Thursday, August 15, 2019

Threat Source newsletter (Aug. 15)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Sorry we missed you last week, we were all away at Hacker Summer Camp. If you missed us at Black Hat, we have a roundup up on the blog of some of the “flash talks” from our researchers and analysts.

Patch Tuesday was also this week, and we’ve got you covered with Snort rules and coverage of some of the most critical bugs. 

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • The United Nations says it is investigating 35 different North Korean state-sponsored cyber attacks in 17 countries. A new report states the attacks hoped to raise money to fund the country’s atomic weapons program. 
  • Police in South Wales, U.K. are starting to use facial recognition apps to identify suspects without having to take them to a station. The department plans to start testing the app over the next few months on 50 different officers’ phones, but privacy groups are already pushing back. 
  • A sponsored presentation at Black Hat regarding the “Time AI” program was taken down after researchers attacked the talk online and in person. At least one attendee interrupted the talk and accused the speaker of misleading people by pitching this new form of encryption. 
  • Adobe disclosed dozens of vulnerabilities as part of its monthly security update this week, including 76 bugs in Acrobat and Reader. There were also 22 critical vulnerabilities patched in Photoshop. 
  • Google says it is working on replacing passwords for Google services for 1.7 billion Android users. Engineers at the company say the goal is to allow Android users to log into Google sites and services using their fingerprint or other methods because “new security technologies are surpassing passwords in terms of both strength and convenience." 
  • Facebook disclosed that they previously allowed contractors to listen in on and transcribe users’ conversations. The social media site says it recently discontinued the practice, but the Irish Data Protection Commission is still looking into the practice for possible GDPR violations. 
  • A bug in the Steam video game store could open Windows’ users to attacks, but the company says it is not within its scope to fix. 
  • The FBI released a report warning Americans of a recent uptick in dating scams. The agency says malicious actors are using data apps to convince victims to open up new bank accounts to send them money under the guise of a fake user. 
  • Security researchers at the DEFCON conference discovered a critical vulnerability in the F-15, a popular fighter jet used by the U.S. military. If exploited, the bug could shut down a portion of the plane’s cameras and sensors, preventing the transmission of data during missions. 

Notable recent security issues

Title: 31 critical vulnerabilities addressed in latest Microsoft security update
Description: Microsoft released its monthly security update Tuesday, disclosing more than 90 vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated “critical," 65 that are considered "important" and one "moderate." This month’s security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine.
Snort SIDs: 35190, 35191, 40851, 40852, 45142, 45143, 50936 - 50939, 50969 - 50974, 50987, 50988, 50940, 50941, 50998, 50999, 51001 - 51006 (Written by Cisco Talos analysts)

Title: Cisco releases security patches for multiple products, including high-severity bugs in WebEx Teams
Description: Cisco released security updates to address vulnerabilities in multiple Cisco products. An attacker could exploit the more critical bugs to take control of an affected system. Some of the most severe vulnerabilities exist in Cisco WebEx Network Recording for Microsoft Windows and Cisco Webex Player for Windows. These bugs, identified across five different CVEs, could allow a remote attacker to execute arbitrary code on an affected system.
Snort SIDs: 50902, 50904 - 50907 (Written by Amit Raut) 

Most prevalent malware files this week

SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a  
MD5: 125ef5dc3115bda09d2cef1c50869205 
Typical Filename: helpermcp 
Claimed Product: N/A 
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos  

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3  
MD5: 47b97de62ae8b2b927542aa5d7f3c858 
Typical Filename: qmreportupload.exe 
Claimed Product: qmreportupload 
Detection Name: Win.Trojan.Generic::in10.talos  

SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6 
MD5: f7145b132e23e3a55d2269a008395034  
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin 
Claimed Product: N/A 
Detection Name: Unix.Exploit.Lotoor::other.talos 

SHA 256: 39a875089acaa37c76dd333c46c0072c6db0586c03135153fe6c15ac453ab750  
MD5: df61f138409416736d9b6f4ec72ac0af 
Typical Filename: cslast.gif  
Claimed Product: N/A  
Detection Name: W32.39A875089A-100.SBX.TG 
  
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510  
MD5: 4a50780ddb3db16ebab57b0ca42da0fb 
Typical Filename: xme64-2141.exe 
Claimed Product: N/A 
Detection Name: W32.7ACF71AFA8-95.SBX.TG 

No comments:

Post a Comment