Thursday, January 9, 2020

Threat Source newsletter (Jan. 9, 2019)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re back after a long break for the holidays. And 2020 is already off to a fast start as tensions continue to rise in the Middle East.

We’ve gotten a lot of questions about whether customers and users should be concerned about cyber attacks from Iran after they’ve exchanged missile strikes with the U.S. But the reality of the situation is, if you haven’t already been preparing from attacks for state-sponsored actors, it’s already too late. We run down our thoughts on the situation here.

We also have our first Beers with Talos episode of the new year out, where the guys run down the top threats of 2019 and talk about what lessons we learned.

Upcoming public engagements

Event: Talos Insights: The State of Cyber Security at Cisco Live at Cisco Live Barcelona
Location: Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31
Speakers: Warren Mercer
Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Cyber Security Week in Review

  • The U.S. Department of Homeland Security issued a warning this week asking American organizations to prepare for potential cyber attacks from Iran. State-sponsored actors from the region were expected to respond after the U.S. killed a high-profile Iranian general in a drone strike. 
  • Even though the U.S. and Iran seemed to walk back from their threats of physical retaliation against one another Wednesday, the threat of a cyber attack still lingers. Many researchers are using this discussion as an opportunity to remind defenders that a proxy cyber war has been raging for years between the two countries.  
  • International currency exchange marketplace Travelex is still recovering from a ransomware attack earlier this month. The attackers, believed to be Sodinokibi, have requested a $6 million extortion payment. 
  • The city of Las Vegas says it successfully thwarted a cyber attack that could have shut down many of its government operations. Officials said they first detected an intrusion on Jan. 7 and removed the malware before any damage could be done. 
  • Mozilla released an emergency update for the Firefox web browser that fixes a bug attackers were exploiting in the wild. CVE-2019-17026 is a type confusion vulnerability that could allow an attacker to write data to or from memory locations that are normally closed off. 
  • The popular social media app TikTok puts users at risk of having their accounts completely taken over with just an SMS message. A chain of vulnerabilities could allow an attacker to infect a user’s mobile device, then gain access to the user’s TikTok account and remove, add or edit videos. 
  • California’s privacy law went into effect at the start of the new year, leaving many massive companies scrambling to clean up some of their privacy policies. Under the new law, a user may ask most major internet companies to disclose what personal information they store on the individual and how the company may profit off it.  
  • A new update to Google Chrome is expected to cut down on notification spam. Chrome is changing its notifications API so the notifications are less intrusive, and to make it more difficult for cybercrime groups to exploit them. 
  • The FBI is once again asking Apple to unlock iPhones for them. The agency is attempting to access the devices, which belonged to a man who committed a mass shooting at an American naval base. 

Notable recent security issues

Title: Cisco patches dozen vulnerabilities in Data Center Network Manager
Description: Cisco released multiple security advisories last week announcing patches for 12 vulnerabilities in the Data Center Network Manager software. The software allows users to manage their Cisco switches and fabric extenders. Three of the vulnerabilities disclosed (CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977) could allow an unauthenticated, remote attacker to bypass authentication and carry out a variety of malicious tasks with administrative privileges on an affected device.
Snort SIDs: 52530 - 52547

Title: Buffer overflow vulnerabilities in OpenCV  
Description: Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org. OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking and various machine learning programs.
Snort SIDs: 50774, 50775 (By Dave McDaniel)

Most prevalent malware files this week

SHA 256: d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81 
MD5: 5142c721e7182065b299951a54d4fe80
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::1201

SHA 256: 5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa
MD5: 121e1634bf18768802427f0a13f039a9
Typical Filename: AA_v3.exe
Claimed Product: Ammyy Admin
Detection Name: W32.SPR:Variant.22fn.1201

SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
Typical Filename: SegurazoIC.exe
Claimed Product: Digital Communications Inc.
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg

SHA 256: d8b594956ed54836817e38b365dafdc69aa7e07776f83dd0f706278def8ad2d1
MD5: 56f11ce9119632ba360e5b3dd0a89acd
Typical Filename: xme64-540.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Coinminer::100.sbx.tg

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin 
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.