Threat Source newsletter (May 9)

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

This was a heavy week for vulnerability discovery. Snort rules are loaded up withprotections against a recent wave of attackscentered around a critical Oracle WebLogic bug. We also discovered vulnerabilities inSQLiteandthree different Jenkins plugins.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: Copenhagen Cybercrime ConferenceLocation: Industriens Hus, Copenhagen, DenmarkDate: May 29Speaker: Paul RascagnèresSynopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to direct DNSs. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.

Event: Bsides LondonLocation: ILEC Conference Centre, London, EnglandDate: June 5Speaker: Paul RascagnèresSynopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.

Cyber Security Week in Review

The city of Baltimore’s online government operations were completely stalled this week after a ransomware attack. The city’s IT director said the RobinHood malware forced the government to go “manual” with many tasks. Emergency services have not been impacted.
A group of hackers stole information from three American antivirus companies. The group is offering source code and network access to the companies for $300,000. The companies affected have not been named yet but were recently contacted by the federal government to alert them of the breach.
Attackers stole $41 million worth of Bitcoin from cryptocurrency exchange Binance. A representative from Binance said hackers used a variety of techniques, “including phishing, viruses and other attacks.”
The tax services of Danish mega company Wolters Kluwer were taken offline this week as the result of a cyber attack. The outage specifically affected CCH, a cloud-based company, that caused “network and service interruptions.”
WordPress’ latest update includes a few long-awaited security updates. Each of the content management system’s updates will now include digital signatures, and there is a new “Site Health” page for users.
Google’s latest security update fixed a number of vulnerabilities in the Android operating system, including several critical- and high-severity bugs. The most notable fix is for a vulnerability in Media framework that could “enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”
Cisco released security updates for a critical vulnerability in the Elastic Services Controller. An unauthenticated, remote attacker could exploit this flaw to obtain admin privileges.
Israel bombed the cyber headquarters of Hamas in retaliation for an alleged cyber attack. Military involvement, in this case, has brought up several questions surrounding how cyber warfare could begin intersecting with physical retaliation.
A power supplier on the West Coast was hit with a cyberattack last week. The attack did not cause any loss of power for customers but did prevent visibility in some parts of the country.
Cyber firms are increasingly turning to non-traditional sources of recruiting as the industry looks to fill a talent gap. Some companies are training researchers on the go, even if they do not have a traditional security degree.

Notable recent security issues

Title: Attacks using WebLogic bugs expand, evolve
Description: Attackers continue to spread malware by exploiting a critical vulnerability in Oracle WebLogic. The bug, identified as CVE-2019-2725, was disclosed and patched last week. However, as users have been slow to update, attackers are still able to exploit this vulnerability to deliver ransomware, specifically Gandcrab and XMRig.
Snort SIDs: 50014 - 50025
Title: Cisco discloses 41 bugs, one of them critical
Description: Cisco released a security update for several of its products, including one critical bug in the SSH key management for the Nexus 9000 series Application Centric Infrastructure (ACI) mode switch software. An attacker could exploit this vulnerability by connecting to a machine via SSH, which could allow them to connect to the system with the same privileges as a root user.
Snort SIDs: 49992 - 49996, 50006, 50007

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: 9d48f382ec11bd9b35488a2c2b878e5401c2be43f00bcbae30d1619e6e2bf0c1
MD5: dd46d0260a6cdf5625d468398bae1f60
Typical Filename: N/A
Claimed Product: N/A
Detection Name: Win.Dropper.Undefined::tpd

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

What can we learn from the passwords used in brute-force attacks?

The private sector probably isn’t coming to save the NVD

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

Intelligence Center

Vulnerability Research

Incident Response