Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
This wasn’t your average Patch Tuesday. Microsoft’s monthly security update was notable for a few reasons. For starters, it’s really time to give up Windows 7, since this is the last free update Microsoft will issue for the operating system.
There was also a vulnerability that made headlines for leaving Windows open to cryptographic spoofing, which could allow an attacker to sign a malicious file as if it came from a trusted source. The bug was so severe that Microsoft even reached out to the U.S. military ahead of time to issue them an early patch. For more on Patch Tuesday, you can check out our roundup here and our Snort rule release here.
Elsewhere in the vulnerability department, we also released new Snort rules to protect users against some notable Citrix bugs that have been used in the wild.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
**Event:**Talos Insights: The State of Cyber Security at Cisco Live Barcelona
**Location:**Fira Barcelona, Barcelona, Spain
Date: Jan. 27 - 31 **Speakers: **Warren Mercer **Synopsis: **Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. We are responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Title:Microsoft patches 49 vulnerabilities as part of Patch Tuesday
**Description:**Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. Patch Tuesday covers 49 vulnerabilities, eight of which are considered critical. This month’s security update is particularly important for its disclosure of two vulnerabilities related to a core cryptographic component in all versions of Windows. CVE-2020-0601 could allow an attacker to use cryptography to sign a malicious executable, making the file appear as if it was from a trusted source. The victim would have no way of knowing if the file was malicious. Cyber security reporter Brian Krebs says the vulnerability is so serious, Microsoft secretly deployed a patch to branches of the U.S. military prior to today.
**Snort SIDs:**52593 - 51596, 52604, 52605
Title:ZeroCleare wiper malware deployed on oil refinery
**Description:**ZeroCleare, a wiper malware connected to an Iranian hacker group, was recently deployed against a national oil refinery in Bahrain. An upgraded version has been spotted in the wild, according to security researchers, which can delete files off infected machines. The latest attacks match previous attacks using this malware family, which have gone after other targets connected to Saudi Arabia. Concerns over Iranian cyber attacks have spiked since the U.S. killed a high-profile Iranian general in a drone strike.
**Snort SIDs:**52572 – 52581
SHA 256:1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
**MD5:**c2406fc0fce67ae79e625013325e2a68
**Typical Filename:**SegurazoIC.exe
**Claimed Product:Digital Communications Inc.
Detection Name:PUA.Win.Adware.Ursu::95.sbx.tg
** ****SHA 256:d73ea76f6f07f96b337335213418b58e3fbc7e4b519fec0ef3fbd19c1d335d81 **MD5: **5142c721e7182065b299951a54d4fe80 **Typical Filename: **FlashHelperServices.exe **Claimed Product: **Flash Helper Service **Detection Name: **PUA.Win.Adware.Flashserv::1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f****
**MD5:**e2ea315d9a83e7577053f52c974f6a5a
Typical Filename:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin **Claimed Product: **N/A **Detection Name: W32.AgentWDCR:Gen.21gn.1201 **
****SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
**MD5:**799b30f47060ca05d80ece53866e01cc
**Typical Filename:**mf2016341595.exe
**Claimed Product:**N/A
**Detection Name:W32.Generic:Gen.22fz.1201
** ****SHA 256:da231330efd623bc7d116ed233828be88951b9df7cc889e747d31279bdf2c2a0
**MD5:**4a4ee4ce27fa4525be327967b8969e13
**Typical Filename:**4a4ee4ce27fa4525be327967b8969e13.exe
Claimed Product: N/A **Detection Name: **PUA.Win.File.Coinminer::tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.