Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
A lot of people may think that cyber insurance is this new, unexplored field that carries a lot of questions. But did you know that these policies have actually been around since Y2K fever? There are many more misconceptions about these policies, so we aimed to clear some of these up with this cyber insurance FAQ.
If you came out and saw us at DEFCON, chances are you got your hands on our super sweet badges. Unfortunately, there were a few small bugs, but we have a step-by-step guide that shows you how to fix those problems, and we walk through how to set it up to get your own Digispark clone.
This was also a busy week for vulnerabilities. Our discovery of several bugs in Google’s Nest camera has made headlines, since an attacker could use these to leak sensitive information. We also have a breakdown of multiple remote code execution vulnerabilities in different Aspose APIs.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered that targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets’ DNS records and found SSL certificates that had been registered for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike as a way to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes, such as DNSMessenger, DNSpionage and more.
============================================================
CYBER SECURITY WEEK IN REVIEW
Attackers behind a series of ransomware campaigns targeting more than 20 Texas cities are asking for a combined extortion payment of $2.5 million. One of the towns’ mayors says they will not give in to the attackers’ demands. This recent wave of ransomware attacks has cities across the U.S. bracing for similar attempts on their systems.
Controversial data-collection and surveillance company Palantir renewed its contract with U.S. Immigration and Customs Enforcement. The roughly $50 million contract will provide software to ICE used to manage, secure and analyze data, mainly used to identify individuals as they attempt to enter the U.S.
Security researchers discovered a new type of attack on Bluetooth devices called “KNOB.” If exploited successfully, this vulnerability could allow attackers to spy on the data being shared between two devices via Bluetooth, even if they’ve been paired previously.
Instagram expanded its bug bounty program to reward researchers who discover third-party apps that steal users’ login information. The program also covers apps that help users get bot followers and produce likes and comments on their posts.
Bernie Sanders is the first 2020 presidential candidate to formally reject law enforcement agencies’ use of facial recognition technology. Sanders called it “the latest example of Orwellian technology that violates our privacy and civil liberties under the guise of public safety” as part of his formal proposal to overhaul the criminal justice system.
Twitter banned state-run news agencies from purchasing ads on the platform. The new policy comes after a Chinese news organization ran ads condemning the recent protests in Hong Kong.
Movie ticket subscription service MoviePass exposed thousands of customers’ MoviePass card and credit card numbers. The company left a critical server unprotected without a password, and at one point it was found to contain 161 million records.
============================================================
NOTABLE RECENT SECURITY ISSUES
Title: Nest Cam IQ camera open to takeover, data disclosure
Description: Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera; however, some also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable, as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.
Snort SIDs: 49843 - 49855, 49797, 49798, 49801 - 49804, 49856, 49857, 49813 - 49816, 49912 (Written by Josh Williams)
Title: Aspose APIs contain bugs that could lead to remote code execution
Description: Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and tricking them into opening it while using the corresponding API.
Snort SIDs: 49756, 49757, 49760, 49761, 49852, 49853 (Written by Cisco Talos analysts)
============================================================
MOST PREVALENT MALWARE FILES FROM THIS WEEK
SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
Typical Filename: helpermcp
Claimed Product: N/A
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos
SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
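The hash list above is most useful when it is loaded into a tool rather than read by eye. The following is an added example (not Talos code, and not part of the newsletter) of a small parser for this "SHA 256 / MD5 / Typical Filename / Claimed Product / Detection Name" block that tolerates the line-wrapped form the text sometimes arrives in, validates that each hash is well-formed hex of the right length, and then matches the hashes of a file's bytes against the resulting index. The hashes embedded below are the ones the newsletter lists; the sample file contents at the bottom are constructed for the demo and are not the real malware.

```python
import hashlib
import re

# Constructed copy of two of the newsletter's IoC entries, deliberately
# including the wrapped form ("SHA 256:" with the hash on the next line)
# that appears when the text is extracted from a mail client.
IOC_BLOCK = """\
SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
Typical Filename: helpermcp
Claimed Product: N/A
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos
SHA 256:
8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename:
8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos
"""

FIELD_RE = re.compile(
    r"^(SHA 256|MD5|Typical Filename|Claimed Product|Detection Name):\s*(.*)$"
)
HEX_LEN = {"SHA 256": 64, "MD5": 32}  # expected hex-digit count per hash type


def parse_ioc_block(text):
    """Parse the newsletter's hash block into a list of dicts, one per sample.

    A 'SHA 256:' line starts a new record. If a field's value is missing on
    the label line, the next non-empty line is taken as the value.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    records, current, i = [], None, 0
    while i < len(lines):
        match = FIELD_RE.match(lines[i])
        i += 1
        if not match:
            continue  # ignore separators or unrelated prose
        key, value = match.group(1), match.group(2).strip()
        if not value and i < len(lines):  # value wrapped onto the next line
            value, i = lines[i], i + 1
        if key == "SHA 256":
            current = {}
            records.append(current)
        if current is None:
            raise ValueError(f"'{key}' field before any SHA 256 line")
        if key in HEX_LEN:
            value = value.lower()
            if len(value) != HEX_LEN[key] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {key} value: {value!r}")
        current[key] = value
    return records


def build_index(records):
    """Map every SHA-256 and MD5 value to its record for O(1) lookup."""
    index = {}
    for record in records:
        for key in HEX_LEN:
            if key in record:
                index[record[key]] = record
    return index


def lookup_hash(digest, index):
    """Return the matching record for a hex digest (any case), or None."""
    return index.get(digest.strip().lower())


def check_bytes(data, index):
    """Hash a file's contents with both algorithms and look them up."""
    sha256 = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return lookup_hash(sha256, index) or lookup_hash(md5, index)


if __name__ == "__main__":
    index = build_index(parse_ioc_block(IOC_BLOCK))
    # Constructed benign bytes: expected not to match any listed IoC.
    sample = b"constructed benign sample file, not malware"
    hit = check_bytes(sample, index)
    print("match:", hit["Detection Name"] if hit else "none")
```

Running the file against a real directory is a matter of replacing the constructed `sample` bytes with the contents of each file; a hit returns the full record, so the "Detection Name" field can be logged alongside the path.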
============================================================
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.