Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Are you heading to Vegas next week for Hacker Summer Camp? Talos will. We’ll be at Black Hat and DEFCON holding a series of talks, taking resumes, answering questions and hosting a number of challenges. Check out our talk lineup for Black Hat here and a rundown of our activities at DEFCON here.
Everyone on the internet has seen the ads on web pages that suck you in with enticing headlines, too-good-to-be-true sales or highly specific offers. But many times, these ads can lead to malware. We took a deep dive into adware to talk about a slew of recent campaigns we’ve seen that have targeted some of the most popular sites on the web.
If you work with Snort rules at all, you have to check out our new Re2PCAP tool, which allows you to generate a PCAP file in seconds just from a raw HTTP request or response.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. ============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: "DNS on Fire" at Black Hat USA\
Location:
Mandalay Bay, Las Vegs, Nevada\
Date: Aug. 7\
Speaker: Warren Mercer\
Synopsis: In this talk, Warren will go over two recent malicious
threat actors targeting DNS protocol along with the methodology used to
target victims, timeline, and technical details. The first is a piece of
malware, "DNSpionage," targeting government agencies in the Middle
East and an airline. The second actor, more advanced and aggressive than
the previous one, is behind the campaign we named “Sea Turtle.”
Event: “It’s never DNS...It was DNS: How adversaries are abusing
network blind
spots”
at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network
protocols in most corporate networks, many organizations don’t give it
the same level of scrutiny as other network protocols present in their
environments. DNS has become increasingly attractive to both red teams
and malicious attackers alike to easily subvert otherwise solid security
architectures. This presentation will provide several technical
breakdowns of real-world attacks that have been seen leveraging DNS for
a variety of purposes such as DNSMessenger, DNSpionage, and more.
============================================================
CYBER SECURITY WEEK IN REVIEW
Capital One was hit with a data breach that affected more than 100 million customers. Information stolen include names, addresses, ZIP codes, credit scores, creidt limits, contact information and more.
The person behind the breach is a former Amazon Web Services employee who made little attempt to hide after the attack. She even went as far to boast about the data she had stolen in a Slack room.
The Federal Trade Commission warned consumers that Equifax will not be able to meet the $125 per person payout it promised as part of a settlement over a 2016 data breach. More consumers requested the payment than expected, and only $31 million of the total $700 million settlement was set aside for cash payments.
The latest Google Chrome update automatically blocks Adobe Flash Player and makes it harder for sites to detect Incognito mode. The new Incognito feature will make it possible for users to bypass paywalls on many sites, which had developed scripts to detect the secret browsing mode.
Honda Motor Co. left an ElasticSearch database containing critical information about its global systems exposed. The server included information on which devices aren’t up to date or protected by security solutions, as well as approximately 134 million documents.
Democratic lawmakers are going after Senate Majority Leader Mitch McConnell for sitting on election security bills. FBI head Christopher Wray and former special counsel Robert Mueller recently testified to Congress that Russia will likely attempt to disrupt the 2020 presidential election.
The cyber threats posed to the oil and gas industry are “high and rising.” A new report also states that these companies are at “high risk” for a cyber attack that could lead to potential loss of life.
Apple patched five vulnerabilities in iMessage that could allow an attacker to read iPhone users’ messages without their interaction. One of the bugs could only be fixed by completely restoring the device to factory settings.
A new Android malware is being spread through malicious Reddit posts. The ransomware attempts to spread to the contacts on victims’ phones, and then encrypting all files on a device.
============================================================
NOTABLE RECENT SECURITY ISSUES
Title: New coverage available for Godlua
malware
Description: Attackers recently targeted Linux and Windows machines
with respective versions of the Godlua malware. The backdoor secures its
communication via DNS over HTTPS. The attackers primarily use Godlua as
a distributed denial-of-service bot, even launching an HTTP flood attack
against one domain.
Snort SIDs: 50808 - 50811 (Written by Kristen Houser)
Title: New protection rolled out for Microsoft vulnerability
exploited in the
wild
Description: The OceanLotus APT recently launched a new malware
known as "Ratsnif," which comes in four different variant forms. These
rules fire when Ratsnif attempts to make an outbound connection to a
command and control (C2) server, or if the malware attempts to download
any files. Ratsnif remained undetected after its C2 went online back in
August 2018, though researchers believe it’s low level of infection kept
it under the radar.
Snort SIDs: 50800 - 50802 (Written by Kristen Houser)
============================================================
MOST PREVALENT MALWARE FILES FROM THIS WEEK
SHA 256:
3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:
8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename: r2
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
SHA 256:
2f4e7dba21a31bde1192ca03b489a9bd47281a28e206b3dcf245082a491e8e0a
MD5: cc0f21a356dfa1b7ebeb904ce80d9ddf
Typical Filename: f1cf1595f0a6ca785e7e511fe0df7bc756e8d66d.xls
Claimed Product: Microsoft Excel
Detection Name: W32.2F4E7DBA21-100.SBX.TG
SHA 256:
7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256:
46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
============================================================
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.