Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
It was all about the bugs this week. Patch Tuesday was especially busy for us, including our usual recap of all the vulnerabilities Microsoft’s security update this month (two of which we discovered). On top of that, we also disclosed a remote code execution vulnerability in some Intel graphics drivers and another in Exhibitor’s web user interface.
We also recently discovered a wave of actors using living-off-the-land binaries to keep their malware from being detected. We run through how to detect these so-called “LoLBins,” and walk through some campaigns where we’ve seen them being used in the wild.
And, as always, we have our latest Threat Roundup with runs through the top threats we’ve seen (and blocked) over the past week.
Event:“It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
**Location:**Charleston Coliseum & Convention Center, Charleston, WV
**Date:**Nov. 15 - 17
**Speakers:**Edmund Brumaghin and Earl Carter
**Synopsis:**While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Event:“Reading Telegram messages abusing the shadows” at BSides Lisbon**** **Location: **Auditorio FMD-UL, Lisbon, Portugal **Date: **Nov. 28 - 29 **Speakers: **Vitor Ventura **Synopsis: **One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications.
Event:“Signed, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks” at CactusCon
**Location:**Charleston Coliseum & Convention Center, Charleston, WV
Date: Dec. 6 - 7 **Speakers: **Edmund Brumaghin and Earl Carter **Synopsis: **This talk will discuss the common techniques we’re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future.
Title:Microsoft disclosed 13 critical bugs as part of monthly security update
**Description:**Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 75 vulnerabilities, 13 of which are considered “critical,” with the rest being deemed “important.” This month’s security update covers security issues in a variety of Microsoft services and software, including the Scripting Engine, the Windows Hyper-V hypervisor, and Win32. Cisco Talos discovered one of these vulnerabilities, CVE-2019-1448 —a remote code execution vulnerability in Microsoft Excel.
**Snort SIDs:**46548, 46549, 52205 - 52209, 52212, 52213, 52216, 52217 - 52225, 52228 - 52234, 52239, 52240
****Title:**LEADTOOLS toolkit contains several vulnerabilities, including remote code execution
**Description:**Cisco Talos recently discovered multiple vulnerabilities in the LEADTOOLS line of imaging toolkits. LEADTOOLS is a collection of toolkits designed to perform a variety of functions aimed at integrating documents, multimedia and imaging technologies into applications. All of the software is produced by LEAD Technologies Inc. LEADTOOLS offers prebuilt and portable libraries with an SDK for most platforms (Windows, Linux, Android, etc.), that are all geared toward building applications for medical systems. Various pieces of LEADTOOLS contain vulnerabilities that could be exploited by malicious actors to carry out a number of actions, including denial-of-service conditions and the execution of code remotely.
**Snort SIDs:**50824 - 50827, 51930-51938, 51447, 51448
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 **MD5:**4a50780ddb3db16ebab57b0ca42da0fb **Typical Filename:**xme64-2141.exe **Claimed Product: **N/A Detection Name: W32.7ACF71AFA8-95.SBX.TG
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858 **Typical Filename:**qmreportupload **Claimed Product:**qmreportupload Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854 **MD5:**74f4e22e5be90d152521125eaf4da635 **Typical Filename:**jsonMerge.exe **Claimed Product:**ITSPlatform **Detection Name: **W32.GenericKD:Attribute.22lk.1201
SHA 256:46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
MD5: db69eaaea4d49703f161c81e6fdd036f **Typical Filename: **xme32-2141-gcc.exe **Claimed Product:**N/A Detection Name: W32.46B241E3D3-95.SBX.TG
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 **MD5:**8c80dd97c37525927c1e549cb59bcbf3 **Typical Filename:**Eternalblue-2.2.0.exe **Claimed Product:**N/A Detection Name: W32.WNCryLdrA:Trojan.22k2.1201