Lucene search

talosblog[email protected] (Jon Munshaw)TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E
HistoryJan 30, 2020 - 11:00 a.m.

Threat Source newsletter (Jan. 30, 2020)

[email protected] (Jon Munshaw)





Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Be sure to pay close attention Tuesday for some changes we have coming to We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event:A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days **Location: **Forum Fribourg, Granges-Paccot, Switzerland **Date: **Feb. 12 - 13 **Speakers: **Paul Rascagnères **Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.

Cyber Security Week in Review

  • State-sponsored actors linked to Turkey are believed to be behind a recent wave of cyber attacks targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year.
  • Facebook executives backed the security of its WhatsApp messaging software, saying it could not have been at fault for the hacking of Amazon CEO Jeff Bezos’ phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS’ security.
  • The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for private assistance with security. For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe.
  • Dozens of United Nations servers and user accounts were breached during an August cyber attack, according to new leaked reports. Staff members working in the UN’s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach.
  • The Japanese government adopted a series of new policies this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator.
  • Cisco launched a new security architecture platform for IoT devices this week. Cisco Cyber Vision provides users with software and services backed by Talos’ intelligence to identify threats and vulnerabilities in IoT assets in real-time.
  • Facebook agreed to pay $550 million as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent.
  • The actor behind the Maze ransomware dumped a large amount of victim data online this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze’s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked.
  • The latest security update to iOS allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine.

Notable recent security issues

Title:Cisco urging users to update Firepower Management Center immediately to fix severe bug
**Description:**Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability — which was assigned a 9.8 severity score out of 10 — exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager.
**Snort SIDs:52627 – 52632, 52641 - 52646
** ****Title:
Exploitation of Citrix vulnerability spikes after POC released, patches followed
**Description:**Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline.
**Snort SIDs:**52620

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 **MD5: **8c80dd97c37525927c1e549cb59bcbf3 **Typical Filename:**eternalblue-2.2.0.exe **Claimed Product: **N/A **Detection Name: **

SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
**Typical Filename:**qmreportupload.exe
Claimed Product: qmreportupload **Detection Name: **Win.Trojan.Generic::in10.talos

SHA 256:c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94**** **MD5: **7c38a43d2ed9af80932749f6e80fea6f **Typical Filename: **xme64-520.exe Claimed Product: N/A
**Detection Name:**PUA.Win.File.Coinminer::1201

SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a **Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f **Claimed Product: N/A Detection Name:W32.AgentWDCR:Gen.21gn.1201 **
****SHA 256:
**MD5:**a917d39a8ef125300f2f38ff1d1ab0db **Typical Filename: **FFChromeSetters **Claimed Product: **N/A **Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.