Threat Source newsletter (May 23)

Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Election security is a touchy — and oftentimes depressing — topic of conversation. So why not let Beer with Talos bring some levity, and more importantly, expertise, to the conversation? The latest episode focuses solely on election security, as Matt Olney runs down what he’s learned recently from spending time with various governments.

On the research end of things, we released a post earlier this week outlining the details of a new campaign called “BlackWater” that we believe could be connected to the MuddyWater APT.

And since we know everyone was waiting on this, yes, there’s coverage for that wormable Microsoft bug everyone was talking about.

There was no Threat Roundup last week, but it’ll be back tomorrow.

Upcoming public engagements with Talos

Location: Industriens Hus, Copenhagen, Denmark
Date: May 29
Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers took to direct DNSs. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.

Event: Bsides London
Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker. 

Cyber Security Week in Review

  • The U.S. Department of Homeland Security issued a warning this week against Chinese-manufactured drones. Some of the drones may be collecting their users’ personal data and transferring it back to China.
  • A forum dedicated to hijacking online accounts and carrying out SIM-swapping attacks has been hacked. More than 113,000 users on OGusers had their login information, IP addresses and private messages exposed in an attack.
  • Cisco released patches for many of its devices, fixing a vulnerability in its Secure Boot process. However, the patches will only be released in waves, and some devices could remain vulnerable until November.
  • Some of the most popular Docker containers are open to attacks. Researchers recently discovered that 20 percent of the 1,000 most used containers are impacted by a misconfiguration, including those belonging to Microsoft, Monsanto and the British government.
  • San Francisco recently passed a ban on governmental use of facial recognition technology. The new law is likely to spark debates across the country between privacy advocates and law enforcement agencies.
  • The Trump administration is considering blacklisting Hikvision, a Chinese tech company that manufactures surveillance cameras. The move would prevent the company from purchasing American technology and would create another point of tension between the two countries.
  • Google disclosed that some G Suite users’ passwords have been mistakenly stored in plaintext for nearly 14 years. The company said the passwords stayed in its secure infrastructure, and the problem has been fixed.
  • Ireland opened a GDPR investigation into Google this week, specifically how the company uses personal data for advertising. Regulators say users’ personal information is stored by Google and then sold off to advertisers without their knowledge.
  • One year after the GDPR went into effect, Europe has received an estimated 145,000 privacy complaints.
  • The latest update to Mozilla Firefox fixes 21 security vulnerabilities, two of them rated “critical.” There are also new options for users to block “digital fingerprinting” on all sites.

Notable recent security issues

Title: Coverage available for critical vulnerability in Microsoft Remote Desktop Protocol
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 79 vulnerabilities, 22 of which are rated “critical," 55 that are considered "important" and one "moderate." This release also includes two critical advisories: one covering Microsoft Live accounts and another addressing updates to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Scripting Engine, the Microsoft Edge web browser and GDI+.
Snort SIDs: 50014 - 50025

Title: Multiple vulnerabilities in Wacom Update Helper
Description: Adobe disclosed 87 vulnerabilities in a variety of its products as part of its monthly security update. The majority of the bugs exist in Adobe Acrobat and Acrobat Reader. There are also critical arbitrary code execution vulnerabilities in Adobe Flash Player and Reader.
Snort SIDs: 48293, 48294, 49189, 49190, 49684, 49685

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310
MD5: 7054c32d4a21ae2d893a1c1994039050
Typical Filename:
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG

Article Link: