Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
It’s that time again to update all your Microsoft products. The company released its monthly update Tuesday, disclosing more than 60 vulnerabilities in a variety of its products. This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. We’ve got a rundown of the most important bugs here, and all our Snort coverage here.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
P.S., we have to give ourselves a pat on the back for the researchers who took home the top honors at the Virus Bulletin conference, winning the Péter Ször Award.
Event: “It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
Location: Charleston Coliseum & Convention Center, Charleston, WV
Date: Nov. 15 - 17
Speakers: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
*Event: *Talos at BSides Belfast
Location: Titanic Belfast, Belfast, Northern Ireland
Date: Oct. 31
Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumahin and Earl Carter will deliver their “It’s Never DNS....It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.
Title: Microsoft discloses 60 vulnerabilities as part of monthly security update
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Snort SIDs: 51733 - 51736, 51739 - 51742, 51781 - 51794
*Title: *Multiple vulnerabilities in Schneider Electric Modicon M580
Description: There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs exist in the Modicon's use of FTP. Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities.
Snort SIDs: 49982, 49983
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
*SHA 256: *7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
Typical Filename: xme64-2141.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256: ce8cb7c8dc29b9e4feab463fdf53b569b69e6a5c4ab0e50513b264563d74a6ac
Typical Filename: dllhostex.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.CoinMiner:CryptoMinerY.22k3.1201
*SHA 256: *c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201