Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit— our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!
This week was stacked with original research. First up was the Sodinokibi ransomware, which we saw being distributed via a zero-day vulnerability in Oracle WebLogic. Today, we also released our findings on a new variant of Qakbot, which is more difficult to detect than older versions.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos
Location: Industriens Hus, Copenhagen, Denmark
Date: May 29
Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to direct DNSs. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.
Cyber Security Week in Review
- Cisco disclosed a critical vulnerability in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode data-center switch that could allow an attacker to secretly access system-level resources. The company disclosed 39 other bugs, as well, on Thursday.
- The latest version of Google Chrome fixed two vulnerabilities in the web browser. One is considered to be of “high” severity: An out-of-bounds vulnerability in SQLite.
- Citrix says attackers were able to obtain persistence on their systems for about six months and may have stolen employees’ personal data. The software company says the breadth of the attack is not yet known but could involve stolen Social Security numbers, names and financial information.
- Financial data from several large companies were leaked online after a technology company refused to pay a ransom. German IT provider Citycomp had data stolen in an attack, including information on Oracle, Porsche and Toshiba.
- Magecart launched a renewed attack on OpenCart websites. The credit card-stealing malware is going after the e-commerce platform, which is one of the three most popular shopping interfaces for sites to use.
- Slack warned potential investors that it could be the target of a nation-state-backed cyber attack. The group messaging platform revealed the ongoing threats ahead of its expected IPO.
- An exposed database holds sensitive information on more than 80 million American households — but no one seems to know who owns it.
- Apple removed several parental control apps from its store. The company said the programs were utilizing illicit, “highly invasive” mobile device management techniques.
- Norwegian aluminum maker Norsk Hydro estimates a recent ransomware attack cost the company the equivalent of $52 million in the first quarter.
Notable recent security issues
Title: Oracle vulnerability opens users to remote code execution attacks
Description: Oracle released an out-of-band pouch for WebLogic servers that could allow an attacker to carry out remote code execution attacks. Security researchers discovered the bug being exploited earlier this month by attackers in the wild. Oracle assigned the bug CVE-2019-2725 and gave it a CVSS score of 9.8/10, highlighting how serious the issue is. WebLogix server owners are urged to update as soon as possible.
Title: JasperLoader targets Europe with Gootkit banking trojan
Description: A loader known as "JasperLoader" has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries, with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process.
Snort SIDs: 49914, 49915
Description: Oracle released an out-of-band pouch for WebLogic servers that could allow an attacker to carry out remote code execution attacks. Security researchers discovered the bug being exploited earlier this month by attackers in the wild. Oracle assigned the bug CVE-2019-2725 and gave it a CVSS score of 9.8/10, highlighting how serious the issue is. WebLogix server owners are urged to update as soon as possible.
Snort SIDs: 49942, 49943
Description: A loader known as "JasperLoader" has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries, with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process.
Snort SIDs: 49914, 49915
Most prevalent malware files this week
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
MD5: 6372f770cddb40efefc57136930f4eb7
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 799b30f47060ca05d80ece53866e01cc.vir
Claimed Product: N/A
Detection Name: W32.Generic:Gen.21ij.1201
SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
MD5: 6372f770cddb40efefc57136930f4eb7
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd