Thursday, December 12, 2019

Threat Source newsletter (Dec. 12, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re entering our Year in Review period. Now’s the time to look back on the top stories from 2019 and think about what we learned.

In the vulnerability space, Talos researchers were just as busy as always. We disclosed more than one vulnerability per working day this year, many of which were in internet-of-things and ICS devices. For more on what we can take away from the year in vulnerability disclosures, check out our post here.

Speaking of vulnerabilities, we had many more to add to the yearly count this week. There’s too many to name here, but some highlights include a remote code execution bug in Apple’s Safari web browser and a denial-of-service in the Linux kernel.

Microsoft also disclosed its own set of vulnerabilities as part of the last Patch Tuesday of 2019. Check out our breakdown of the most notable bugs here and our Snort rules to protect against exploitation of them here. Talos discovered two of the bugs patched this month, both in Windows Remote Desktop Protocol in older versions of Windows.

Cyber Security Week in Review

  • Adobe released its monthly security update Tuesday, fixing 14 critical vulnerabilities across its suite of products. Among the bugs disclosed are 14 critical vulnerabilities in Adobe Acrobat Reader. 
  • A series of news reports this week revealed Ring security cameras are open to serious exploits. In Florida, an attacker took over a Ring’s speaker and shouted racial slurs at the owners. And in Tennessee, another man took over a family’s device after only owning it for four days, potentially spying on three young girls and talking to one of them, saying he was santa. 
  • A new report from the U.S. National Infrastructure Advisory Council warned the White House that a cyber attack on America’s infrastructure poses an “existential threat” to the country. The group also urged U.S. President Donald Trump to take “bold action” to protect ICS systems. 
  • A new decryptor from the makers of the Ryuk ransomware may actually damage larger files. The program is meant to help a victim recover their files after paying the proposed ransom. 
  • The new “Snatch” ransomware evades detection by rebooting Windows machines mid-infection. The malware forces the victim machine to boot in safe mode, and then begin the encryption process. 
  • The city of Pensacola, Florida continues to recover from a ransomware attack, just days after a shooting at a local military base. The city’s phone lines, some email services and other online platforms were still down as of Thursday. 
  • Iran says it fended off a large cyber attack on unspecified “electronic infrastructure.” One government official said he could not provide specific details on the malware, but called the threat actors “very organized” and “governmental.” 
  • U.S. President Donald Trump says he discussed election security with Russian officials during a private meeting this week. Russian Foreign Minister Sergei Lavrov said in a press conference after the meeting Russia has wanted to publish information that would allegedly clear it of any wrongdoing during the 2016 U.S. presidential election, but the U.S. has blocked that release. 
  • Apple released the newest version of iOS this week, which provides new security features for Safari. The mobile version of the web browser now supports NFC, USB and Lightning-complaint keys so users don’t have to rely only on passwords. 
  • A new feature in Google Chrome will alert users if their login credentials were exposed in a data breach. Each time the user logs into a site using the browser, it will check those credentials against a database of known leaked information.

Notable recent security issues

Title: Microsoft discloses two critical bugs as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 25 vulnerabilities, two of which are considered critical. This month’s security update covers security issues in a variety of Microsoft services and software, including Remote Desktop Protocol, Hyper-V and multiple Microsoft Office products.
Snort SIDs: 52402, 52403, 52410, 52411, 52419, 52420

Title: AMD ATI Radeon ATIDXX64.DLL shader functionality sincos denial-of-service vulnerability
Description: Cisco Talos recently discovered a denial-of-service vulnerability in a specific DLL inside of the AMD ATI Radeon line of video cards. This vulnerability can be triggered by supplying a malformed pixel shader inside a VMware guest operating system. Such an attack can be triggered from VMware guest usermode to cause an out-of-bounds memory read on vmware-vmx.exe process on host, or theoretically through WEBGL.
Snort SIDs: 51461, 51462 (By Tim Muniz)

Most prevalent malware files this week

SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: myfile.exe
Claimed Product: N/A
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin 
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment