Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosblog[email protected] (Jon Munshaw)TALOSBLOG:D1FBF71CB240DC823F33A45836CDCAF9
HistoryOct 24, 2019 - 11:00 a.m.

Threat Source newsletter (Oct. 24, 2019)

2019-10-2411:00:02
[email protected] (Jon Munshaw)
feedproxy.google.com
30
JSON


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Never assume that a malware family is really dead. We’ve done it time and time again with things like Emotet, and Gustuff is proving it once again. The banking trojan, after we first discovered it earlier this year, is back with a version 2, targeting a new round of victims and deploying new anti-detection techniques.

We also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

**Event:**Talos at BSides Belfast**** **Location: **Titanic Belfast, Belfast, Northern Ireland **Date: **Oct. 31 **Synopsis: Several researchers from Talos will be on hand at BSides Belfast to deliver four different talks. Martin Lee will provide a general overview of the benefits of threat hunting, Nick Biasini and Edmund Brumaghin will walk through a recent wave of supply chain attacks, then, Brumaghin and Earl Carter will deliver their “It’s Never DNS…It Was DNS” talk, and, finally, Paul Rascagneres walks through his recent research into attacks on iOS. **
****Event:“It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots” at SecureWV/Hack3rCon X
**Location:**Charleston Coliseum & Convention Center, Charleston, WV
**Date:**Nov. 15 - 17
**Speakers:**Edmund Brumaghin and Earl Carter
**Synopsis:**While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.

Cyber Security Week in Review

  • Popular VPN service NordVPN confirmed a rumored data breach this week. Researchers first reported that the company left an expired internal private key exposed, which could allow anyone to start their own servers and disguise them as legitimate NordVPN servers.
  • The U.S. military continues to search for skilled hackers as it thinks about the future of cyber warfare. U.S. Cyber Command was even recently elevated to be considered one of America’s 11 “unified combatant commands.”
  • Amazon’s Echo and Kindle devices are open to a Wi-Fi vulnerability that could allow attackers to conduct man-in-the-middle actions. Malicious users could carry out denial-of-service attacks, intercept information sent to the devices and decrypt information processed by the victim machine.
  • Security experts are critical of members of U.S. Congress who entered an ultra-secure area with their cell phones. Republicans were attempting to disrupt a hearing regarding the impeachment of U.S. President Donald Trump, entering an area that has restrictions against using mobile devices.
  • An internal memo says the White House’s wireless network could be open to attack. The Trump administration is forcing out many longstanding IT staff, which a report says could leave the White House vulnerable to a “network compromise.”
  • Researchers discovered a Vietnamese student was behind 42 malicious apps uploaded to the Google Play store. The apps would eventually display malicious apps a few minutes after users initially opened them.
  • Apple removed 17 malicious apps from its iOS store. The apps all contained malicious trojans that would eventually carry out click fraud and delivering malicious web pages.
  • Business-to-business payment provider Billtrust says it is still recovering from a ransomware attack. The company has yet to disclose the exact strain of the malware, but says most of its services are back online roughly a week after initial infection.
  • Democratic Congressional representatives introduced a new bill this week to strengthen the security of internet-of-things devices. The measure would establish a new panel of experts that would create “cyber benchmarks” for IoT devices.

Notable recent security issues

Title:Gustuff V2
**Description:**The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS. The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions.
**Snort SIDs:51908 - 51922
** ****Title:Attackers use malicious GIFs to attack WhatsApp
**Description:**The WhatsApp messaging app contains a double-free vulnerability. An attacker could exploit this vulnerability, identified as CVE-2019-11932, to carry out a variety of malicious activities, including memory leaks and arbitrary code execution. The exploitation of this bug requires the attacker to send a WhatsApp user a specially crafted GIF. These rules prevent attackers from carry out remote code execution through these GIFs. **** **Snort SIDs: **51953 - 51956 (By Tim Muniz)

Most prevalent malware files this week

SHA 256:7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
**MD5:**4a50780ddb3db16ebab57b0ca42da0fb
**Typical Filename:**xme64-2141.exe
**Claimed Product:**N/A
**Detection Name:**W32.7ACF71AFA8-95.SBX.TG

SHA 256:46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08
**MD5:**db69eaaea4d49703f161c81e6fdd036f
**Typical Filename:**xme32-2141-gcc.exe
**Claimed Product:N/A
Detection Name:W32.46B241E3D3-95.SBX.TG **
****SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
**MD5:**e2ea315d9a83e7577053f52c974f6a5a
**Typical Filename:**c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
**Claimed Product:**N/A
**Detection Name:**W32.AgentWDCR:Gen.21gn.1201

SHA 256:85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5**** **MD5: **8c80dd97c37525927c1e549cb59bcbf3 **Typical Filename: **Eternalblue-2.2.0.exe **Claimed Product: **N/A **Detection Name: **W32.WNCryLdrA:Trojan.22k2.1201

SHA 256:15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
**MD5:**799b30f47060ca05d80ece53866e01cc
**Typical Filename:**mf2016341595.exe
Claimed Product:N/A **Detection Name: **W32.Generic:Gen.22fz.1201

Related

githubexploit 11
symantec 1
exploitpack 1
thn 1
cve 1
checkpoint_advisories 1
trendmicroblog 1
osv 1
packetstorm 1
prion 1
zdt 2
exploitdb 1
threatpost 1
impervablog 1
githubexploit
githubexploit
Exploit for Double Free in Whatsapp
2020-09-12 07:18:57
Exploit for Double Free in Whatsapp
2019-10-03 09:26:24
Exploit for Double Free in Android-Gif-Drawable Project Android-Gif-Drawable
2019-10-04 13:45:44
symantec
symantec
Android-gif-drawable CVE-2019-11932 Double Free Remote Code Execution Vulnerability
2019-10-04 00:00:00
exploitpack
exploitpack
Whatsapp 2.19.216 - Remote Code Execution
2019-10-16 00:00:00
thn
thn
Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp
2019-10-03 08:46:00
cve
cve
CVE-2019-11932
2019-10-03 22:15:00
checkpoint_advisories
checkpoint_advisories
WhatsApp For Android Remote Code Execution (CVE-2019-11932)
2019-10-07 00:00:00
trendmicroblog
trendmicroblog
This Week in Security News: Skimming and Phishing Scams Ahead of Black Friday and Polish Hacking Team Wins Capture the Flag Competition
2019-11-27 13:30:48
osv
osv
CVE-2019-11932
2019-10-03 22:15:10
packetstorm
packetstorm
Whatsapp 2.19.216 Remote Code Execution
2019-10-16 00:00:00
prion
prion
Double free
2019-10-03 22:15:00
zdt
zdt
Android-Gif-Drawable Double-Free Vulnerability
2019-11-29 00:00:00
Whatsapp 2.19.216 - Remote Code Execution Exploit
2019-10-17 00:00:00
exploitdb
exploitdb
Whatsapp 2.19.216 - Remote Code Execution
2019-10-16 00:00:00
threatpost
threatpost
WhatsApp Flaw Opens Android Devices to Remote Code Execution
2019-10-03 13:04:23
impervablog
impervablog
The State of Vulnerabilities in 2019
2020-01-23 08:56:58
JSON
Related for TALOSBLOG:D1FBF71CB240DC823F33A45836CDCAF9
githubexploit11symantec1exploitpack1thn1cve1checkpoint_advisories1trendmicroblog1osv1packetstorm1prion1zdt2exploitdb1threatpost1impervablog1