Threat Source (April 4)

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: Cisco Connect Salt Lake City
Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.

Cyber Security Week in Review

Some Facebook users are being prompted to enter their email accounts’ password when signing up. Facebook says it will stop the practice, and reiterated that it never stored those passwords on any servers.
Facebook CEO Mark Zuckerberg last week pushed for the U.S. to adopt stronger internet privacy and election laws. Zuckerberg proposed in an interview that the federal government create an independent body that would set definitions for what terrorist content and hate speech are and should, therefore, be banned online.
Google’s latest security bulletin warns of three critical vulnerabilities in the Android operating system. These bugs could allow an attacker to remotely take over a device by tricking the user into opening a malicious file.
Australia and Singapore introduced new laws that impose harsh punishments on websites that do not remove violent content quickly. The countries hope to reduce the amount of pro-terrorist content circulating online.
The parent company behind Planet Hollywood and Buca di Beppo says more than 2 million customers had their credit card information stolen. The restaurants say a credit card skimming malware existed on their point-of-sale system for months.
Bayer, one of the largest chemicals companies in the world, says it suffered a cyber attack, but no data was taken. The German company said an APT spied on its networks for months, but it so far has not discovered any “data outflow.”
Two third-party app developers may have publicly exposed more than 2 million Facebook users’ personal records. Security researchers say they discovered the two data sets on exposed Amazon Web Services S3 servers.
A major cryptocurrency exchange in South Korea says it lost millions of dollars worth of currencies in a heist. Bithumb says it believes the attack was carried out by a group of insiders.
Cisco says two patches released earlier this year for its routers do not work properly. The company says its seen live attacks on the RV320 and RV325 routers and are working on a new fix.

Notable recent security issues

Title: Huawei PCManager could allow attackers to alter Windows kernel
Description: Microsoft recently discovered a serious vulnerability in Huawei’s PCManager that could allow attackers to alter the Windows 10 kernel in Huawei’s line of MateBook machines. The Chinese tech company patched the bug in January, but it was just disclosed last week. An attacker could exploit this vulnerability by tricking the user into running a malicious application.
Snort SIDs: 49628 - 49632
Title: Cisco discloses several vulnerabilities in IOS XE
Description: Cisco released a slew of patches last week to fix 24 vulnerabilities in its IOS operating system. The company also warned customers that two routers in its RV line are open to attack, and no fix is available as of yet. Fifteen of the bugs exist on IOS XE, which runs on Cisco networking gear such as switches, routers and controllers.
Snort SIDs: 49606 - 49616, 49588 - 49591

Most prevalent malware files this week

SHA 256: d98edcaf8acdd135b38ad5d6ce503e59868555f5acb6aaa95017ec758a6603ac
MD5: a7608ce0baea081df610eb9accb4400e
Typical Filename: emotet_e1_d98edcaf8acdd135b38ad5d6ce503e59868555f5acb6aaa95017ec758a6603ac_2019-03-26__175503.exe_
Claimed Product: Advanced PDF Converter
Detection Name: W32.d98edcaf8a.Malspam.MRT.Talos
SHA 256: ec604bc4c6020b69868f14ea05295ac7c27e0ec01c288657199d8917850f3443
MD5: 97911a1da380f874393cf15982c6b1b9
Typical Filename: spoolsv.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.GenericKD:Trojan.22co.1201
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product: 易语言程序
Detection Name: Win.Dropper.Armadillo::1201
SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: u.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office

Intelligence Center

Vulnerability Research

Incident Response