Thursday, October 10, 2019

Threat Source newsletter (Oct. 10, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

It’s that time again to update all your Microsoft products. The company released its monthly update Tuesday, disclosing more than 60 vulnerabilities in a variety of its products. This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. We’ve got a rundown of the most important bugs here, and all our Snort coverage here.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

P.S., we have to give ourselves a pat on the back for the researchers who took home the top honors at the Virus Bulletin conference, winning the Péter Ször Award.

Upcoming public engagements with Talos

Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots”  at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Event: Talos at BSides Belfast 
Location: Titanic Belfast, Belfast, Northern Ireland
Date: Oct. 31
Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumahin and Earl Carter will deliver their “It’s Never DNS....It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.

Cyber Security Week in Review

  • Apple released the new Catalina operating system this week, and it comes with several new security features. However, researchers have already discovered a series of vulnerabilities, including memory corruption and buffer overflow. 
  • The U.S. government is increasingly using the exploitation of minors as an argument for anti-encryption measures. But security experts are concerned this could mislead the general public about the benefits of encryption. 
  • An Iranian hacker group believed to be behind an attack on a U.S. presidential candidate is now turning their attention toward the researchers who outed them. The group known as “Charming Kitten” set up a web-mail page designed to compromise security experts. 
  • Twitter says it’s used emails and phone numbers attached to two-factor authentication to deliver targeted ads. The social media site says it does not know how many users were affected. 
  • Apple removed an app from its store that protestors in Hong Kong used to track Chinese police presence. This was just the latest move from the Chinese government to put pressure one U.S. businesses in relation to the ongoing unrest in Hong Kong. 
  • The FBI misused its own data to vet their own employees and other American citizens. A recently unsealed court document revealed several instances where the agency improperly used information to run queries on certain individuals, all eventually discovered by the United States Foreign Intelligence Surveillance Court. 
  • The GitHub code repository is currently facing backlash from its employees over its partnership with the U.S. Immigration and Customs Enforcement (ICE). GitHub is reportedly preparing to renew a contract for ICE to license its GitHub Enterprise Server. 
  • Security researchers found another swath of apps on the Google Play store that deployed malware onto users’ devices. The apps, which disguised themselves as video games and photo editing services, were actually trojans, adware, spyware and data stealers. 
  • A new report from the U.S. Senate’s Intelligence Committee states that Russia’s disinformation campaign to influence U.S. elections is nowhere near over. The study also points out that many of these campaigns specifically target the African American community. 

Notable recent security issues

Title: Microsoft discloses 60 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Snort SIDs: 51733 - 51736, 51739 - 51742, 51781 - 51794

Title: Multiple vulnerabilities in Schneider Electric Modicon M580 
Description: There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs exist in the Modicon's use of FTP. Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities.
Snort SIDs: 49982, 49983

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3 
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

SHA 256: ce8cb7c8dc29b9e4feab463fdf53b569b69e6a5c4ab0e50513b264563d74a6ac
MD5: 0e02555ede71bc6c724f9f924320e020
Typical Filename: dllhostex.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.CoinMiner:CryptoMinerY.22k3.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin 
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201 

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b 
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201 

No comments:

Post a Comment