Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Oracle Releases Quarterly Critical Patch Update for Various Products, Including Java
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos: Cisco's Secret Weapon in Understanding Today's Threat Landscape @ Cisco Security Week - St. Louis
Date: 2016-05-10 - 2016-05-12
Speaker: William Largent, Threat Researcher
Description: Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~STL

Event: Emerging Threats - The State of Cyber Security @ Cisco Connect - Toronto
Date: 2016-05-18 - 2016-05-19
Speaker: Earl Carter, Threat Researcher
Description: The security threat landscape is constantly in flux as attackers evolve their skills and tactics. Cisco's Talos team specializes in the early-warning intelligence and threat analysis necessary to help secure a network in light of this ever-changing and growing threat landscape. Talos advances the overall efficacy of all Cisco security platforms by analyzing data feeds, collaborating with teams of security experts, and developing cutting-edge big data technology to identify security threats. In this talk we will perform deep analysis of recent threats and see how Talos leverages large data intelligence feeds to deliver product improvements and mitigation strategies.
Reference: http://ciscoconnecttoronto.ca/

Event: Exploit Kits: Hunting the Hunters @ 2016 HITBSecConf AMS
Date: 2016-05-26
Speaker: Nick Biasini
Description: Exploit kits are one of the threats that are ever present on the Internet, indiscriminately compromising users who are simply surfing websites. As ransomware has exploded, so has the proliferation of these exploit kits. This combination of ransomware, Tor, and Bitcoin has created a financially lucrative monster. For the last year Talos has been systematically diving into each exploit kit, trying to find nuggets of gold in a sea of compromise. Thus far the results have been promising, with some extremely successful outcomes related to the Angler and Rig exploit kits specifically. This talk will outline the process that was followed, what we found, and how we leveraged it to inflict damage on the users of these exploit kits.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/exploit-kits-hunting-the-hunters/

Event: Go Speed Tracer: Guided Fuzzing @ 2016 HITBSecConf AMS
Date: 2016-05-27
Speaker: Richard Johnson
Description: The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis, including code coverage analysis, constraint solving, and sampling/profiling-based feedback mechanisms.
Reference: http://conference.hitb.org/hitbsecconf2016ams/sessions/go-speed-tracer-guided-fuzzing/
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Oracle Releases Quarterly Critical Patch Update for Various Products, Including Java
Description: Oracle has released its quarterly set of security bulletins for vulnerabilities identified in various Oracle products. This quarter's release addresses 136 security flaws in products including Oracle Database Server, Fusion Middleware, Java, MySQL, Sun products, and more. Nine of the patched flaws are in Java, all of them "remotely exploitable without authentication."
Reference: http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Snort SID: 37505-37506. Additional detection pending release of vulnerability information

Title: NTP Project Releases Update for NTPd, Addressing Various Security Issues
Description: The NTP Project has released a new version of NTPd to address various reported security issues. This release addresses 11 low- and medium-severity security vulnerabilities. Two of the 11 are listed as "Mitigation only," with patches that fully address them to follow in a later release. In addition, the fixes for two flaws addressed in prior NTPd releases (CVE-2015-7974 and CVE-2015-7704/CVE-2015-7705) have been improved.
Reference: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Snort SID: 36536, 37841-37843. Additional rules pending release of vulnerability information

Title: Cisco Releases Five Advisories for Various Denial of Service Vulnerabilities
Description: Cisco has released five advisories for denial of service vulnerabilities identified in various products. Four of the five advisories are rated high-impact; the fifth, CVE-2016-1363, is rated critical. CVE-2016-1363 is caused by improper handling of HTTP URL redirects and could allow an unauthenticated, remote attacker to trigger the flaw "by sending a crafted HTTP request to an affected device." The crafted request could cause "a buffer overflow condition" resulting in a DoS condition or arbitrary code execution. Cisco has released updated software that addresses this vulnerability as well as the others.
Reference: https://tools.cisco.com/security/center/publicationListing.x
Snort SID: 38590-38591, 36558
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Threat Spotlight: Exploit Kit Goes International Hits 150+ Countries http://blog.talosintel.com/2016/04/nuclear-exposed.html
Verizon Releases 2016 Data Breach Investigations Report http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files) http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
The road to hell is paved with SAML Assertions - Office 365 authentication bypass disclosure and write-up http://www.economyofmechanism.com/office365-authbypass.html
Breaking Steam Client Cryptography https://steamdb.info/blog/breaking-steam-client-cryptography/
Talos Blog - Vulnerability Spotlight: Further NTPD Vulnerabilities http://blog.talosintel.com/2016/04/vulnerability-spotlight-further-ntpd_27.html
Oracle OIT Image Export SDK libvs_pdf XREF Index Code Execution Vulnerability http://blog.talosintel.com/2016/04/oracle-oit-image-export-sdk-libvspdf.html
============================================================
MOST PREVALENT MALWARE FILES 2016-04-19 - 2016-04-26: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: E09DF5361B870DC27568F78014BCD3AE25214A3E4F59931D96E2E0713474E825
MD5: ae8811f5dedd877ba325e7d843647716
VirusTotal: https://www.virustotal.com/file/E09DF5361B870DC27568F78014BCD3AE25214A3E4F59931D96E2E0713474E825/analysis/#additional-info
Typical Filename: SetupFileViewPro2016.exe
Claimed Product: File Viewer Pro
Detection Name: W32.Trojan.NM

SHA 256: 96B4D770C86EA397D56BEC1C6A015C1559ECBC8E4A436CD48CF2BC32E258A977
MD5: 29d141bf592697122d87e16c1db673a5
VirusTotal: https://www.virustotal.com/file/96B4D770C86EA397D56BEC1C6A015C1559ECBC8E4A436CD48CF2BC32E258A977/analysis/#additional-info
Typical Filename: CuteWriter.exe
Claimed Product: CutePDF Writer
Detection Name: W32.96B4D770C8-100.SBX.VIOC

SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E
MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9
VirusTotal: https://www.virustotal.com/file/F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E/analysis/#additional-info
Typical Filename: ApplicationManager
Claimed Product: (none)
Detection Name: OSX.Variant:SpigotD.19d2.1201

SHA 256: 83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD
MD5: c913d292a9a907799526695c9ad3bfac
VirusTotal: https://www.virustotal.com/file/83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD/analysis/#additional-info
Typical Filename: helperamc
Claimed Product: (none)
Detection Name: OSX.83CEC41170.agent.tht.Talos

SHA 256: 4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76
MD5: 781a020ee3641da19fe4eba0fbab1444
VirusTotal: https://www.virustotal.com/file/4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76/analysis/#additional-info
Typical Filename: nwngb.exe
Claimed Product: (none)
Detection Name: Trojan:Sality-tpd
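To make the hash list above actionable on an endpoint or a file share, here is an added example (not Talos code and not part of the newsletter) that parses the five entries into a lookup table and sweeps a directory tree, reporting any file whose SHA-256 or MD5 matches. The `Indicator` class, the function names and the constructed sample bytes used for testing are assumptions of this example; the hashes and detection names are copied from the list above.

```python
"""Sweep a directory for files matching the SHA-256/MD5 indicators in this ThreatSource issue."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Indicator block copied from the "MOST PREVALENT MALWARE FILES" list above
# (VirusTotal links dropped; the parser tolerates them if they are present).
TALOS_IOC_TEXT = """
SHA 256: E09DF5361B870DC27568F78014BCD3AE25214A3E4F59931D96E2E0713474E825 MD5: ae8811f5dedd877ba325e7d843647716 Typical Filename: SetupFileViewPro2016.exe Claimed Product: File Viewer Pro Detection Name: W32.Trojan.NM
SHA 256: 96B4D770C86EA397D56BEC1C6A015C1559ECBC8E4A436CD48CF2BC32E258A977 MD5: 29d141bf592697122d87e16c1db673a5 Typical Filename: CuteWriter.exe Claimed Product: CutePDF Writer Detection Name: W32.96B4D770C8-100.SBX.VIOC
SHA 256: F5D3F9B1A9C4B59DBCF34782A3B5AB3A89EB47EE3195364E54CC2845502E020E MD5: de04a6ee625c7b8dd09ce22cd5cfb2e9 Typical Filename: ApplicationManager Claimed Product: (none) Detection Name: OSX.Variant:SpigotD.19d2.1201
SHA 256: 83CEC41170390E5E6D49ED7BF4FA76DDFB581C9E39D9EFE7ED9382957DE152DD MD5: c913d292a9a907799526695c9ad3bfac Typical Filename: helperamc Claimed Product: (none) Detection Name: OSX.83CEC41170.agent.tht.Talos
SHA 256: 4205D56A46820C3C340854CE67A31F32EED8D6A7BBDD2C134BE4DA2BB6A77F76 MD5: 781a020ee3641da19fe4eba0fbab1444 Typical Filename: nwngb.exe Claimed Product: (none) Detection Name: Trojan:Sality-tpd
"""

IOC_LINE = re.compile(
    r"SHA 256:\s*(?P<sha256>[0-9A-Fa-f]{64})\s+"
    r"MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?:VirusTotal:\s*\S+\s+)?"
    r"Typical Filename:\s*(?P<filename>.+?)\s+"
    r"Claimed Product:\s*(?P<product>.+?)\s+"
    r"Detection Name:\s*(?P<detection>\S+)"
)


@dataclass(frozen=True)
class Indicator:          # assumed structure, not a Talos data format
    sha256: str           # lowercase hex
    md5: str              # lowercase hex
    filename: str
    product: str
    detection: str


def parse_indicators(text: str) -> List[Indicator]:
    """Parse the newsletter's one-sample-per-line format; hashes are normalised to lowercase."""
    found: List[Indicator] = []
    for line in text.splitlines():
        m = IOC_LINE.search(line)
        if m:
            found.append(Indicator(sha256=m["sha256"].lower(), md5=m["md5"].lower(),
                                   filename=m["filename"], product=m["product"],
                                   detection=m["detection"]))
    return found


def build_index(indicators: Iterable[Indicator]) -> Dict[str, Dict[str, Indicator]]:
    """One lookup table per algorithm, so a hit can report which hash matched."""
    index: Dict[str, Dict[str, Indicator]] = {"sha256": {}, "md5": {}}
    for ioc in indicators:
        index["sha256"][ioc.sha256] = ioc
        index["md5"][ioc.md5] = ioc
    return index


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file in chunks so large binaries never have to fit in memory."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def match_hashes(hashes: Dict[str, str], index: Dict[str, Dict[str, Indicator]]
                 ) -> Optional[Tuple[str, Indicator]]:
    """SHA-256 is checked first; an MD5-only hit is still reported, but labelled as such,
    because MD5 collisions are practical and the match deserves a second look."""
    for algo in ("sha256", "md5"):
        ioc = index[algo].get(hashes[algo].lower())
        if ioc is not None:
            return algo, ioc
    return None


def scan_tree(root: Path, index: Dict[str, Dict[str, Indicator]]
              ) -> List[Tuple[Path, str, Indicator]]:
    """Walk a directory tree and return (path, algorithm, indicator) for every match."""
    hits: List[Tuple[Path, str, Indicator]] = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            result = match_hashes(hash_file(path), index)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        if result is not None:
            hits.append((path, result[0], result[1]))
    return hits


if __name__ == "__main__":
    import sys
    idx = build_index(parse_indicators(TALOS_IOC_TEXT))
    for hit_path, algo, ioc in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else "."), idx):
        print(f"{hit_path}: {ioc.detection} (matched by {algo}; typical name {ioc.filename})")
```

Run it as `python sweep.py /path/to/scan`. Matching is by hash only; the "Typical Filename" field is printed for context but deliberately not used as a detection criterion, since a renamed sample still hashes the same and a benign file can carry any name.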
============================================================
SPAM STATS FOR 2016-04-19 - 2016-04-26:
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM