Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
This week also saw the rise of an old favorite — exploit kits. While we don’t see them as often as we used to, Talos recently discovered a campaign using the infamous “Heaven’s Gate” technique to deliver a series of remote access trojans and information-stealers.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: “It’s never DNS...It was DNS: How adversaries are abusing
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
CYBER SECURITY WEEK IN REVIEW
NOTABLE RECENT SECURITY ISSUES
Title: Spelevo exploit kit pops up to deliver banking
Description: Researchers at Cisco Talos discovered a new exploit kit known as “Spelevo.” While exploit kit activity has quieted down over the past few years, this new campaign uses some old tricks — such as exploiting Adobe Flash Player vulnerabilities — to infect victims. It then delivers various payloads, but mainly banking trojans such as IcedID and Dridex. The actors behind Spelevo seem to be strictly financially motivated.
Snort SIDs: 50509 - 50511
Title: Firefox patches critical zero-day used to target
Snort SIDs: 50518, 50519
MOST PREVALENT MALWARE FILES FROM THIS WEEK
Typical Filename: SafeInstaller
Claimed Product: SafeInstaller
Detection Name: PUA.Win.Downloader.Installiq::tpd
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
Typical Filename: N/A
Claimed Product: JPMorganChase Instructions SMG 82749206.pdf
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.