Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
It’s that time again to update all your Microsoft products. The company released its monthly update Tuesday, disclosing more than 60 vulnerabilities in a variety of its products. This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software. We’ve got a rundown of the most important bugs here, and all our Snort coverage here.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
P.S., we have to give ourselves a pat on the back for the researchers who took home the top honors at the Virus Bulletin conference, winning the Péter Ször Award.
Event:“It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
**Location:**Charleston Coliseum & Convention Center, Charleston, WV
**Date:**Nov. 15 - 17
**Speakers:**Edmund Brumaghin and Earl Carter
**Synopsis:**While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
** ****Event:**Talos at BSides Belfast**** **Location: **Titanic Belfast, Belfast, Northern Ireland **Date: **Oct. 31 **Synopsis: **Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumahin and Earl Carter will deliver their “It’s Never DNS…It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS.
Title: Microsoft discloses 60 vulnerabilities as part of monthly security update **Description: **Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered “critical,” with the rest being deemed “important.”
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
**Snort SIDs:51733 - 51736, 51739 - 51742, 51781 - 51794
** ****Title:Multiple vulnerabilities in Schneider Electric Modicon M580
**Description:**There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, the majority of which can cause a denial of service. The Modicon M580 is the latest in Schneider Electric’s Modicon line of programmable automation controllers. The majority of the bugs exist in the Modicon’s use of FTP. Schneider Electric Modicon M580, BMEP582040 SV2.80, is affected by these vulnerabilities.
**Snort SIDs:**49982, 49983
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3**** **MD5: **47b97de62ae8b2b927542aa5d7f3c858 **Typical Filename: **qmreportupload.exe **Claimed Product: **qmreportupload **Detection Name: Win.Trojan.Generic::in10.talos **
****SHA 256:7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
**MD5:**4a50780ddb3db16ebab57b0ca42da0fb
**Typical Filename:**xme64-2141.exe
**Claimed Product:**N/A
**Detection Name:**W32.7ACF71AFA8-95.SBX.TG
SHA 256:ce8cb7c8dc29b9e4feab463fdf53b569b69e6a5c4ab0e50513b264563d74a6ac
**MD5:**0e02555ede71bc6c724f9f924320e020
**Typical Filename:**dllhostex.exe
**Claimed Product:**Microsoft® Windows® Operating System
**Detection Name:W32.CoinMiner:CryptoMinerY.22k3.1201
** ****SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
**Claimed Product:**N/A
**Detection Name:W32.AgentWDCR:Gen.21gn.1201 **
SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
**MD5:**799b30f47060ca05d80ece53866e01cc
**Typical Filename:**mf2016341595.exe
**Claimed Product:**N/A
**Detection Name:**W32.Generic:Gen.22fz.1201