Building Systems unit is still almost completely shut down, and its Extruded Solutions unit was, at one point, running at 50 percent of its normal capacity.
* Cisco released patches for 27 vulnerabilities in IOS XE. The company also warned that two small-office routers, the RV320 and RV325, are still open to attack; as of Thursday morning, no patches were available for those two routers. Snort users should deploy rules 49606 - 49612 and 49588 - 49591 to protect themselves from these bugs.
* iOS 12.2 included fixes for more than 50 vulnerabilities in Apple products, including bugs in high-profile apps such as Contacts, FaceTime, Mail and Messages. It also fixed a WebKit vulnerability that could have allowed a website viewed in Safari to access the user’s microphone without any notification.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: Two serious bugs in WordPress affect popular plugins
Description: Two of the most popular plugins for the WordPress content management system were patched for vulnerabilities that could allow an attacker to run their own extensions on top of affected websites. Although patches are available, the two plugins still appear to be downloaded often.
Snort SIDs: 49541 - 49543
###Title: Trickbot dropping IcedID banking trojan
Description: Security researchers recently found that the IcedID banking trojan and Trickbot, which has been observed dropping it, may be more closely related than once thought. Ties between the two malware families may date back as far as six years, although they were first discovered about a year apart. Researchers with IBM’s X-Force say there has been a recent uptick in threat actors working together to deliver different kinds of banking trojans.
Snort SIDs: 49544 - 49547, 49549 - 49551
***
##MOST PREVALENT MALWARE FILES March 21 - 28:
- SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
- MD5: f22a024b4c98534e8ba7a1c03b0b6132
- Typical Filename: unpacknw.zip
- Claimed Product: N/A
- Detection Name: Osx.Malware.Bpbw::agent.tht.talos
- SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933
- MD5: 6b62b380b8b14b261c5bfdfe7b017cdd
- Typical Filename: csrs.exe
- Claimed Product: Microsoft® Windows® Operating System
- Detection Name: Win.Dropper.Shelma::1201
- SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
- MD5: 4cf6cc9fafde5d516be35f73615d3f00
- Typical Filename: ok.exe
- Claimed Product: 易语言程序 (Easy Programming Language program)
- Detection Name: W32.Trojangen:TR.22ew.1201
- SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
- MD5: b89b37a90d0a080c34bbba0d53bd66df
- Typical Filename: u.exe
- Claimed Product: Orgs ps
- Detection Name: W32.GenericKD:Trojangen.22ek.1201
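To put the list above to use, here is an added example (not Talos code, and not part of the original newsletter) that transcribes the ten hashes into a lookup table and sweeps a directory for them, reporting each hit by its Talos detection name. The directory to scan is taken from the command line (defaulting to the current directory); everything else is computed locally with the standard library.

```python
import hashlib
import os
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Indicators transcribed from the "Most prevalent malware files" list above,
# keyed by hash (SHA-256 and MD5) and mapped to the Talos detection name.
TALOS_IOCS: Dict[str, str] = {
    "dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b": "Osx.Malware.Bpbw::agent.tht.talos",
    "f22a024b4c98534e8ba7a1c03b0b6132": "Osx.Malware.Bpbw::agent.tht.talos",
    "3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3": "Win.Trojan.Generic::in10.talos",
    "47b97de62ae8b2b927542aa5d7f3c858": "Win.Trojan.Generic::in10.talos",
    "4958c38ba2d7def9ba44c5382f2c5a41c619d5a5eedfb8ac4697dbf75c306933": "Win.Dropper.Shelma::1201",
    "6b62b380b8b14b261c5bfdfe7b017cdd": "Win.Dropper.Shelma::1201",
    "8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56": "W32.Trojangen:TR.22ew.1201",
    "4cf6cc9fafde5d516be35f73615d3f00": "W32.Trojangen:TR.22ew.1201",
    "46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044": "W32.GenericKD:Trojangen.22ek.1201",
    "b89b37a90d0a080c34bbba0d53bd66df": "W32.GenericKD:Trojangen.22ek.1201",
}


def _digests(chunks: Iterable[bytes]) -> Tuple[str, str]:
    """Feed chunks through SHA-256 and MD5 in a single pass; return both hex digests."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    for chunk in chunks:
        sha256.update(chunk)
        md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """(sha256, md5) of an in-memory blob."""
    return _digests([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """(sha256, md5) of a file, read in chunks so large binaries never sit fully in memory."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def lookup(sha256: str, md5: str, iocs: Dict[str, str] = TALOS_IOCS) -> Optional[str]:
    """Return the detection name for a hash pair, or None if neither hash is listed.

    SHA-256 is checked first and is the authoritative match. MD5 is kept only
    because many feeds still publish it; MD5 collisions are practical, so an
    MD5-only hit should be confirmed against the SHA-256 before acting on it.
    """
    return iocs.get(sha256.lower()) or iocs.get(md5.lower())


def walk_files(root: str) -> Iterator[str]:
    """Yield every regular file path beneath root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


def scan(paths: Iterable[str], iocs: Dict[str, str] = TALOS_IOCS) -> List[Tuple[str, str, str]]:
    """Hash every path and return (path, sha256, detection_name) for each IOC hit."""
    hits: List[Tuple[str, str, str]] = []
    for path in paths:
        try:
            sha256, md5 = hash_file(path)
        except OSError:
            continue  # unreadable or vanished file: skip it rather than abort the sweep
        name = lookup(sha256, md5, iocs)
        if name:
            hits.append((path, sha256, name))
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, sha256, name in scan(walk_files(root)):
        print(f"{name}\t{sha256}\t{path}")
```

Run it as `python ioc_sweep.py /path/to/suspect/tree`. The MD5 entries are matched only as a convenience for hosts whose existing tooling still records MD5; treat any hit that lacks a corresponding SHA-256 match as a lead to verify, not a confirmed detection.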
***
##SPAM STATS FOR March 21 - 28:
####TOP SPAM SUBJECTS OBSERVED
- “Microsoft account team”
- “[EXTERNAL] AGL electricity bill”
- “[BULK] AGL electricity bill”
- “AGL electricity bill”
- “Reminder | Your Expertise is Required!”
####MOST FREQUENTLY USED ASNs FOR SENDING SPAM
- 135905 VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
- 16276 OVH SAS
- 8075 Microsoft Corporation
- 46606 Unified Layer
- 20792 VISTEC Internet Service GmbH
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.