Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Did you update all of your Microsoft products after Patch Tuesday earlier this month? If not, what are you waiting for? Listen to the latest Beers with Talos episode about why that’s stupid, and then immediately update.
Last week marked the one-year anniversary of VPNFilter. What has the security community learned since then? And how did this wide-reaching malware shape attacks since then? Find out in our blog post looking back on VPNFilter.
If you haven’t already, there’s still plenty of time to sign up for our upcoming spring Quarterly Threat Briefing. Talos researchers will be running down recent DNS manipulation-based attacks, and outline why your organization needs to be worried about them.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
##UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
###Event: Bsides London
Location: ILEC Conference Centre, London, England
####Date: June 5
####Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.
###Event: Cisco Connect Norway
Location: X Meeting Point, Skjetten, Norway
####Date: June 6
####Speaker: Vanja Svajcer
Synopsis: Vanja will offer a glimpse at how Cisco Talos analyzes the modern threat landscape and what customers can do to achieve a greater level of security.
###Event: “It’s never DNS…It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
####Date: Oct. 7 - 10
####Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
*
##CYBERSECURITY WEEK IN REVIEW
* The city of Baltimore estimates the cost of a recent ransomware attack is approximately $18.2 million. Officials have refused to pay the ransom to retrieve its data.
* The latest version of the HawkEye keylogger was used in a recent attack against several different industries. HawkEye Reborn, which was discovered by Cisco Talos in April, was spotted being used against several companies, including those in the health care, agriculture and marketing industries.
* Secure email provider ProtonMail pushed back on claims that it offers assistance to law enforcement agencies in tracking suspects. The company called statements made by a Swiss lawyer on his blog “factually incorrect.”
* Apple released updates to iTunes and iCloud for Windows. The patches fix vulnerabilities recently disclosed in SQLite and WebKit.
* Chinese tech company Huawei asked a court to declare a ban on its products in the U.S. unconstitutional. A summary issued by the company states that the ban came without concrete facts that it poses a national security risk to Americans.
* Parts of New Zealand’s national budget were released early as part of an alleged cyberattack. The country’s treasury secretary contacted law enforcement after his agency discovered 2,000 attempts to access secret budget documents.
* The fast food chain Checkers says its restaurants in at least 20 states were hit with credit card-skimming malware. An unknown number of customers had their names, payment card numbers and card expiration dates stolen as part of the attack.
* A school district in New York will start testing facial recognition technology next week. The system is expected to be fully operational by the start of the next school year on Sept. 1.
***
##NOTABLE RECENT SECURITY ISSUES
###Title: Vulnerability could allow JavaScript to be injected into Internet Explorer 11
Description: Researchers uncovered another Microsoft zero-day vulnerability. One of the critical bugs could allow an attacker to inject a DLL into Internet Explorer 11. After the injection, the exploit opens a filepicker and an HTML page that contains JavaScript that executes in a lower security context. There is also a zero-day privilege escalation vulnerability in Windows Error Reporting.
Snort SIDs: 50183, 50184
###Title: Winnti malware now appears on Linux
Description: A new variant of the Winnti malware has been spotted in the wild being exploited on Linux machines. The malware acts as a backdoor for attackers. There are two different files — a main backdoor and a library that can hide the malware’s activity. Winnti’s primary role is to handle communications and deploy other modules directly from the command and control (C2) server.
Snort SIDs: 50164 - 50167
***
##MOST PREVALENT MALWARE FILES FROM THIS WEEK
- **SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
- MD5: 47b97de62ae8b2b927542aa5d7f3c858
- Typical Filename: qmreportupload.exe
- Claimed Product: qmreportupload
- Detection Name: Win.Trojan.Generic::in10.talos
- SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950
- MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb
- Typical Filename: maf-task.zip
- Claimed Product: N/A
- Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02
- SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
- MD5: e2ea315d9a83e7577053f52c974f6a5a
- Typical Filename: Tempmf582901854.exe
- Claimed Product: N/A
- Detection Name: W32.AgentWDCR:Gen.21gn.1201
- SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
- MD5: 799b30f47060ca05d80ece53866e01cc
- Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
- Claimed Product: N/A
- Detection Name: W32.Generic:Gen.22fz.1201
- SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
- MD5: 4a50780ddb3db16ebab57b0ca42da0fb
- Typical Filename: wup.exe
- Claimed Product: N/A
- Detection Name: W32.7ACF71AFA8-95.SBX.TG
***
Keep up with all things Talos by following us on Twitter and Facebook. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.