Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Election security is a touchy — and oftentimes depressing — topic of conversation. So why not let Beer with Talos bring some levity, and more importantly, expertise, to the conversation? The latest episode focuses solely on election security, as Matt Olney runs down what he’s learned recently from spending time with various governments.
On the research end of things, we released a post earlier this week outlining the details of a new campaign called “BlackWater” that we believe could be connected to the MuddyWater APT.
And since we know everyone was waiting on this, yes, there’s coverage for that wormable Microsoft bug everyone was talking about.
There was no Threat Roundup last week, but it’ll be back tomorrow.
*
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event: Copenhagen Cybercrime Conference
Location: Industriens Hus, Copenhagen, Denmark
####Date: May 29
####Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to direct DNSs. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.
###Event: Bsides London
Location: ILEC Conference Centre, London, England
####Date: June 5
####Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: Coverage available for critical vulnerability in Microsoft Remote Desktop Protocol
Description: Microsoft continues to urge users to update to the latest version of the Remote Desktop Protocol to patch a wormable remote code execution bug. The vulnerability opens up victims to an attack where malware spreads from one machine to another once this bug is exploited only once. The company disclosed this vulnerability last week as part of its monthly security update. The company disclosed this vulnerability as CVE-2019-0708 last week as part of its monthly security update.
Snort SIDs: 50137
###Title: Multiple vulnerabilities in Wacom Update Helper
Description: There are two privilege escalation vulnerabilities in the Wacom update helper. The update helper is a utility installed alongside the macOS application for Wacom tablets. The application interacts with the tablet and allows the user to manage it. These vulnerabilities could allow an attacker with local access to raise their privileges to root.
Snort SIDs: 48850, 48851
***
##CYBERSECURITY WEEK IN REVIEW
* The U.S. Department of Homeland Security issued a warning this week against Chinese-manufactured drones. Some of the drones may be collecting their users’ personal data and transferring it back to China.
* A forum dedicated to hijacking online accounts and carrying out SIM-swapping attacks has been hacked. More than 113,000 users on OGusers had their login information, IP addresses and private messages exposed in an attack.
* Cisco released patches for many of its devices, fixing a vulnerability in its Secure Boot process. However, the patches will only be released in waves, and some devices could remain vulnerable until November.
* Some of the most popular Docker containers are open to attacks. Researchers recently discovered that 20 percent of the 1,000 most used containers are impacted by a misconfiguration, including those belonging to Microsoft, Monsanto and the British government.
* San Francisco recently passed a ban on governmental use of facial recognition technology. The new law is likely to spark debates across the country between privacy advocates and law enforcement agencies.
* The Trump administration is considering blacklisting Hikvision, a Chinese tech company that manufactures surveillance cameras. The move would prevent the company from purchasing American technology and would create another point of tension between the two countries.
* Google disclosed that some G Suite users’ passwords have been mistakenly stored in plaintext for nearly 14 years. The company said the passwords stayed in its secure infrastructure, and the problem has been fixed.
* Ireland opened a GDPR investigation into Google this week, specifically how the company uses personal data for advertising. Regulators say users’ personal information is stored by Google and then sold off to advertisers without their knowledge.
* One year after the GDPR went into effect, Europe has received an estimated 145,000 privacy complaints.
* The latest update to Mozilla Firefox fixes 21 security vulnerabilities, two of them rated “critical.” There are also new options for users to block “digital fingerprinting” on all sites.
***
##MOST PREVALENT MALWARE FILES FROM THIS WEEK
- **SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310
- MD5: 7054c32d4a21ae2d893a1c1994039050
- Typical Filename: maftask.zip
- Claimed Product: N/A
- Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.22fz.1201
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
- MD5: 4a50780ddb3db16ebab57b0ca42da0fb
- Typical Filename: wup.exe
- Claimed Product: N/A
- Detection Name: W32.7ACF71AFA8-95.SBX.TG
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.