Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We disclosed several vulnerabilities this week, including two in Simple DirectMedia Layer, and a memory corruption bug in the V8 JavaScript engine in Google Chrome.
This week also saw the rise of an old favorite — exploit kits. While we don’t see them as often as we used to, Talos recently discovered a campaign using the infamous “Heaven’s Gate” technique to deliver a series of remote access trojans and information-stealers.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week. Due to the Fourth of July holiday in the U.S., expect our blog and social media to be fairly quiet over the next few days.
Upcoming public engagements with Talos
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Cyber Security Week in Review
- The U.S. Food and Drug Administration recalled a line of insulin pumps due to security concerns. The agency cited a vulnerability disclosure from the company behind the pumps that says "an unauthorized person” could exploit a bug to connect to the devices wirelessly and change its settings.
- The U.S. Food and Drug Administration recalled a line of insulin pumps due to security concerns. The agency cited a vulnerability disclosure from the company behind the pumps that says "an unauthorized person” could exploit a bug to connect to the devices wirelessly and change its settings.
- A new variant of the Dridex ransomware contains anti-virus evasion techniques that makes it more difficult to detect. Security researchers say the new variant, which first appeared last month, uses Application Whitelisting techniques to disable or bypass Windows Script Host.
- A new malware strain known as “Silexbot” has bricked more than 4,000 internet-of-things devices so far. Researchers believe a teenager may even be behind the attack.
- A security breach at a major cloud services provider may have exposed its customers’ emails and other data. PCM Inc. says it discovered the attack earlier this year, and believes malicious actors may have gained access to some of its clients’ email and file-sharing systems.
- U.S. Cyber Command urged Microsoft Outlook users to patch their software as soon as possible. The agency says its discovered attacks that exploit a specific Outlook vulnerability that appear to originate from Iran.
- Google removed more than 100 adware-infected apps from its store. Security researchers say the apps had been downloaded a combined 9.3 million times, often using victim’s phones to boost advertising revenue.
- Hackers took down the network of Georgia’s court system with a ransomware attack this week, though the system was restored relatively quickly. Government leaders say it appears the attack originated from a foreign country.
- Facebook removed 30 accounts that have helped spread malware over the past five years. The social media site said the attacks centered around fake Libya news websites, tempting users to open malicious sites and then downloading a remote access trojan.
- A Chinese tech company that produces smart home devices has been leaking users’ logs for years. Researchers discovered a database belonging to Orvibo sitting on an ElasticSearch server with no password protection.
Notable recent security issues
Title: Spelevo exploit kit pops up to deliver banking trojans
Description: Researchers at Cisco Talos discovered a new exploit kit known as “Spelevo.” While exploit kit activity has quieted down over the past few years, this new campaign uses some old tricks — such as exploiting Adobe Flash Player vulnerabilities — to infect victims. It then delivers various payloads, but mainly banking trojans such as IcedID and Dridex. The actors behind Spelevo seem to be strictly financially motivated.
Snort SIDs: 50509 - 50511
Title: Firefox patches critical zero-day used to target Macs
Description: Firefox patched a series of bugs in its latest update, but most notably fixed a vulnerability that attackers exploited to install cryptocurrency miners. Last week, the web browser released a fix for a code-execution vulnerability in a JavaScript programming method known as “Array.pop,” and then a sandbox breakout bug the next day. Two new Snort rules from Talos protect against the Array vulnerability.
Snort SIDs: 50518, 50519
Most prevalent malware files this week
SHA 256: 440944ab47cc3140207179f5449ddacb32883a74a9cff11141fdf494eaf21592
MD5: dd77416ab164d3423b00f33380cf06ca
Typical Filename: SafeInstaller
Claimed Product: SafeInstaller
Detection Name: PUA.Win.Downloader.Installiq::tpd
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
Typical Filename: N/A
Claimed Product: JPMorganChase Instructions SMG 82749206.pdf
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201