Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Adobe Releases Security Advisory for Flash Vulnerability Under Active Exploitation; Forthcoming Patch To Be Released Apr 7
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Emerging Threats @ AtlSecCon 2016
Date: 2016-04-07 & 2016-04-08
Speaker: Earl Carter, Threat Researcher
Description: Cisco Talos has a unique view into the ever-evolving threat landscape. We constantly research and identify how threat actors are evolving their skills and tactics by analyzing massive data feeds and working with teams of security experts. During this talk we will provide detailed analysis of the current threat landscape by examining the major threats that we have researched over the past 6-9 months. Some of the threats we plan to cover include SSHPsychos, the evolution of the Cryptowall ransomware, the Angler Exploit Kit, Rombertik, and phishing campaigns.
Reference: https://atlseccon.com/

Event: Talos: Threat Intelligence and the Emerging Threat Landscape @ Cisco Geekfest
Date: 2016-04-13 @ 10:30am
Speaker: William Largent, Threat Researcher
Description: Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://cisco.cvent.com/events/2016-cisco-geekfest/event-summary-77abe9b97e3f414da87b3bfd8c1300ee.aspx

Event: Threat Mitigation @ Cisco Live Local Edition - Boxborough
Date: 2016-04-14
Speaker: Jaeson Schultz, Technical Leader
Description: In this presentation you will get a behind-the-scenes look at how Cisco's Talos Security Intelligence & Research Group gathers, processes, and disseminates threat intelligence data to counter emerging attacks. As part of this presentation we will also discuss some of the hottest, most inventive research coming out of the Talos Group.
Reference: http://demand.cisco.com/CS04141601_CiscoLiveLocalEdition

Event: Talos: Cisco's Secret Weapon in Understanding Today's Threat Landscape @ Cisco Security Week - St. Louis
Date: 2016-05-10 - 2016-05-12
Speaker: William Largent, Threat Researcher
Description: Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~STL

Event: Emerging Threats - The State of Cyber Security @ Cisco Connect - Toronto
Date: 2016-05-18 - 2016-05-19
Speaker: Earl Carter, Threat Researcher
Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary to help secure a network in light of this ever-changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Reference: http://ciscoconnecttoronto.ca/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Adobe Releases Security Advisory for Flash Vulnerability Under Active Exploitation; Forthcoming Patch To Be Released Apr 7
Description: Adobe has released a security advisory for a Flash Player vulnerability that is under active exploitation in the wild. CVE-2016-1019 is a critical vulnerability that affects Flash Player versions 20.0.0.306 and earlier. Flash Player versions 21.0.0.197 and later are not affected due to a mitigation introduced in 21.0.0.182. Users are advised either to update their Flash Player installations to the most up-to-date version or to disable Flash Player in their browser to reduce the risk of compromise. Adobe has scheduled a security update to be released on Thurs, Apr 7 that will address this vulnerability.
Reference: https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
Snort SID: Detection pending

Title: Google Releases Monthly Security Bulletin for Android and Nexus Devices; Multiple Critical Flaws Patched
Description: Google has released its monthly security bulletin for the Android OS and Nexus devices. This month's bulletin addresses 39 vulnerabilities within the mobile operating system, with 15 flaws rated "Critical," 16 rated "High," and 8 rated "Important." The majority of the "Critical" severity vulnerabilities are remote code execution flaws within the DHCPCD, Media Codec, Mediaserver, and libstagefright libraries/components. Google has released an over-the-air update to address these flaws in Nexus devices. In addition, Android partners have been notified of these flaws, and source code addressing them has been released.
Reference: https://source.android.com/security/bulletin/2016-04-02.html

Title: Cisco Releases Security Advisory Addressing Flaw in FirePower Software
Description: Cisco has released a security advisory to address a flaw in the "malicious file detection and blocking features of Cisco Firepower System Software." CVE-2016-1345 results from improper validation of HTTP headers, allowing an attacker to send a specially crafted HTTP request that bypasses malicious file detection and blocking policies. This vulnerability affects both FirePOWER appliances and any device running FirePower System Software, such as ASAs. Cisco has released a software update that addresses this vulnerability.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160330-fp

Title: Multiple Vulnerabilities Identified in Quanta LTE Routers
Description: An independent security researcher, Pierre Kim, has identified multiple vulnerabilities in Quanta LTE routers, ranging from hard-coded SSH keys and backdoor accounts to network eavesdropping. In total, Kim identified over 20 security vulnerabilities or issues. Per the advisory Kim posted, Quanta has indicated that the router is End-of-Life and will not work on addressing the security vulnerabilities that have been identified.
Reference: https://pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
WhatsApp Now Includes End-to-End Encryption of Messages and Calls https://www.whispersystems.org/blog/whatsapp-complete/
Tax Day Extortion: PowerWare Crypto-ransomware Targets Tax Files http://blog.trendmicro.com/trendlabs-security-intelligence/tax-day-extortion-powerware-crypto-ransomware-targets-tax-files/
How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-leak-whistleblower-history/
Open Source GPS Tracking System: Traccar https://n0where.net/open-source-gps-tracking-system-traccar/
Domino's: Pizza and Payments http://www.ifc0nfig.com/dominos-pizza-and-payments/
Research Spotlight: Enabling Evil for Pocket Change http://blog.talosintel.com/2016/04/enabling-evil.html?f_l=ts
============================================================
MOST PREVALENT MALWARE FILES 2016-03-29 - 2016-04-05: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E
MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9
VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: N/A
Detection Name: OSX.Variant:SpigotD.19d2.1201

SHA 256: 8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A
MD5: cc9e1075db0645f1032f8c4b4412deba
VirusTotal: https://www.virustotal.com/file/8897F94710F3CA65AF0E52F6E2B76E6319DD5FB0DD6AD0968F8ACC0D25EE783A/analysis/#additional-info
Typical Filename: windkuh.exe
Claimed Product: N/A
Detection Name: W32.Crypt:SalityGR.18i0.1201

SHA 256: F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55
MD5: 51e63633487f9180ec8031980684bf86
VirusTotal: https://www.virustotal.com/file/F4AE1A3D610A57547F014215A5D7AAED8572CD36AA77A9567C183F11430A6B55/analysis/#additional-info
Typical Filename: nidmp.exe
Claimed Product: N/A
Detection Name: W32.Malware:Pramro.19cf.1201

SHA 256: 3041609F9A5A8DDF6336C044D95DED232F14D07C2A50ACEC692EB785F04C32E4
MD5: ea397c683289f02e4f5fe09327e03962
VirusTotal: https://www.virustotal.com/file/3041609F9A5A8DDF6336C044D95DED232F14D07C2A50ACEC692EB785F04C32E4/analysis/#additional-info
Typical Filename: hiycf.exe
Claimed Product: N/A
Detection Name: Trojan:Sality-tpd

SHA 256: F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B
MD5: 0612402ad98c8c31cd6f2b914a419039
VirusTotal: https://www.virustotal.com/file/F9B8F7F285F811EE720CCE7BCCD98A421A26FB90DD7B022118D4B4E1F340036B/analysis/#additional-info
Typical Filename: rlng.exe
Claimed Product: N/A
Detection Name: W32.Malware:Pramro.19di.1201
============================================================
SPAM STATS FOR 2016-03-29 - 2016-04-05:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM