Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
The only news we’re going to cover this week is the biggest news we’ve had in a while. Tuesday, we announced that Cisco Incident Response was becoming part of the Talos family. We’ve been working together for years, but now we’ll be closer than ever, so Incident Response can benefit from Talos’ intelligence, while their boots-on-the-ground experience will only add to Talos’ portfolio.
Check out our announcement blog post for more information. The Talos Incident Response at-a-glance also provides an overview of the services IR provides. And the new IR page on TalosIntelligence.com gives you an easy way to contact IR, should you need their services.
We also have a special edition of the Beers with Talos podcast, where Amy Henderson of Talos’ Threat Interdiction team joins us to talk about the benefits of this new relationship.
Upcoming public engagements with Talos
Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon XLocation: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Event: “Reading Telegram messages abusing the shadows” at BSides Lisbon
Location: Auditorio FMD-UL, Lisbon, Portugal
Date: Nov. 28 - 29
Speakers: Vitor Ventura
Synopsis: One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications.
Event: “Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks” at CactusCon
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Dec. 6 - 7
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: This talk will discuss the common techniques we’re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future.
Cyber Security Week in Review
- The first public exploitation of the BlueKeep vulnerability hit over the weekend. Security researchers noticed the attacks in honeypots installing cryptocurrency miners, far from the worst possible outcome from these kinds of attacks.
- The U.S. and Taiwan held cyber war exercises this week being touted as the first of their kind. Taiwanese officials say the two countries focused on attacks that could come from North Korean-linked adversaries and other nation-state actors.
- The head of Russia’s State Security Service recently said at a conference Russia and the U.S. have resumed cooperation on cyber security. Russia is maintaining contact between their security experts and the CIA, FBI and DEA in the U.S., he said.
- Google is teaming up with three private cyber security firms to scan the Google Play store for malicious apps. Malware authors have been able to create ways to bypass the traditional protections Google put in place to stop malicious apps before they are posted on the store.
- Two former Twitter employees were charged with spying on behalf of Saudi Arabia. American prosecutors say the two men used their privileged access to gather information on Saudi political dissidents.
- Voting machines in one Indiana country reportedly switched users’ votes, one of a few reports of malfunctioning machines on election day in the U.S. Several voters reported that the touchscreen machines would not select the candidate they wanted to choose, errors that are backed up with video evidence.
- Apple released updates for its Catalina operating system and iOS to patch several critical remote code execution vulnerabilities. The U.S. Department of Homeland Security urged users to update their devices as soon as possible.
- Malware authors are starting to unleash a wave of politically themed malware. Talos recently discovered malware families using the likenesses of U.S. Donald Trump and Russian leader Vladimir Putin in a series of ransomware, RATs and screenlockers.
Notable recent security issues
Description: Google Chrome is urging users to update their web browsers as soon as possible due to a critical use-after-free vulnerability. The company says it will be releasing updates this week to protect against exploitation of the bug. The vulnerability, identified as CVE-2019-13720, exists in Chrome’s audio component, and could allow an attacker to execute arbitrary code or enable full remote code execution capabilities.
Snort SIDs: 52068, 52069
Title: Two remote code execution vulnerabilities in Investintech Able2Extract
Description: Cisco Talos recently discovered two remote code execution vulnerabilities in Investintech’s Able2Extract Professional. This software is a cross-platform PDF tool for Windows, Mac and Linux that converts PDFs and allows users to create and edit them. Other features include PDF signing, redactions and annotations. An attacker could exploit these vulnerabilities to execute arbitrary code on the victim machine.
Snort SIDs: 50864 - 50869
Most prevalent malware files this week
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854
MD5: 74f4e22e5be90d152521125eaf4da635
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854
MD5: 74f4e22e5be90d152521125eaf4da635
Typical Filename: jsonMerge.exe
Claimed Product: ITSPlatform
Detection Name: W32.GenericKD:Attribute.22lk.1201
SHA 256: 46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f
Typical Filename: xme32-2141-gcc.exe
Claimed Product: N/A
Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.WNCryLdrA:Trojan.22k2.1201