Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
Weeks after our initial DNSpionage post, we published an update on the malware, outlining new malware the actors are distributing and a growth in the number of targets.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
## UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
### Event: Cisco Connect Salt Lake City
#### Location: Salt Lake City, Utah
#### Date: April 25
#### Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he’ll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
***
## NOTABLE RECENT SECURITY ISSUES
### Title: Sea Turtle campaign highlights dangers of DNS hijacking
Description: Cisco Talos discovered a new cyber threat campaign called “Sea Turtle,” which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. The investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. Talos assesses with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.
Snort SIDs: 2281, 31975 - 31978, 31985, 32038, 32039, 32041 - 32043, 32069, 32335, 32336, 41909, 41910, 43424 - 43432, 44531, 46897, 46316
### Title: Cisco discloses 31 vulnerabilities, including some critical
Description: Cisco released advisories for 31 vulnerabilities last week, including “critical” patches for its IOS and IOS XE Software Cluster Management and IOS software for the Cisco ASR 9000 series of routers. Other vulnerabilities also deal with Cisco Wireless LAN Controllers. If unpatched, an attacker could exploit these vulnerabilities to carry out denial-of-service attacks or gain the ability to remotely execute code.
Snort SIDs: 49858, 49859, 49866, 49867, 49879
***
## MOST PREVALENT MALWARE FILES FROM THIS WEEK
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.