Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit— our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
We made waves this week with an article on malicious groups on Facebook. We discovered thousands of users who were offering to buy and sell various malicious services, such as carding, spamming and the creation of fake IDs. News outlets across the globe covered this story, including NBC News, Forbes and WIRED.
There’s also new research on the Gustuff malware. Researchers discovered this banking trojan earlier this year, and recently, we tracked it targeting Australian users in the hopes of stealing their login credentials to financial services websites.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos
Event: Cisco Connect Salt Lake City
Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
Cyber Security Week in Review
- WikiLeaks founder Julian Assange was arrested in London on Thursday after being extradited from the Ecuadorian embassy. Hours later, the U.S. formally charged him with conspiracy to commit computer intrusion. WikiLeaks is responsible for leaking thousands of classified government documents over the years.
- Amazon workers reportedly listen to some conversations with Alexa devices in order to improve the software’s voice recognition technology. A handful of employees transcribe the recordings, annotate them and then feed it back into the software.
- Yahoo agreed to a $118 million settlement with users over a 2013 data breach. The company, which is now owned by Verizon, affected 3 billion users worldwide, but Yahoo kept it quiet for years.
- The U.S. government released a warning regarding the new “HOPLIGHT” malware that appears to originate from North Korea. According to a report from the FBI and Department of Homeland Security, the malware has the ability to read, write and move files, connect to a remote host, and upload and download files, among other functions.
- Verizon patched a vulnerability in some of its routers that could have allowed an attacker to gain root privileges. This could allow them to target other devices on the network, such as internet-of-things equipment.
- Security researchers bypassed the Samsung Galaxy S10’s fingerprint scanner with a 3-D printed model. This means that attackers could potentially steal users’ fingerprints and then be able to gain physical access to their devices.
- Three recent spam campaigns are spreading the TrickBot malware via malicious attachments that disguise themselves as tax documents. The attackers spoof ADP and Paychex, two producers of human resources and payment software.
- Cybersecurity companies are pledging to help users remove so-called "stalkerware" from users' smartphones. The companies say they will send alerts to users if this software, which is traditionally used to track other users, is dected on their device.
Notable recent security issues
Title: Microsoft patches 74 vulnerabilities, 14 critical
Description: Microsoft released its monthly security update Tuesday, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10.
Snort SIDs: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755
Title:Adobe fixes vulnerabilities in Flash Player, Acrobat
Description: Adobe patched vulnerabilities in 15 of its products this week as part of its monthly security update. The vulnerabilities disclosed include critical memory corruption bugs in Shockwave, as well as remote code execution vulnerabilities in Acrobat Reader.
Snort SIDs: 48293, 49294
Description: Microsoft released its monthly security update Tuesday, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10.
Snort SIDs: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755
Title:Adobe fixes vulnerabilities in Flash Player, Acrobat
Description: Adobe patched vulnerabilities in 15 of its products this week as part of its monthly security update. The vulnerabilities disclosed include critical memory corruption bugs in Shockwave, as well as remote code execution vulnerabilities in Acrobat Reader.
Snort SIDs: 48293, 49294
Most prevalent malware files this week
SHA 256:d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
MD5: 6372f770cddb40efefc57136930f4eb7
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product:易语言程序
Detection Name: Win.Dropper.Armadillo::1201
SHA 256:46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: cab.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201
SHA 256:790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
Typical Filename: ups.exe
Claimed Product: TODO: <产品名>
Detection Name: W32.Variant:XMRig.22fc.1201
MD5: 6372f770cddb40efefc57136930f4eb7
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product:易语言程序
Detection Name: Win.Dropper.Armadillo::1201
SHA 256:46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: cab.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201
SHA 256:790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
Typical Filename: ups.exe
Claimed Product: TODO: <产品名>
Detection Name: W32.Variant:XMRig.22fc.1201
Top spams stats for this week
Top 5 spam subjects observed
- "Help Desk: Planned maintenance for Tuesday 9th"
- "Iron Mountain Australia Group Pty Ltd - Invoice Number AUS402803"
- "Fwd: Netflix statement Of Payment."
- "Please approve - Allina"
- "Your Netflix Membership Has Been Suspended"
Top 5 most used ASNs for sending spam
- 8075 Microsoft Corporation
- 3136 State of WI Dept. of Administration
- 6276 OVH SAS
- 8560 1&1 Internet SE
- 16509 Amazon.com, Inc.