Lucene search

K
talosblog[email protected] (Jon Munshaw)TALOSBLOG:02A78D6B13F66FBEAB2455A025752712
HistoryJan 10, 2020 - 7:13 a.m.

Threat Source newsletter (Jan. 9, 2019)

2020-01-1007:13:41
[email protected] (Jon Munshaw)
feedproxy.google.com
97

0.967 High

EPSS

Percentile

99.6%


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We’re back after a long break for the holidays. And 2020 is already off to a fast start as tensions continue to rise in the Middle East.

We’ve gotten a lot of questions about whether customers and users should be concerned about cyber attacks from Iran after they’ve exchanged missile strikes with the U.S. But the reality of the situation is, if you haven’t already been preparing from attacks for state-sponsored actors, it’s already too late. We run down our thoughts on the situation here.

We also have our first Beers with Talos episode of the new year out, where the guys run down the top threats of 2019 and talk about what lessons we learned.

Upcoming public engagements

**Event:**Talos Insights: The State of Cyber Security at Cisco Live at Cisco Live Barcelona
**Location:**Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31 **Speakers: **Warren Mercer **Synopsis: **Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Cyber Security Week in Review

  • The U.S. Department of Homeland Security issued a warning this week asking American organizations to prepare for potential cyber attacks from Iran. State-sponsored actors from the region were expected to respond after the U.S. killed a high-profile Iranian general in a drone strike.
  • Even though the U.S. and Iran seemed to walk back from their threats of physical retaliation against one another Wednesday, the threat of a cyber attack still lingers. Many researchers are using this discussion as an opportunity to remind defenders that a proxy cyber war has been raging for years between the two countries.
  • International currency exchange marketplace Travelex is still recovering from a ransomware attack earlier this month. The attackers, believed to be Sodinokibi, have requested a $6 million extortion payment.
  • The city of Las Vegas says it successfully thwarted a cyber attack that could have shut down many of its government operations. Officials said they first detected an intrusion on Jan. 7 and removed the malware before any damage could be done.
  • Mozilla released an emergency update for the Firefox web browser that fixes a bug attackers were exploiting in the wild. CVE-2019-17026 is a type confusion vulnerability that could allow an attacker to write data to or from memory locations that are normally closed off.
  • The popular social media app TikTok puts users at risk of having their accounts completely taken over with just an SMS message. A chain of vulnerabilities could allow an attacker to infect a user’s mobile device, then gain access to the user’s TikTok account and remove, add or edit videos.
  • California’s privacy law went into effect at the start of the new year, leaving many massive companies scrambling to clean up some of their privacy policies. Under the new law, a user may ask most major internet companies to disclose what personal information they store on the individual and how the company may profit off it.
  • A new update to Google Chrome is expected to cut down on notification spam. Chrome is changing its notifications API so the notifications are less intrusive, and to make it more difficult for cybercrime groups to exploit them.
  • The FBI is once again asking Apple to unlock iPhones for them. The agency is attempting to access the devices, which belonged to a man who committed a mass shooting at an American naval base.

Notable recent security issues

Title:Cisco patches dozen vulnerabilities in Data Center Network Manager
**Description:**Cisco released multiple security advisories last week announcing patches for 12 vulnerabilities in the Data Center Network Manager software. The software allows users to manage their Cisco switches and fabric extenders. Three of the vulnerabilities disclosed (CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977) could allow an unauthenticated, remote attacker to bypass authentication and carry out a variety of malicious tasks with administrative privileges on an affected device.
**Snort SIDs:52530 - 52547
** ****Title:
Buffer overflow vulnerabilities in OpenCV **** **Description: **Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org. OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking and various machine learning programs. **Snort SIDs: **50774, 50775 (By Dave McDaniel)

Most prevalent malware files this week

SHA 256:d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81**** **MD5: **5142c721e7182065b299951a54d4fe80 **Typical Filename: **FlashHelperServices.exe **Claimed Product: **Flash Helper Service **Detection Name: **PUA.Win.Adware.Flashserv::1201 **
**SHA 256: 5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa **MD5: **121e1634bf18768802427f0a13f039a9 **Typical Filename: **AA_v3.exe **Claimed Product: **Ammyy Admin **Detection Name: W32.SPR:Variant.22fn.1201 **
****SHA 256:
1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
**MD5:**c2406fc0fce67ae79e625013325e2a68
**Typical Filename:**SegurazoIC.exe
**Claimed Product:**Digital Communications Inc.
**Detection Name:PUA.Win.Adware.Ursu::95.sbx.tg
** ****SHA 256:
d8b594956ed54836817e38b365dafdc69aa7e07776f83dd0f706278def8ad2d1
**MD5:**56f11ce9119632ba360e5b3dd0a89acd
**Typical Filename:**xme64-540.exe
**Claimed Product:**N/A
**Detection Name:PUA.Win.Tool.Coinminer::100.sbx.tg
** SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

**MD5:**e2ea315d9a83e7577053f52c974f6a5a
Typical Filename:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin **Claimed Product: **N/A **Detection Name: **W32.AgentWDCR:Gen.21gn.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.