Talos ThreatSource is a regular intelligence update from Cisco Talos, highlighting the biggest threats each week and other security news.
Synopsis: .NET is an increasingly important component of the Microsoft ecosystem providing a shared framework. Many Microsoft tools, such as PowerShell, rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform. During the presentation, I will explain how to automate .NET analysis with WinDbg, the Microsoft debugger. To illustrate my talk, I will show how to analyse PowerShell scripts with WinDbg and how to automatically unpack a .NET packer family discovered recently. The presentation includes several live demos of WinDbg usage in this specific context.
Synopsis: Email threats have always been a major part of the threat landscape. As the use of exploit kits and other malware distribution techniques has decreased, malicious spam campaigns play an even greater role in the distribution of malware to organizations around the globe. Enter Necurs. Over the past couple of years, Necurs has singlehandedly transformed the email threat landscape and continues to innovate with regards to the distribution of malware downloaders. This talk will take a deep dive on the botnet itself and the ways in which C2 is handled. This includes analysis of some of the major spam campaigns for which it has been responsible. Additionally, we will discuss details of the C2 infrastructure and DGA capabilities we've observed over the last several months. We will also cover the modular nature of the Necurs malware itself, and how this multi-faceted threat is capable of generating revenue and damaging organizations without sending a single email.
Google Releases Monthly Android Security Bulletin for November 2017
Description: Google has released its monthly security bulletin for Android. This month's release contains 3 patch levels that address 31 vulnerabilities altogether. The 2017-11-01 patch level addresses 11 vulnerabilities across the Framework, Media framework, and System components. The 2017-11-05 patch level addresses 11 vulnerabilities across Kernel, MediaTek, NVIDIA, and Qualcomm components. The 2017-11-06 patch level addresses 9 additional vulnerabilities related to Key Reinstallation Attacks (KRACK vulnerabilities) in Android. Google has notified all Android partners of these updates and has released over-the-air updates for Nexus and Pixel devices.
Description: The Tor Project has released an updated version of the Tor Browser for macOS and Linux devices. This release comes in response to a bug being identified in Firefox where file:// URLs are mishandled and could result in a user's IP address being leaked. The Tor Project notes that the update is a temporary workaround for the issue while Mozilla addresses the bug upstream in Firefox. Windows users are unaffected.
Description: Siemens has released a software update addressing a remotely exploitable input validation vulnerability in affected versions of SIMATIC PCS 7. This vulnerability, assigned CVE-2017-14023, could allow "a remote, authenticated attacker to crash services" on affected devices if specially crafted messages are sent to the DCOM interface. Note that the attacker must be part of the administrators group. Affected versions of SIMATIC PCS 7 include "V8.1 prior to V8.1 SP1 with WinCC V7.3 Upd 13, and V8.2 all versions".
POC || GTFO 0x16 - PASTOR LAPHROAIG RACES THE RUNTIME RELINKER AND OTHER TRUE TALES OF CLEVERNESS AND CRAFT
https://www.alchemistowl.org/pocorgtfo/pocorgtfo16.pdf
Honey AD Accounts
https://jordanpotti.com/2017/11/06/honey-accounts/
The $280M Ethereum bug
https://blog.comae.io/the-280m-ethereums-bug-f28e5de43513
Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack
https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones
https://pleasestopnamingvulnerabilities.com/
Poisoning the Well: Banking Trojan Targets Google Search Results
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html?f_l=s