Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
TOP VULNERABILITY THIS WEEK: Cisco Releases Security Advisory for Authentication Bypass Vulnerability in Meeting Server Client
============================================================
UPCOMING PUBLIC ENGAGEMENTS WITH TALOS
Event: Talos - Cisco's Key to Understanding the Threat Landscape @ Cisco On The Road - King of Prussia, PA
Date: 2016-11-15
Speaker: Earl Carter, Technical Leader
Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://demand.cisco.com/CiscoOnTheRoad

Event: Talos - Cisco's Key to Understanding the Threat Landscape @ Cisco Security Week - Minneapolis
Date: 2016-11-15 - 2016-11-16
Speaker: William Largent, Threat Researcher
Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Minneapolis

Event: Talos - Cisco's Key to Understanding the Threat Landscape @ Cisco Security Week - Seattle
Date: 2016-12-13 - 2016-12-14
Speaker: Earl Carter, Technical Leader
Description: Cisco's Talos team specializes in early-warning intelligence and threat analysis necessary for defending networks against the ever-changing threat landscape, by leveraging the work of Talos' large team of threat intelligence experts, researchers, and engineers. In this talk we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.
Reference: http://www.cisco.com/web/offer/usc/securityweek/index.html#~Seattle
============================================================
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Cisco Releases Security Advisory for Authentication Bypass Vulnerability in Meeting Server Client
Description: Cisco has released a security advisory for Cisco Meeting Server to address CVE-2016-6445, an authentication bypass vulnerability. CVE-2016-6445 is a flaw in the Extensible Messaging and Presence Protocol (XMPP) service of Cisco Meeting Server, caused by the XMPP service "incorrectly processing a deprecated authentication scheme." The vulnerability "could allow an unauthenticated, remote attacker to masquerade as a legitimate user." Cisco has released a software update to address this vulnerability.
Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc

Title: VeraCrypt Releases Update Addressing Security Vulnerabilities Identified by QuarksLab
Description: VeraCrypt has released an update for its open source, on-the-fly disk encryption software to address the security vulnerabilities identified by QuarksLab, along with other bugs discovered since the previous release. QuarksLab recently audited VeraCrypt for security vulnerabilities and found a total of 26. Eight of the vulnerabilities are rated "Critical" and three are rated "Medium" severity; the remaining 15 are "Low" severity or "Informational" concerns. VeraCrypt 1.19 addresses the vast majority of the vulnerabilities identified by QuarksLab. However, some issues have not yet been fixed due to the "high complexity for the proposed fixes." Workarounds have been identified for those issues.
Reference:
- https://ostif.org/the-veracrypt-audit-results/
- https://veracrypt.codeplex.com/wikipage?title=Release%20Notes

Title: Researcher Discloses Leftover Factory Debugging Feature (Dubbed "Pork Explosion") in Foxconn-manufactured Phones
Description: Security researcher Jon "jcase" Sawyer has disclosed the presence of a leftover factory debugging feature in Foxconn-manufactured Android phones. Dubbed "Pork Explosion" (as a jab at the silly nature of naming vulnerabilities), the leftover debugging feature is a backdoor "in the apps bootloader provided by Foxconn." An attacker with physical access to the device could "gain a root shell, with selinux disabled through usb." jcase has reached out to Nextbit and the Android Security team to address this vulnerability, and Nextbit has released a fix for their affected phones.
Reference: http://bbqand0days.com/Pork-Explosion-Unleashed/
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Digitally Signed Malware Targeting Gaming Companies https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
Remsec driver analysis - Agnitum driver exploitation http://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html
C++/WinRT Available on GitHub https://blogs.msdn.microsoft.com/vcblog/2016/10/13/cwinrt-available-on-github/
Trump Organization is using horribly insecure email servers http://www.zdnet.com/article/trump-organization-servers-are-running-horribly-outdated-unpatched-and-insecure-software/
US Reps Requesting Further Intel Around Yahoo Surveillance Story https://threatpost.com/us-reps-requesting-further-intel-around-yahoo-surveillance-story/121328/
QuarksLab Audit of VeraCrypt https://ostif.org/the-veracrypt-audit-results/
============================================================
MOST PREVALENT MALWARE FILES 2016-10-11 - 2016-10-18: COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: bf8a2c313e151bf0dee698b44e0a6a68b61d4df60698d6fa6fd3c6a051be33eb
MD5: fb90d7e5157863308721f943b18422ad
VirusTotal: https://www.virustotal.com/file/bf8a2c313e151bf0dee698b44e0a6a68b61d4df60698d6fa6fd3c6a051be33eb/analysis/#additional-info
Typical Filename: irs_3154733.doc
Claimed Product: N/A
Detection Name: W32.BF8A2C313E-100.SBX.TG

SHA 256: eec19ff3561e1c6c49d5e6fb84e2b8d5fe03155881c54a684d4f6338426d91b9
MD5: fd28597b65b906a67fa693944021c985
VirusTotal: https://www.virustotal.com/file/eec19ff3561e1c6c49d5e6fb84e2b8d5fe03155881c54a684d4f6338426d91b9/analysis/#additional-info
Typical Filename: irs_0477371.doc
Claimed Product: N/A
Detection Name: W32.EEC19FF356-100.SBX.TG

SHA 256: 5b149517e3a7c9b682379d71e7d07758e1e2f4a2faec829dad34a3a1b0792fe6
MD5: 1c2141c94374c7240d6a985804755a4f
VirusTotal: https://www.virustotal.com/file/5b149517e3a7c9b682379d71e7d07758e1e2f4a2faec829dad34a3a1b0792fe6/analysis/#additional-info
Typical Filename: TeamViewer.exe
Claimed Product: "TeamViewer"
Detection Name: W32.5B149517E3-100.SBX.TG

SHA 256: 16cb8ef31aeab061b174950f88a41b80f51f90f8a019d8475e27cb3bf89526ca
MD5: 2c8af7d674875be0626312772156d35e
VirusTotal: https://www.virustotal.com/file/16cb8ef31aeab061b174950f88a41b80f51f90f8a019d8475e27cb3bf89526ca/analysis/#additional-info
Typical Filename: 2016101722120.doc.zip
Claimed Product: N/A
Detection Name: W32.Auto:16cb8ef31a.in05.Talos

SHA 256: d825f328769066d6737535ebd8c7f10ad21b4c4781db33c5a1adef1ebc891e26
MD5: 0b8bb7a057b346e7679102244aaf1e57
VirusTotal: https://www.virustotal.com/file/d825f328769066d6737535ebd8c7f10ad21b4c4781db33c5a1adef1ebc891e26/analysis/#additional-info
Typical Filename: invoice_07737716.doc
Claimed Product: N/A
Detection Name: W32.D825F32876-95.SBX.TG
============================================================
SPAM STATS FOR 2016-10-11 - 2016-10-18
TOP SPAM SUBJECTS OBSERVED
MOST FREQUENTLY USED ASNs FOR SENDING SPAM