Talos Threat Source is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’re scared of stalkerware, and you should be, too. These spyware apps are becoming more popular with everyone from nation-states to suspicious spouses who want to track their partner’s location. These apps live in a gray area: they’re not explicitly deemed illegal, but they can be used for illegal purposes.
How can you make sure your mobile device isn’t infected with this type of software? And why is it so popular? Find out in our new post from this week.
The second entry in our CISO Advisory series went up this week, too, this time focusing on security architecture.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: “It’s Never DNS… It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in corporate networks, many organizations don’t give it the same level of scrutiny as the other protocols present in their environments. DNS has become increasingly attractive to red teams and malicious attackers alike as an easy way to subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes, such as DNSMessenger, DNSpionage, and more.
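The blind spot the talk describes is DNS traffic that nobody inspects. As an added illustration (not code from Talos or from the talk), the following script scores per-domain DNS query behaviour for the hallmarks of tunneling and command-and-control over DNS: long, high-entropy subdomain labels, a large number of unique subdomains under one zone, and a high share of TXT queries. The log format ("client qtype qname"), the thresholds, the naive "last two labels are the zone" rule and the sample traffic are all assumptions made for the example; the tunnel.test queries are constructed to imitate how a tunneling tool hex-encodes data into labels.

```python
import math
from collections import defaultdict

# Constructed sample payload, hex-encoded into DNS labels the way a tunneling
# tool would do it. It is not data from the page or from any real campaign.
PAYLOAD = b"constructed sample payload for a DNS tunneling detection demo " * 4


def make_tunnel_queries(client="10.0.0.7", domain="tunnel.test", chunk=30):
    """Emit TXT queries whose subdomains carry hex-encoded payload chunks
    (constructed traffic; 'tunnel.test' is a placeholder zone)."""
    hexdata = PAYLOAD.hex()
    return [
        f"{client} TXT {i:04x}.{hexdata[j:j + chunk]}.{domain}"
        for i, j in enumerate(range(0, len(hexdata), chunk))
    ]


# Constructed log lines in the assumed "<client> <qtype> <qname>" format:
# ordinary lookups for example.com followed by the tunneling burst.
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 AAAA www.example.com",
    "10.0.0.5 A mail.example.com",
    "10.0.0.6 A www.example.com",
    "10.0.0.6 MX example.com",
    "10.0.0.6 TXT _dmarc.example.com",
] + make_tunnel_queries()

# Per-domain indicator thresholds (assumed values, tune to your environment).
THRESHOLDS = {
    "max_label_len": 20,      # longest subdomain label seen
    "unique_subdomains": 10,  # distinct subdomains under the zone
    "txt_ratio": 0.5,         # share of queries that are TXT
    "avg_entropy": 3.0,       # mean Shannon entropy (bits/char) of subdomains
}


def parse_line(line):
    """Split one log line into (client, qtype, qname), normalising case."""
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname):
    """Naively treat the last two labels as the registered zone and the rest
    as the attacker-controlled subdomain (assumption for the example)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Shannon entropy in bits per character; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_metrics(lines):
    """Aggregate the four indicators for every registered zone in the log."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(),
                               "maxlabel": 0, "entropy_sum": 0.0})
    for line in lines:
        _, qtype, qname = parse_line(line)
        sub, zone = split_name(qname)
        m = acc[zone]
        m["queries"] += 1
        m["txt"] += qtype == "TXT"
        m["subs"].add(sub)
        m["maxlabel"] = max(m["maxlabel"], *(len(l) for l in sub.split(".")))
        m["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    return {
        zone: {
            "queries": m["queries"],
            "txt_ratio": m["txt"] / m["queries"],
            "unique_subdomains": len(m["subs"]),
            "max_label_len": m["maxlabel"],
            "avg_entropy": m["entropy_sum"] / m["queries"],
        }
        for zone, m in acc.items()
    }


def indicators(metrics):
    """Names of the indicators a zone exceeds."""
    return [k for k, limit in THRESHOLDS.items() if metrics[k] > limit]


def suspicious_domains(lines, min_indicators=2):
    """Zones that trip at least `min_indicators` thresholds, sorted."""
    return sorted(zone for zone, m in domain_metrics(lines).items()
                  if len(indicators(m)) >= min_indicators)


if __name__ == "__main__":
    for zone, m in domain_metrics(SAMPLE_LOG).items():
        print(zone, m, indicators(m))
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Requiring two independent indicators rather than one keeps legitimate long-label traffic (CDN hostnames, DKIM or SPF TXT lookups) from tripping the detector on its own; in a real deployment the "last two labels" rule should be replaced with a public-suffix list, and the thresholds baselined against the organisation's own resolver logs.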
Event: “Reading Telegram messages abusing the shadows” at BSides
Location: Auditorio FMD-UL, Lisbon, Portugal
Date: Nov. 28 - 29
Speakers: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process can be abused to allow message interception on non-rooted Android devices without replacing the official application. This is another example of how encryption is not a panacea, and of how side-channel attacks like this are a real problem for otherwise secure applications.
CYBER SECURITY WEEK IN REVIEW
The infamous Fancy Bear Russian hacking group may be targeting the 2020 Summer Olympics. New reports suggest the group has disrupted anti-doping agencies to varying degrees of success.
A major nuclear power plant in India confirms it was breached. A North Korea-linked hacking group gained access to the plant’s administrative network, though it has not yet said whether data was stolen.
A massive cyber attack took down web sites across the country of Georgia, along with the country’s national television station. Most of the sites were replaced with images of a former president of Georgia, with him holding a sign that reads “I’ll be back.”
A new malware family has been discovered on Android, installed on more than 75,000 devices. The malware can reinstall itself even after it’s removed, including after a full factory reset.
The WhatsApp messaging app now has biometric support for Android devices. Users can now access their profiles using their fingerprint. The feature had been available on iOS devices.
A new report suggests a cyber attack on Asian ports could cost upward of $110 billion. An insurance firm conducted a study, estimating what would happen if an attack hit 15 ports across Japan, Malaysia, Singapore, South Korea and China.
The U.K. has begun work on a new National Cyber Security Strategy, as their previous one nears the end of its life. However, this milestone has brought several critics to the forefront, including one report that says the original program only achieved one of its 12 stated goals.
A non-profit group is preparing to launch its free cyber security program for U.S. political campaigns. Defending Digital Campaigns announced its first group of services, including email security, encrypted messaging and security training for staff.
NOTABLE RECENT SECURITY ISSUES
Title: Nation-state actors are behind new slew of mobile
Description: A new report highlights how nation-state-backed APTs are using the mobile malware space to conduct espionage against their own citizens. Security researchers at BlackBerry discovered new campaigns from actors linked to China, Iran, Vietnam and North Korea. Among these attackers is the infamous OceanLotus group, which has launched a new attack that contains both mobile and desktop components. OceanLotus is deploying malicious apps to mobile app stores that spy on the user’s device.
Snort SIDs: 52004, 52005
Title: Denial of service in VMware Fusion
Description: VMware Fusion 11 contains an exploitable denial-of-service vulnerability. VMware Fusion is an application for macOS that allows users to run other operating systems, such as Windows and Linux, in a virtual environment. An attacker could trigger this vulnerability by supplying a malformed pixel shader from inside a VMware guest OS: the guest can crash the VMware Fusion process on the host, so a flaw reachable from the guest affects the host.
Snort SIDs: 50502, 50503
MOST PREVALENT MALWARE FILES FROM THIS WEEK
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast, which comes out bi-weekly, here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.