Wednesday, July 3, 2019

Threat Source newsletter (July 3, 2019)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We disclosed several vulnerabilities this week, including two in Simple DirectMedia Layer, and a memory corruption bug in the V8 JavaScript engine in Google Chrome.

This week also saw the rise of an old favorite — exploit kits. While we don’t see them as often as we used to, Talos recently discovered a campaign using the infamous “Heaven’s Gate” technique to deliver a series of remote access trojans and information-stealers.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.

Upcoming public engagements with Talos

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more. 

Cyber Security Week in Review

  • The U.S. Food and Drug Administration recalled a line of insulin pumps due to security concerns. The agency cited a vulnerability disclosure from the company behind the pumps that says "an unauthorized person” could exploit a bug to connect to the devices wirelessly and change its settings. 
  • The U.S. Food and Drug Administration recalled a line of insulin pumps due to security concerns. The agency cited a vulnerability disclosure from the company behind the pumps that says "an unauthorized person” could exploit a bug to connect to the devices wirelessly and change its settings.
  • new variant of the Dridex ransomware contains anti-virus evasion techniques that makes it more difficult to detect. Security researchers say the new variant, which first appeared last month, uses Application Whitelisting techniques to disable or bypass Windows Script Host.  
  • A new malware strain known as “Silexbot has bricked more than 4,000 internet-of-things devices so far. Researchers believe a teenager may even be behind the attack. 
  • security breach at a major cloud services provider may have exposed its customers’ emails and other data. PCM Inc. says it discovered the attack earlier this year, and believes malicious actors may have gained access to some of its clients’ email and file-sharing systems. 
  • U.S. Cyber Command urged Microsoft Outlook users to patch their software as soon as possible. The agency says its discovered attacks that exploit a specific Outlook vulnerability that appear to originate from Iran. 
  • Google removed more than 100 adware-infected apps from its store. Security researchers say the apps had been downloaded a combined 9.3 million times, often using victim’s phones to boost advertising revenue. 
  • Hackers took down the network of Georgia’s court system with a ransomware attack this week, though the system was restored relatively quickly. Government leaders say it appears the attack originated from a foreign country. 
  • Facebook removed 30 accounts that have helped spread malware over the past five years. The social media site said the attacks centered around fake Libya news websites, tempting users to open malicious sites and then downloading a remote access trojan. 
  • A Chinese tech company that produces smart home devices has been leaking users’ logs for years. Researchers discovered a database belonging to Orvibo sitting on an ElasticSearch server with no password protection. 

Notable recent security issues

Title: Spelevo exploit kit pops up to deliver banking trojans 
Description: Researchers at Cisco Talos discovered a new exploit kit known as “Spelevo.” While exploit kit activity has quieted down over the past few years, this new campaign uses some old tricks — such as exploiting Adobe Flash Player vulnerabilities — to infect victims. It then delivers various payloads, but mainly banking trojans such as IcedID and Dridex. The actors behind Spelevo seem to be strictly financially motivated.  
Snort SIDs: 50509 - 50511 
  
Title: Firefox patches critical zero-day used to target Macs 
Description: Firefox patched a series of bugs in its latest update, but most notably fixed a vulnerability that attackers exploited to install cryptocurrency miners. Last week, the web browser released a fix for a code-execution vulnerability in a JavaScript programming method known as “Array.pop,” and then a sandbox breakout bug the next day. Two new Snort rules from Talos protect against the Array vulnerability. 
Snort SIDs: 50518, 50519 

Most prevalent malware files this week

SHA 256: 440944ab47cc3140207179f5449ddacb32883a74a9cff11141fdf494eaf21592   
MD5: dd77416ab164d3423b00f33380cf06ca  
Typical Filename: SafeInstaller  
Claimed Product: SafeInstaller  
Detection Name: PUA.Win.Downloader.Installiq::tpd  

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3  
MD5: 47b97de62ae8b2b927542aa5d7f3c858  
Typical Filename: qmreportupload.exe  
Claimed Product: qmreportupload  
Detection Name: Win.Trojan.Generic::in10.talos  

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b   
MD5: 42143a53581e0304b08f61c2ef8032d7  
Typical Filename: N/A  
Claimed Product: JPMorganChase Instructions SMG 82749206.pdf  
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos  

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f  
MD5: e2ea315d9a83e7577053f52c974f6a5a  
Typical Filename: Tempmf582901854.exe  
Claimed Product: N/A  
Detection Name: W32.AgentWDCR:Gen.21gn.1201  

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b  
MD5: 799b30f47060ca05d80ece53866e01cc  
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin  
Claimed Product: N/A  
Detection Name: W32.Generic:Gen.22fz.1201    

No comments:

Post a Comment