Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

A lot of people may think that cyber insurance is this new, unexplored field that carries a lot of questions. But did you know that these policies have actually been around since Y2K fever? There are many more misconceptions about these policies, so we aimed to clear some of these up with this cyber insurance FAQ.

If you came out and saw us at DEFCON, chances are you got your hands on our super sweet badges. Unfortunately, there were a few small bugs, but we have a step-by-step guide that shows you how to fix those problems, and we walk through how to set it up to get your own Digispark clone.

This was also a busy week for vulnerabilities. Our discovery of several bugs in Google’s Nest camera has made headlines, since an attacker could use these to leak sensitive information. We also have a breakdown of multiple remote code execution vulnerabilities in different Aspose APIs.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

============================================================

UPCOMING PUBLIC ENGAGEMENTS WITH TALOS

Event: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

============================================================

CYBER SECURITY WEEK IN REVIEW

• Attackers behind a series of ransomware campaigns targeting more than 20 Texas cities are asking for a combined extortion payment of $2.5 million. One of the towns’ mayors say they will not give into the attackers’ demands.
  

• This recent wave of ransomware attacks has cities across the U.S. bracing for similar attempts on their systems.
  

• Controversial data-collection and surveillance company Palantir renewed its contract with U.S. Immigration and Customs Enforcement. The roughly $50 million contract will provide software to ICE used to manage, secure and analyze data, mainly used to identify individuals as they attempt to enter the U.S.
  

• Security researchers discovered a new type of attack on Bluetooth devices called “KNOB.” If exploited successfully, this vulnerability could allow attackers to spy on the data being shared between two devices via Bluetooth, even if they’ve been paired previously.
  

• Instagram expanded its bug bounty program to reward researchers who discover third-party apps that steal users’ login information. The program also covers apps that help users get bot followers and produce likes and comments on their posts.
  

• Bernie Sanders is the first 2020 presidential candidate to formally reject law enforcement agencies’ use of facial recognition technology. Sanders called it “the latest example of Orwellian technology that violates our privacy and civil liberties under the guise of public safety” as part of his formal proposal to overhaul the criminal justice system.
  

• Twitter banned state-run news agencies from purchasing ads on the platform. The new policy comes after a Chinese news organization ran ads condemning the recent protests in Hong Kong.
  

• Movie ticket subscription service MoviePass exposed thousands of customers’ MoviePass card and credit card numbers. The company left a critical server unprotected without a password and was found at one point to contain 161 million records.
  

============================================================

NOTABLE RECENT SECURITY ISSUES

Title: Nest Cam IQ camera open to takeover, data disclosure
Description: Cisco Talos recently discovered multiple vulnerabilities in the Nest Cam IQ Indoor camera. One of Nest Labs’ most advanced internet-of-things devices, the Nest Cam IQ Indoor integrates Security-Enhanced Linux in Android, Google Assistant, and even facial recognition all into a compact security camera. It primarily uses the Weave protocol for setup and initial communications with other Nest devices over TCP, UDP, Bluetooth and 6lowpan. Most of these vulnerabilities lie in the weave binary of the camera, however, there are some that also apply to the weave-tool binary. It is important to note that while the weave-tool binary also lives on the camera and is vulnerable, it is not normally exploitable as it requires a local attack vector (i.e. an attacker-controlled file) and the vulnerable commands are never directly run by the camera.
Snort SIDs: 49843 - 49855, 49797, 49798, 49801 - 49804, 49856, 49857, 49813 - 49816, 49912 (Written by Josh Williams)

Title: Aspose APIs contain bugs that could lead to remote code execution Description: Cisco Talos recently discovered multiple remote code execution vulnerabilities in various Aspose APIs. Aspose provides a series of APIs for manipulating or converting a large family of document formats. These vulnerabilities exist in APIs that help process PDFs, Microsoft Word files and more. An attacker could exploit these vulnerabilities by sending a specially crafted, malicious file to the target and trick them into opening it while using the corresponding API. Snort SIDs: 49756, 49757, 49760, 49761, 49852, 49853 (Written by Cisco Talos analysts)

============================================================

MOST PREVALENT MALWARE FILES FROM THIS WEEK

SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
Typical Filename: helpermcp
Claimed Product: N/A
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos

SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: invoice.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG

============================================================

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.