Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Are you heading to Vegas next week for Hacker Summer Camp? Talos will. We’ll be at Black Hat and DEFCON holding a series of talks, taking resumes, answering questions and hosting a number of challenges. Check out our talk lineup for Black Hat here and a rundown of our activities at DEFCON here.
Everyone on the internet has seen the ads on web pages that suck you in with enticing headlines, too-good-to-be-true sales or highly specific offers. But many times, these ads can lead to malware. We took a deep dive into adware to talk about a slew of recent campaigns we’ve seen that have targeted some of the most popular sites on the web.
If you work with Snort rules at all, you have to check out our new Re2PCAP tool, which allows you to generate a PCAP file in seconds just from a raw HTTP request or response.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. ============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: "DNS on Fire" at Black Hat USA\
Location: Mandalay Bay, Las Vegs, Nevada\
Date: Aug. 7\
Speaker: Warren Mercer\
Synopsis: In this talk, Warren will go over two recent malicious threat actors targeting DNS protocol along with the methodology used to target victims, timeline, and technical details. The first is a piece of malware, "DNSpionage," targeting government agencies in the Middle East and an airline. The second actor, more advanced and aggressive than the previous one, is behind the campaign we named “Sea Turtle.”
Event: “It’s never DNS...It was DNS: How adversaries are abusing
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
CYBER SECURITY WEEK IN REVIEW
Capital One was hit with a data breach that affected more than 100 million customers. Information stolen include names, addresses, ZIP codes, credit scores, creidt limits, contact information and more.
The person behind the breach is a former Amazon Web Services employee who made little attempt to hide after the attack. She even went as far to boast about the data she had stolen in a Slack room.
The Federal Trade Commission warned consumers that Equifax will not be able to meet the $125 per person payout it promised as part of a settlement over a 2016 data breach. More consumers requested the payment than expected, and only $31 million of the total $700 million settlement was set aside for cash payments.
The latest Google Chrome update automatically blocks Adobe Flash Player and makes it harder for sites to detect Incognito mode. The new Incognito feature will make it possible for users to bypass paywalls on many sites, which had developed scripts to detect the secret browsing mode.
Honda Motor Co. left an ElasticSearch database containing critical information about its global systems exposed. The server included information on which devices aren’t up to date or protected by security solutions, as well as approximately 134 million documents.
Democratic lawmakers are going after Senate Majority Leader Mitch McConnell for sitting on election security bills. FBI head Christopher Wray and former special counsel Robert Mueller recently testified to Congress that Russia will likely attempt to disrupt the 2020 presidential election.
The cyber threats posed to the oil and gas industry are “high and rising.” A new report also states that these companies are at “high risk” for a cyber attack that could lead to potential loss of life.
Apple patched five vulnerabilities in iMessage that could allow an attacker to read iPhone users’ messages without their interaction. One of the bugs could only be fixed by completely restoring the device to factory settings.
A new Android malware is being spread through malicious Reddit posts. The ransomware attempts to spread to the contacts on victims’ phones, and then encrypting all files on a device.
NOTABLE RECENT SECURITY ISSUES
Title: New coverage available for Godlua
Description: Attackers recently targeted Linux and Windows machines with respective versions of the Godlua malware. The backdoor secures its communication via DNS over HTTPS. The attackers primarily use Godlua as a distributed denial-of-service bot, even launching an HTTP flood attack against one domain.
Snort SIDs: 50808 - 50811 (Written by Kristen Houser)
Title: New protection rolled out for Microsoft vulnerability
exploited in the
Description: The OceanLotus APT recently launched a new malware known as "Ratsnif," which comes in four different variant forms. These rules fire when Ratsnif attempts to make an outbound connection to a command and control (C2) server, or if the malware attempts to download any files. Ratsnif remained undetected after its C2 went online back in August 2018, though researchers believe it’s low level of infection kept it under the radar.
Snort SIDs: 50800 - 50802 (Written by Kristen Houser)
MOST PREVALENT MALWARE FILES FROM THIS WEEK
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
Typical Filename: r2
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
Typical Filename: f1cf1595f0a6ca785e7e511fe0df7bc756e8d66d.xls
Claimed Product: Microsoft Excel
Detection Name: W32.2F4E7DBA21-100.SBX.TG
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.