Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
By now, nearly everyone has heard of BlueKeep. It definitely sounds scary, with of this talk of wormable bugs and WannaCry. But so far, no attackers have used it to launch a large-scale attack.
Of course, we knew this wouldn’t stay quiet forever. Last month, Microsoft disclosed more RDP vulnerabilities in what’s being called “DejaBlue.” These are another set of wormable bugs, but we have a walkthrough for how Cisco Firepower customers can stay protected.
Elsewhere on the vulnerability front, we have advisories out for an information disclosure in Blynk-Library and two bugs in Epignosis eFront.
We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Event:“DNS on Fire” at Virus Bulletin 2019
**Location:**Novotel London West hotel, London, U.K.
**Date:**Oct. 2 - 4
**Speaker:**Warren Mercer and Paul Rascagneres
**Synopsis:**In this talk, Paul and Warren will walk through two campaigns Talos discovered targeted DNS. The first actor developed a piece of malware, named “DNSpionage,” targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect DNSs from the targets and discovered some registered SSL certificates for them. The talk will go through the two actors’ tactics, techniques and procedures and the makeup of their targets.
** **Event: “It’s never DNS…It was DNS: How adversaries are abusing network blind spots” at SecTor **Location: **Metro Toronto Convention Center, Toronto, Canada **Date: **Oct. 7 - 10 **Speaker: **Edmund Brumaghin and Earl Carter **Synopsis: **While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Title:New protection fends off password-stealing attacks from popular VPN servicef
**Description:**Last week, attackers began launching password-stealing attacks against the Fortigate and Pulse VPN services. At the time, Cisco Talos released SNORT® rules to protect Pulse VPN, and there is now additional protection for Fortigate. Attackers are attempting to steal encryption keys, passwords and other important data from servers utilizing these two VPN services. These bugs can be exploited by sending the unpatched servers a specialized Web request that contains a special sequence of characters.
**Snort SIDs:**51370 – 51372, 51387 (Written by John Levy)
** ****Title:**Multiple vulnerabilities disclosed in Cisco NX-OS software
**Description:**Cisco disclosed three denial-of-service vulnerabilities in its NX-OS software: CVE-2019-1965, CVE-2019-1964 and CVE-2019-1962. These bugs can cause a variety of conditions, including forced reboots, crashes or disruption of certain processes. All three are considered high-severity vulnerabilities.
**Reference:**https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
**Snort SIDs:**51365 - 51367 (Written by John Levy)
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3**** **MD5: **47b97de62ae8b2b927542aa5d7f3c858 **Typical Filename: **qmreportupload.exe **Claimed Product: **qmreportupload **Detection Name: **Win.Trojan.Generic::in10.talos
SHA 256: 9a082883ad89498af3ad8ece88d982736edbd46d65908617cf292cf7b5836dbc****
**MD5:**7a6f7f930217521e47c7b8d91fb79649
Typical Filename: DHL Scan File.img **Claimed Product:IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER! Detection Name: W32.9A082883AD-100.SBX.TG **
****SHA 256:7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 **MD5: **4a50780ddb3db16ebab57b0ca42da0fb **Typical Filename: **xme64-2141.exe **Claimed Product: **N/A **Detection Name: W32.7ACF71AFA8-95.SBX.TG **
****SHA 256:1755c179f08a648a618043a5af2314d6a679d6bdf77d4d9fca5117ebd9f3ea7c
**MD5:**c785a8b0be77a216a5223c41d8dd937f
**Typical Filename:cslast.gif
Claimed Product:N/A
Detection Name: W32.1755C179F0-100.SBX.TG **
****SHA 256: 093cc39350b9dd2630a1b48372abc827251a3d37bd88c35cea2e784359b457d7
**MD5:**3c7be1dbe9eecfc73f4476bf18d1df3f
**Typical Filename:**sayext.gif
**Claimed Product:**N/A
**Detection Name:**W32.093CC39350-100.SBX.TG