Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
It’s rare that iOS jailbreaks make it onto the scene. Apple is usually able to patch them out quickly. But a recent exploit is actually unpatchable, and researchers are racing to release tools that can allow users to jailbreak their phone. But malicious attackers are also trying to capitalize on this opportunity. We recently discovered a malicious site that promises to offer a jailbreaking tool, but it actually just conducts click fraud and installs a malicious profile onto the user’s device.
This week, Adobe released its third patch for a vulnerability we discovered earlier this year in Acrobat Reader. An attacker could exploit this bug to gain the ability to execute arbitrary code on the victim machine.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos Event: Talos at BSides Belfast
Location: Titanic Belfast, Belfast, Northern Ireland
Date: Oct. 31
Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumaghin and Earl Carter will deliver their “It’s Never DNS....It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.
Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Cyber Security Week in Review
- Postage service provider Pitney Bowes was hit with the Ryuk ransomware, briefly taking some of their systems offline. The attack also impacted some U.S. Postal Service services.
- Baltimore plans to buy a $20 million cyber insurance policy in the wake of a ransomware attack earlier this year. The policy includes incident response coverage, business interruption loss and ransom payments.
- The U.S. reportedly carried out a cyber attack against Iran on Sept. 14 in response to an attack on a Saudi Arabian oil facility. Military officials say the attack was meant to reduce Iran’s ability to spread what they called “propaganda.”
- Two Moroccan activists were targeted by the Pegasus spyware. The human rights defenders received numerous SMS messages containing links to malicious websites, relying on zero-days in iOS to exploit their devices.
- Google’s new line of Pixel phones will allow its AI to automatically transcribe voice notes — even if the device is offline. The company said all translation happens directly on the device.
- An ATM malware that forces the machines to spit out all the cash they contain is spreading across the globe. A new report suggests that these so-called “jackpotting” attacks are on the rise this year, though they are not widely reported on.
- Mozilla says it is beefing up Firefox’s security to protect users from code injection attacks. The web browser will no longer utilize inline scripts, improving the “about” protocol.
- The Chinese government is promoting a mobile app that may allow them to spy on more than 100 million citizens. The app is even mandatory among government workers and communist party officials.
- An underground, online marketplace selling stolen credit card numbers was hacked. Roughly 26 million credit card numbers were rescued from “BriansClub,” 8 million of which were uploaded this year.
Notable recent security issues Title: Apple WebKit opens users up to malicious advertising
Description: Multiple vulnerabilities in Apple's WebKit are allowing attackers to serve users' malicious advertisements. This campaign affected the Google Chrome and Safari web browsers on iOS and MacOS, but the vulnerabilities were all patched out in Apple's latest series of security updates. All the ads centered around the user's specific mobile carrier, hoping to entice them to visit malicious websites. The vulnerabilities would allow the ads to break out of any sandboxes in place.
Snort SIDs: 51821 - 51824, 51831, 58132 (By John Levy)
Title: Remote code execution bug in vBulletin
Description: A now-patched vulnerability in the popular service vBulletin is allowing attackers to completely take over sites that use the software. vBulletin powers the commenting functions for many popular sites. An attacker could exploit this vulnerability to gain the ability to remotely execute malicious code on any vBulletin server running versions 5.0.0 through 5.5.4. This bug was initially dropped as a zero-day by an anonymous user, but has since been patched by the company. The Snort rules below prevent any attempt to inject code into the server using this bug. Marcos Rodriguez wrote these rules.
Snort SIDs: 51834 – 51837 (By Marcos Rodriguez)
Most prevalent malware files this week
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG