Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope everyone had a safe and happy Thanksgiving in the U.S. The holiday shopping season is now in full swing, and there are plenty of deals to be had in stores and online. This also makes it a prime time for attackers to strike. For tips of how to stay safe when shopping this holiday season, check out our full blog post here.

This was also a busy week for vulnerabilities. We disclosed, and released protection, for bugs in the Forma learning management system, Accusoft ImageGear and EmbedThis’ GoAhead Web Server.

We also have a special surprise for you tomorrow. You’ll want to keep an eye on our blog, social media and your podcast feeds.

Upcoming public engagements with Talos Event: “Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks” at CactusCon
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Dec. 6 - 7
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: This talk will discuss the common techniques we’re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future.

Cyber Security Week in Review

  • Italian spyware firm Hacking Team is back under new ownership after cratering in 2015. The new management says they are working toward ensuring the company’s technology isn’t abused.
  • A popular dark web site for selling spying tools was taken down after an international investigation. U.K. law enforcement officials said more than 14,500 people had purchased software from the site, many of whom are being charged with computer misuse crimes.
  • RCS, a messaging standard meant to replace SMS, is open to several different types of attacks. Despite the advertisement of RCS being more advanced, attackers could still exploit it to steal text messages and listen in on phone calls.
  • HackerOne, a bug bounty startup, awarded $20,000 to an independent security researcher who the company mistakenly gave inappropriate access to. An analyst sent a cURL command to the community member, which actually gave the user access to all of the bug reports the analyst had worked on.
  • The actors behind the Magecart credit card-skimming malware used Salesforce’s Heroku platform to host their scripts and stolen information. The group registered for a free Heroku account, using it as a free web hosting service.
  • Chinese hackers reportedly stole $1 million from a venture capital firm when it was attempting to wire transfer money to an Israeli startup. The group used man-in-the-middle techniques to impersonate emails from the two sides.
  • American data center provider CyrusOne was hit with a ransomware attack, believed to be in the Sodinokibi family. While the company had not publicly disclosed anything as of Thursday morning, it reportedly is working with law enforcement agencies to recover from the attack.
  • Pharmaceutical company Merck is still locked in a battle with the company that supplies its cyber insurance over who should pay for the recovery in the aftermath of the NotPetya infection in 2017. The question of whether the attack is covered could boil down to whether NotPetya should be considered an act of war.
  • The iPhone 11 Pro attempts to access the user’s location data, even if the user has forbidden all apps from accessing that information. However, Apple says this is simply part of the device’s design.
  • The FBI released a warning advising users that their new smart TVs could be open to cyber attacks. The advisory states an attacker could gain access to the TV and then begin changing the device’s settings or even display inappropriate content.

Notable recent security issues Title: Forma LMS open-source program open to SQL injection attacks
Description: There are three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization. An attacker can send a web request with parameters containing SQL injection attacks to trigger these bugs.
Snort SIDs: 51611 – 51619 (By Marcos Rodriguez)
 Title: Accusoft ImageGear PNG IHDR width code execution vulnerability
Description: Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle. This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit.
Snort SIDs: 3132, 32889, 50806, 50807, 51530, 51531, 52033, 52034 (By Kristen Houser and Mike Bautista)

Most prevalent malware files this week

SHA 256: f917be677daab5ee91dd3e9ec3f8fd027a58371524f46dd314a13aefc78b2ddc
MD5: c5608e40f6f47ad84e2985804957c342
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA:2144FlashPlayer-tpd
 SHA 256:a97e5396d7dcd103138747ad09486671321fb75e01a70b26c908e7e0b727fad1
MD5: ef048c07855b3ef98bd991c413bc73b1
Typical Filename: xme64-501.exe
Claimed Product: N/A
Detection Name: PUA.Win.Dropper.Razy::tpd
 SHA 256:49b9736191fdb2eb62b48e8a093418a2947e8d288f39b98d65a903c2ae6eb8f5
MD5: df432f05996cdd0973b3ceb48992c5ce
Typical Filename: xme32-501-gcc.exe
Claimed Product: N/A
Detection Name: W32.49B9736191-100.SBX.TG
 SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6
MD5: f7145b132e23e3a55d2269a008395034
Typical Filename: 8c0b271744bf654ea3538c6b92aa7bb9819de3722640796234e243efc077e2b6.bin
Claimed Product: N/A
Detection Name: Unix.Exploit.Lotoor::other.talos