Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We hope to see everyone this weekend at the Talos Threat Research Summit in San Diego (or throughout the week at Cisco Live). If you’re around, stop by the Talos booth on the Cisco Live floor — who knows, we may have some swag to give out! For those of you who are attending, brush up on the schedule here.
There’s been a lot of talk about a bug in Microsoft RDP that could leave systems open to a “wormable” attack. When Microsoft disclosed the vulnerability last month, there was little guidance on how to defend against an exploit. Now, we have a new method using Cisco Firepower to block any encrypted attacks attempting to use this vulnerability. This means that you’ll be able to protect against attacks that would otherwise go undetected.
This week, we also unveiled our research on Frankenstein, a new campaign that cobbles together several open-source techniques to infect users. While it has been used at relatively low volume so far, because it is assembled from open-source components, the attackers behind it can change it on the fly and evolve it over time.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: “It’s never DNS…It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as the other network protocols present in their environments. DNS has become increasingly attractive to red teams and malicious attackers alike as a way to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that leveraged DNS for a variety of purposes, such as DNSMessenger, DNSpionage and more.
CYBER SECURITY WEEK IN REVIEW
- Security researchers say the EternalBlue exploit was not used in a ransomware attack on the city of Baltimore. Local and state officials in Maryland had demanded answers from the National Security Administration, where the exploit was originally developed.
- Apple unveiled a new sign-on mechanism that will allow users to log in to certain sites using their Apple ID. The company says it will make it more difficult for third-party apps to track and store users’ information.
- Chinese tech company Huawei reached an agreement with Russia to build out the country’s 5G network. Huawei has been locked in a battle with the U.S. recently after the U.S. banned the company’s products.
- The U.S. State Department sent a plan to Congress to establish a new $20.8 million cybersecurity department. The new Bureau of Cyberspace Security and Emerging Technologies (CSET) would “lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.”
- A major university in Australia says hackers stole 19 years’ worth of personal information on its students and faculty. Officials with Australian National University say the attack impacted about 200,000 people, exposing data including their credit card numbers, names, addresses, dates of birth and more.
- A zero-day vulnerability in Mac Mojave could allow an attacker to bypass security measures and run malicious code. The bug allows malicious users to mimic mouse clicks, bypass security measures, and then run whitelisted apps that have been manipulated to run malicious code.
- Medical testing company LabCorp says millions of customers had their information leaked as part of a cyberattack at a third-party firm. The company said the American Medical Collection Agency had their information stolen at various times between August 2018 and March 2019.
- Cisco patched two high-severity vulnerabilities in its Industrial Network Director. The bugs could allow an attacker to gain the ability to execute code remotely, or cause a denial-of-service condition.
- The attackers behind the GandCrab ransomware say they are retiring after earning millions of dollars from the attack. The group claims on a forum post they made $2 billion during the malware’s lifecycle.
NOTABLE RECENT SECURITY ISSUES
Snort SIDs: 50299
Title: Cisco Firepower protects against encrypted attacks exploiting Microsoft RDP bug
Description: Researchers at Cisco Talos discovered a new way to protect against encrypted attacks exploiting a recently disclosed vulnerability in Microsoft RDP. Microsoft disclosed the bug in May, but did not provide any guidance on how to mitigate attacks. A new method using Cisco Firepower Management Center allows users to protect themselves from attacks that would otherwise go virtually undetected.
Snort SIDs: 50137
MOST PREVALENT MALWARE FILES FROM THIS WEEK
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a
Typical Filename: pupdate.exe
Claimed Product: Internet Explorer
Detection Name: W32.144E4B5A6E-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
Keep up with all things Talos by following us on Twitter and Facebook. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.