Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Did you update all of your Microsoft products after Patch Tuesday earlier this month? If not, what are you waiting for? Listen to the latest Beers with Talos episode about why that’s stupid, and then immediately update.
Last week marked the one-year anniversary of VPNFilter. What has the security community learned since then? And how did this wide-reaching malware shape attacks since then? Find out in our blog post looking back on VPNFilter.
If you haven’t already, there’s still plenty of time to sign up for our upcoming spring Quarterly Threat Briefing. Talos researchers will be running down recent DNS manipulation-based attacks, and outline why your organization needs to be worried about them.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos
Event: Bsides London
Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.
Event: Cisco Connect Norway
Location: X Meeting Point, Skjetten, Norway
Date: June 6
Speaker: Vanja Svajcer
Synopsis: Vanja will offer a glimpse at how Cisco Talos analyzes the modern threat landscape and what customers can do to achieve a greater level of security.
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.
Event: Cisco Connect Norway
Location: X Meeting Point, Skjetten, Norway
Date: June 6
Speaker: Vanja Svajcer
Synopsis: Vanja will offer a glimpse at how Cisco Talos analyzes the modern threat landscape and what customers can do to achieve a greater level of security.
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Cyber Security Week in Review
- The city of Baltimore estimates the cost of a recent ransomware attack is approximately $18.2 million. Officials have refused to pay the ransom to retrieve its data.
- The latest version of the HawkEye keylogger was used in a recent attack against several different industries. HawkEye Reborn, which was discovered by Cisco Talos in April, was spotted being used against several companies, including those in the health care, agriculture and marketing industries.
- Secure email provider ProtonMail pushed back on claims that it offers assistance to law enforcement agencies in tracking suspects. The company called statements made by a Swiss lawyer on his blog “factually incorrect.”
- Apple released updates to iTunes and iCloud for Windows. The patches fix vulnerabilities recently disclosed in SQLite and WebKit.
- Chinese tech company Huawei asked a court to declare a ban on its products in the U.S. unconstitutional. A summary issued by the company states that the ban came without concrete facts that it poses a national security risk to Americans.
- Parts of New Zealand’s national budget were released early as part of an alleged cyberattack. The country’s treasury secretary contacted law enforcement after his agency discovered 2,000 attempts to access secret budget documents.
- The fast-food chain Checkers says its restaurants in at least 20 states were hit with credit card-skimming malware. An unknown number of customers had their names, payment card numbers and card expiration dates stolen as part of the attack.
- A school district in New York will start testing facial recognition technology next week. The system is expected to be fully operational by the start of the next school year on Sept. 1.
Notable recent security issues
Title: Vulnerability could allow JavaScript to be injected into Internet Explorer 11
Description: Researchers uncovered another Microsoft zero-day vulnerability. One of the critical bugs could allow an attacker to inject a DLL into Internet Explorer 11. After the injection, the exploit opens a filepicker and an HTML page that contains JavaScript that executes in a lower security context. There is also a zero-day privilege escalation vulnerability in Windows Error Reporting.
Snort SIDs: 50183, 50184
Title: Winnti malware now appears on Linux
Description: A new variant of the Winnti malware has been spotted in the wild being exploited on Linux machines. The malware acts as a backdoor for attackers. There are two different files — a main backdoor and a library that can hide the malware’s activity. Winnti’s primary role is to handle communications and deploy other modules directly from the command and control (C2) server.
Snort SIDs: 50164 - 50167
Description: Researchers uncovered another Microsoft zero-day vulnerability. One of the critical bugs could allow an attacker to inject a DLL into Internet Explorer 11. After the injection, the exploit opens a filepicker and an HTML page that contains JavaScript that executes in a lower security context. There is also a zero-day privilege escalation vulnerability in Windows Error Reporting.
Snort SIDs: 50183, 50184
Title: Winnti malware now appears on Linux
Description: A new variant of the Winnti malware has been spotted in the wild being exploited on Linux machines. The malware acts as a backdoor for attackers. There are two different files — a main backdoor and a library that can hide the malware’s activity. Winnti’s primary role is to handle communications and deploy other modules directly from the command and control (C2) server.
Snort SIDs: 50164 - 50167
Most prevalent malware files this week
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950
MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb
Typical Filename: maf-task.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950
MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb
Typical Filename: maf-task.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG