Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We’re all still trying to shake off the summer. Gone are the early Fridays, beach vacations and days by the pool. Turns out, attackers may be brushing the same things off. The ever-present Emotet went quiet over the summer, but it’s back now with a slew of new campaigns. While this may sound concerning, the same protections and coverage you’ve always used will keep you safe.
And, speaking of things that won’t stay down, cryptocurrency miners still aren’t going anywhere. We've discovered a new threat actor we’re calling “Panda” that is rapidly spreading miners, even as digital currencies decline in value.
This was also a busy week for vulnerability discovery. We’ve got three new vulnerability spotlights out: the Aspose PDF API, Atlassian’s Jira software and the AMD ATI Radeon line of graphics cards.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with TalosEvent: “DNS on Fire” at Virus Bulletin 2019
Location: Novotel London West hotel, London, U.K.
Date: Oct. 2 - 4
Speaker: Warren Mercer and Paul Rascagneres
Synopsis: In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Cyber Security Week in Review
- Windows rolled out a new updater tool that is designed to make it easier for users to apply patches. But researchers have already found a string of bugs and flaws.
- The LastPass password manager contained a security vulnerability that could have leaked users’ login information to sites they previously visited while utilizing LastPass. The company says it’s released an update to fix this flaw.
- An advanced threat group has compromised the networks of at least 11 information technology service providers, likely with the hopes of gaining access to their customers’ systems. At least two of the attacks allowed the malicious actors to gain admin-level access to the victims’ networks.
- Facebook plans to assemble a “court” to make the final decision on content restrictions. The social media giant says both the company itself and users will be able to appeal decisions to this board.
- The FBI attempted to install a backdoor on mobile devices sold by an encrypted cellular company. Phantom Secure, which is known for selling encrypted phones to some drug cartel members, was later shut down in 2018 for data leaks and its connection to criminal operations.
- Many popular smart TV manufacturers collect and sell users’ viewing habits and other personal information, including their IP address.
- Australia believes China is behind an attack from earlier this year on its parliament and three largest political parties. However, leaders there have been reticent to publicly call China out at the risk of disrupting Australia’s economy.
- A global cyber security trade group suspended Huawei from its board. Huawei blamed the United States for the disruption, saying American influence led the group to making this decision.
- New banking regulations in Europe could leave financial institutions more open to cyber attacks, according to a new report. Known as “Open Banking,” these new policies are aimed at giving customers more control over the information they share with banks, but it also brings third-party financial technology companies into the fold.
Notable recent security issues Title: Remote code execution vulnerability in some AMD Radeon cards
Description: A line of AMD Radeon cards contains a remote code execution vulnerability in their ATIDXX64.DLL driver. AMD produces the Radeon line of hardware, which includes graphics cards and graphics processing units. This specific vulnerability exists on the Radeon RX 550 and the 550 Series while running VMWare Workstation 15. An attacker could exploit this vulnerability by supplying a malformed pixel shared inside the VMware guest operating system to the driver. This could corrupt memory in a way that would allow the attacker to gain the ability to remotely execute code on the victim machine.
Snort SIDs: 49978, 49979 (Written by Tim Muniz)
Title: Atlassian Jira service contains multiple vulnerabilities, including remote JavaScript execution
Description: Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.
Snort SIDs: 50110, 50111 (Written by Amit Raut), 50114 (Written by Josh Williams)
Most prevalent malware files this week
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 26da22347f1d91f6ca56b7c47644a776b72251d3de11c90d9fd77556d5236f5e
MD5: f6f6039fc64ad97895142dc99554e971
Typical Filename: CSlast.gif
Claimed Product: N/A
Detection Name: W32.26DA22347F-100.SBX.TG
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
MD5: 3c7be1dbe9eecfc73f4476bf18d1df3f
Typical Filename: sayext.gif
Claimed Product: N/A
Detection Name: W32.093CC39350-100.SBX.TG
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201