Good afternoon, Talos readers.
We are back this week with new content, mainly around Microsoft Patch Tuesday. We have our complete breakdown of all the vulns here, as well as in-depth information on two remote code execution vulnerabilities one of our researchers discovered in Excel.
We also have new dates for Cisco Live, which will take place on June 15 - 17. You can see the full signup details below, and after the 17th, you can access Talos’ two talks on-demand.
Upcoming public engagements
Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Streaming on the conference's website
Date: June 10 - 12
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.
Event: Cisco Live U.S.
Location: Streaming online
Date: June 15 - 17
Speakers: Craig Williams and Sean Mason
Synopsis: Join the free, virtual Cisco Live U.S. conference. There will be many talks spread across two days. Specific to Talos, Craig Williams of the Outreach team will give an overview of recent threats and provide viewers with an update on Talos’ latest research efforts. Sean Mason, the head of Cisco Talos Incident Response, will also give a separate talk on IR’s advancements over the past year and go over how CTIR can help you prepare for the worst.
Cyber Security Week in Review
- Given the recent wave of Black Lives Matter demonstrations and protests across the U.S., foreign actors are likely to try and play off America’s racial divide. Experts say that as the nation edges closer to the November General Election, fake social media accounts will attempt to capitalize on disagreements over the protests.
- Human rights groups who have seen an uptick in donations and interest during the demonstrations have also become popular targets of cyber attacks. Specifically, there’s been an increase in attempted distributed denial-of-service attacks against these organizations.
- The U.S. Department of Homeland Security issued a warning regarding a newly discovered wormable bug in Windows 10. Microsoft patched the vulnerability as part of this month’s Patch Tuesday.
- A ransomware attack took down some of Honda’s international production this week. However, the car maker says no personal information is in jeopardy.
- Federal and state law enforcement agencies are investing in new cell phone tracking tech known as “Crossbow.” The device is an improved version of the Stringray, which is used among many local police departments.
- Online voting software used in five U.S. states contains inadequate security protections. Researchers from MIT pointed out the flaws in the software, which was recently used in three primary elections.
- An Alabama city agreed to pay a quarter-million-dollar ransom payment to a group that infected its systems and encrypted many files. The town’s government seemed to be infected with the DopplePaymer ransomware.
- The Defense Advanced Research Projects Agency (DARPA) launched a new bug bounty program this year, asking researchers to look for hardware vulnerabilities. The devices are designed to defend against cyber attacks.
- Amazon is putting a one-year hold on police departments being able to use its facial-recognition software. The company says it hopes to give the federal government time to develop new regulations.
- A cyber security firm set up a honeypot disguised as fake critical infrastructure systems — and it took a very short amount of time for attackers to swarm to it.
Notable recent security issues
Title: Remote code execution bugs in Word, SMB disclosed as part of Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. While none of the vulnerabilities disclosed have been exploited in the wild, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. The security updates cover several different products including the VBScript engine, SharePoint file-sharing service and GDI+.
Snort SIDs: 52213 - 52217, 54191 - 54194, 54219, 54220, 54230 - 54240, 54245 - 54250, 54270 and 54271
Title: Cisco patches vulnerabilities in IOS XE, affecting some industrial routers
Description: Cisco disclosed three critical vulnerabilities in its IOS and IOS XE software and industrial router group. Many of the alerts concern a command injection vulnerability that would allow an adversary to execute arbitrary code on the affected operating system. One of the most severe bugs could allow a remote attacker to obtain an authorization token on the affected system and execute their choice of IOx API commands on the device.
Snort SIDs: 53497 – 53504, 54155, 54159 - 54164
Most prevalent malware files this week
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc