Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit— our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
Weeks after our initial DNSpionage post, we published an update on the malware, including outlining new malware the actors are distributing and a growth in the number of targets.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos
Event: Cisco Connect Salt Lake City
Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.
Cyber Security Week in Review
- Facebook says it may have accidentally uploaded more than 1.5 million users’ emails without their permission. However, the contact information was not shared with anyone outside of Facebook, according to company officials, and all the email addresses have been deleted.
- The source code for the Carbank backdoor has appeared on VirusTotal alongside builders and other code from the group behind the malware. The group behind Carbank launched the malware against an estimated 100 U.S. companies.
- The U.S. says a cyber attack on Japan could count as an act of war under a mutual protection agreement between the two countries. A defense leader from Japan called it “significant from the perspective of deterrence.”
- Leaders from Singapore say they will not be deterred from modernizing despite a recent wave of data breaches. The country, which prides itself on incorporating technology into its government services, recently had data leaks of several federal databases, including a list of HIV patients.
- A recent study found that the password “123456” was the most popular password among users who had their accounts hacked last year. The second most popular string was “123456789.”
- The Weather Channel was taken off-air for more than an hour last week due to a ransomware attack. The FBI launched an investigation into the attack.
- A well-known security researcher pled guilty to charges of creating malware between 2012 and 2015. Known as MalwareTech online, the man helped bring down the WannaCry ransomware attack in 2017.
Notable recent security issues
Title: Sea Turtle campaign highlights dangers of DNS hijacking
Description: Cisco Talos discovered a new cyber threat campaign called "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. The investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. Talos assesses with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.
Title: Cisco discloses 31 vulnerabilities, including some critical
Description: Cisco released advisories for 31 vulnerabilities last week, including “critical” patches for its IOS and IOS XE Software Clusterm management and IOS software for the Cisco ASR 9000 series of routers. Other vulnerabiliites also deal with Cisco Wireless LAN Controllers. If unpatched, an attacker could exploit these vulnerabilities to carry out denial-of-service attacks or gain the ability to remotely execute code.
Snort SIDs: 49858, 49859, 49866, 49867, 49879
Description: Cisco Talos discovered a new cyber threat campaign called "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. The investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. Talos assesses with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.
Snort SIDs: 2281, 31975 - 31978, 31985, 32038, 32039, 32041 - 32043, 32069, 32335, 32336, 41909, 41910, 43424 - 43432, 44531, 46897, 46316
Description: Cisco released advisories for 31 vulnerabilities last week, including “critical” patches for its IOS and IOS XE Software Clusterm management and IOS software for the Cisco ASR 9000 series of routers. Other vulnerabiliites also deal with Cisco Wireless LAN Controllers. If unpatched, an attacker could exploit these vulnerabilities to carry out denial-of-service attacks or gain the ability to remotely execute code.
Snort SIDs: 49858, 49859, 49866, 49867, 49879
Most prevalent malware files this week
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product:易语言程序
Detection Name: Win.Dropper.Armadillo::1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
SHA 256:46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: u.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256:8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product:易语言程序
Detection Name: Win.Dropper.Armadillo::1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
SHA 256:46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: u.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201