Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Did you update all of your Microsoft products after Patch Tuesday earlier this month? If not, what are you waiting for? Listen to the latest Beers with Talos episode about why that’s stupid, and then immediately update.
Last week marked the one-year anniversary of VPNFilter. What has the security community learned since then? And how did this wide-reaching malware shape attacks since then? Find out in our blog post looking back on VPNFilter.
If you haven’t already, there’s still plenty of time to sign up for our upcoming spring Quarterly Threat Briefing. Talos researchers will be running down recent DNS manipulation-based attacks, and outline why your organization needs to be worried about them.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Location: ILEC Conference Centre, London, England
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.
Location: X Meeting Point, Skjetten, Norway
Synopsis: Vanja will offer a glimpse at how Cisco Talos analyzes the modern threat landscape and what customers can do to achieve a greater level of security.
Location: Metro Toronto Convention Center, Toronto, Canada
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to red teams and malicious attackers alike as a way to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes, such as DNSMessenger, DNSpionage, and more.
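As an added, defender-side illustration (not code from the newsletter or from Talos), the following Python sketch applies simple tunneling heuristics to constructed resolver log lines and flags a client/domain pair whose queries are TXT-heavy, never repeat, and carry long high-entropy labels, the kind of pattern DNS-based C2 such as DNSMessenger leaves in query logs. The log format, thresholds and the naive parent-domain split are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not from the page): "client qtype qname"
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A cdn.example.com",
    "10.0.0.5 TXT _dmarc.example.com",
    "10.0.0.7 TXT 3a9f2c8e1b4d7e6a5c2f8b1d9e3a7c4f.5b2e8c.updates-cdn.example",
    "10.0.0.7 TXT 7e6a5c2f8b1d9e3a7c4f3a9f2c8e1b4d.5b2e8d.updates-cdn.example",
    "10.0.0.7 TXT 9e3a7c4f3a9f2c8e1b4d7e6a5c2f8b1d.5b2e8e.updates-cdn.example",
    "10.0.0.7 TXT 1b4d7e6a5c2f8b1d9e3a7c4f3a9f2c8e.5b2e8f.updates-cdn.example",
    "10.0.0.9 MX mail.example.org",
]

def shannon_entropy(text):
    """Bits per character; hex/base32-encoded payload labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def parent_domain(qname):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def flag_tunnel_candidates(lines, min_queries=3, txt_ratio=0.5,
                           label_len=24, entropy=3.0):
    """Return {(client, domain): reasons} for pairs whose queries look like
    data carried in subdomain labels and answered via TXT records."""
    groups = defaultdict(list)
    for line in lines:
        client, qtype, qname = line.split()
        groups[(client, parent_domain(qname))].append((qtype, qname))
    flagged = {}
    for key, queries in groups.items():
        if len(queries) < min_queries:  # too few queries to judge
            continue
        reasons = []
        txt = sum(1 for qtype, _ in queries if qtype == "TXT")
        if txt / len(queries) >= txt_ratio:
            reasons.append("txt-heavy")
        first_labels = [q.split(".")[0] for _, q in queries]
        if all(len(l) >= label_len and shannon_entropy(l) >= entropy for l in first_labels):
            reasons.append("long-high-entropy-labels")
        if len({q for _, q in queries}) == len(queries):  # every qname unique
            reasons.append("never-repeats")
        if len(reasons) >= 2:  # require two independent signals to reduce noise
            flagged[key] = reasons
    return flagged
```

Legitimate hosts hit at most one signal (the example.com client only trips "never-repeats"), so requiring two keeps ordinary TXT lookups such as DMARC checks out of the alert.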
Description: A new variant of the Winnti malware has been spotted in the wild targeting Linux machines. The malware acts as a backdoor for attackers. There are two different files — a main backdoor and a library that can hide the malware’s activity. Winnti’s primary role is to handle communications and deploy other modules directly from the command and control (C2) server.
Snort SIDs: 50164 - 50167
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.