Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
You never want to fall behind on Beers with Talos. So make sure to listen to the latest episode on your commute home today. This episode — featuring special guest and Talos Threat Research Summit keynote speaker Liz Wharton — was recorded live in San Diego as part of Cisco Live. So yes, there’s audience participation, and no, you are not prepared for it.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: “It’s never DNS...It was DNS: How adversaries are abusing
network blind
spots”
at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network
protocols in most corporate networks, many organizations don’t give it
the same level of scrutiny as other network protocols present in their
environments. DNS has become increasingly attractive to both red teams
and malicious attackers alike to easily subvert otherwise solid security
architectures. This presentation will provide several technical
breakdowns of real-world attacks that have been seen leveraging DNS for
a variety of purposes such as DNSMessenger, DNSpionage, and more.
============================================================
CYBER SECURITY WEEK IN REVIEW
============================================================
NOTABLE RECENT SECURITY ISSUES
Title: Netwire malware delivered through Firefox
vulnerability
Description: Attackers are exploiting a now-patched Mozilla Firefox
vulnerability to deliver the Netwire malware. At the time of first
exploitation, there was no fix for the bug. Netwire uses two separate
functions to persist — once as a launch agent and again as a login
item. New Snort rules prevent the malware from downloading its final
payload.
Snort SIDs: 50498, 50500
Title: Cisco patches critical bugs in DNA Center,
SD-WAN
Description: Cisco has patched a slew of critical and high-severity
flaws in its DNA Center and SD-WAN. In all, the company issued fixes for
25 vulnerabilities last week across a variety of its products. Two of
the most severe bugs exist on access ports necessary for Cisco Digital
Network Architecture (DNA) Center. There is another critical
vulnerability in SD-WAN's command line interface.
Snort SIDs: 50467, 50469 – 50472, 50485 – 50489, 50492
============================================================
MOST PREVALENT MALWARE FILES FROM THIS WEEK
SHA 256:
3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:
c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256:
15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename:
15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256:
7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256:
f118e52a73227b85fbb0cb7d202c3753916e518c516286c441a2dc92ede1f023
MD5: 4f551cb9a7c7d24104c19ac85e55defe
Typical Filename: watchdog.exe
Claimed Product: N/A
Detection Name: W32.Trojan:Trojangen.22hu.1201
============================================================
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.