Newsletter compiled by Jonathan Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
We hope to see everyone this weekend at the Talos Threat Research Summit in San Diego (or throughout the week at Cisco Live). If you’re around, stop by the Talos booth on the Cisco Live floor — who knows, we may have some swag to give out! For those of you who are attending, brush up on the schedule here.
There’s been a lot of talk about a bug in Microsoft RDP that could leave systems open to a “wormable” attack. When Microsoft disclosed the vulnerability last month, there was little guidance on how to defend against an exploit. Now, we have a new method using Cisco Firepower to block any encrypted attacks attempting to use this vulnerability. This means that you’ll be able to protect against attacks that would otherwise go undetected.
This week, we also unveiled our research on Frankenstein, a new campaign that cobbles together several open-source techniques to infect users. While it’s been used with relatively low volume so far, because of its nature, the attackers behind it have the ability to change it on the fly and evolve over time.
Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.
Upcoming public engagements with Talos
Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more.
Cyber Security Week in Review
- Security researchers say the EternalBlue exploit was not used in a ransomware attack on the city of Baltimore. Local and state officials in Maryland had demanded answers from the National Security Administration, where the exploit was originally developed.
- Apple unveiled a new sign-on mechanism that will allow users to log in to certain sites using their Apple ID. The company says it will make it more difficult for third-party apps to track and store users’ information.
- Chinese tech company Huawei reached an agreement with Russia to build out the country’s 5G network. Huawei has been locked in a battle with the U.S. recently after the U.S. banned the company’s products.
- The U.S. State Department sent a plan to Congress to establish a new $20.8 million cybersecurity department. The new Bureau of Cyberspace Security and Emerging Technologies (CSET) would “lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.”
- A major university in Australia says hackers stole 19 years’ worth of personal information on its students and faculty. Officials with Australian National University say the attack impacted about 200,000 people, including their credit card numbers, names, addresses, dates of birth and more.
- A zero-day vulnerability in Mac Mojave could allow an attacker to bypass security measures and run malicious code. The bug allows malicious users to mimic mouse clicks, bypass security measures, and then run whitelisted apps that have been manipulated to run malicious code.
- Medical testing company LabCorp. says millions of customers had their information leaked as part of a cyberattack at a third-party firm. The company said the American Medical Collection Agency had their information stolen at various times between August 2018 and March 2019.
- Cisco patched two high-severity vulnerabilities in its Industrial Network Director. The bugs could allow an attacker to gain the ability to execute code remotely, or cause a denial-of-service condition.
- The attackers behind the GandCrab ransomware say they are retiring after earning millions of dollars from the attack. The group claims on a forum post they made $2 billion during the malware’s lifecycle.
Notable recent security issues
Title: Attackers exploit bug in popular WordPress vulnerability to inject malicious JavaScript
Description: Attackers are exploiting a recently patched bug in a WordPress plugin that allows them to redirect users to malicious sites. The vulnerability exists in the content management system’s instant chat plugin, which can allow site managers to communicate directly with users. The bug allows attackers to inject malicious JavaScript into these sites, sending them to attacker-controlled websites or displaying malicious pop-ups.
Snort SIDs: 50299
Title: Cisco Firepower protects against encrypted attacks exploiting Microsoft RDP bug
Description: Researchers at Cisco Talos discovered a new way to protect against encrypted attacks exploiting a recently disclosed vulnerability in Microsoft RDP. Microsoft disclosed the bug in May, but did not provide any guidance on how to mitigate attacks. A new method using Cisco Firepower Management Center allows users to protect themselves from attacks that would otherwise go virtually undetected.
Snort SIDs: 50137
Description: Attackers are exploiting a recently patched bug in a WordPress plugin that allows them to redirect users to malicious sites. The vulnerability exists in the content management system’s instant chat plugin, which can allow site managers to communicate directly with users. The bug allows attackers to inject malicious JavaScript into these sites, sending them to attacker-controlled websites or displaying malicious pop-ups.
Snort SIDs: 50299
Title: Cisco Firepower protects against encrypted attacks exploiting Microsoft RDP bug
Description: Researchers at Cisco Talos discovered a new way to protect against encrypted attacks exploiting a recently disclosed vulnerability in Microsoft RDP. Microsoft disclosed the bug in May, but did not provide any guidance on how to mitigate attacks. A new method using Cisco Firepower Management Center allows users to protect themselves from attacks that would otherwise go virtually undetected.
Snort SIDs: 50137
Most prevalent malware files this week
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a
MD5: 5e3b592b8e093f92ae9f6cfc93b22c58
Typical Filename: pupdate.exe
Claimed Product: Internet Explorer
Detection Name: W32.144E4B5A6E-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a
MD5: 5e3b592b8e093f92ae9f6cfc93b22c58
Typical Filename: pupdate.exe
Claimed Product: Internet Explorer
Detection Name: W32.144E4B5A6E-95.SBX.TG
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG
Article Link: http://feedproxy.google.com/~r/feedburner/Talos/~3/bIdYDokCZgw/threat-source-june-6-19.html