Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
It’s that time again to update all your Microsoft products. The company released its monthly update Tuesday, disclosing more than 60 vulnerabilities in a variety of its products. This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. We’ve got a rundown of the most important bugs here, and all our Snort coverage here.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
P.S., we have to give ourselves a pat on the back for the researchers who took home the top honors at the Virus Bulletin conference, winning the Péter Ször Award.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Event: Talos at BSides Belfast
Location: Titanic Belfast, Belfast, Northern Ireland
Date: Oct. 31
Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumahin and Earl Carter will deliver their “It’s Never DNS.…It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.
CYBER SECURITY WEEK IN REVIEW
Apple released the new Catalina operating system this week, and it comes with several new security features. However, researchers have already discovered a series of vulnerabilities, including memory corruption and buffer overflow.
The U.S. government is increasingly using the exploitation of minors as an argument for anti-encryption measures. But security experts are concerned this could mislead the general public about the benefits of encryption.
An Iranian hacker group believed to be behind an attack on a U.S. presidential candidate is now turning their attention toward the researchers who outed them. The group known as “Charming Kitten” set up a web-mail page designed to compromise security experts.
Twitter says it’s used emails and phone numbers attached to two-factor authentication to deliver targeted ads. The social media site says it does not know how many users were affected.
Apple removed an app from its store that protestors in Hong Kong used to track Chinese police presence. This was just the latest move from the Chinese government to put pressure one U.S. businesses in relation to the ongoing unrest in Hong Kong.
The FBI misused its own data to vet their own employees and other American citizens. A recently unsealed court document revealed several instances where the agency improperly used information to run queries on certain individuals, all eventually discovered by the United States Foreign Intelligence Surveillance Court.
The GitHub code repository is currently facing backlash from its employees over its partnership with the U.S. Immigration and Customs Enforcement (ICE). GitHub is reportedly preparing to renew a contract for ICE to license its GitHub Enterprise Server.
Security researchers found another swath of apps on the Google Play store that deployed malware onto users’ devices. The apps, which disguised themselves as video games and photo editing services, were actually trojans, adware, spyware and data stealers.
A new report from the U.S. Senate’s Intelligence Committee states
that Russia’s misinformation campaign to influence U.S. elections is
The study also points out that many of these campaigns specifically
target the African American community.
NOTABLE RECENT SECURITY ISSUES
Title: Microsoft discloses 60 vulnerabilities as part of monthly
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important." This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Snort SIDs: 51733 - 51736, 51739 - 51742, 51781 - 51794
Title: Multiple vulnerabilities in Schneider Electric Modicon
Description: There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs exist in the Modicon's use of FTP. Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities.
Snort SIDs: 49982, 49983
MOST PREVALENT MALWARE FILES FROM THIS WEEK
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
Typical Filename: dllhostex.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.CoinMiner:CryptoMinerY.22k3.1201
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.