Newsletter compiled by Jon Munshaw.
Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.
Be sure to pay close attention Tuesday for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.
And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.
Event:A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days **Location: **Forum Fribourg, Granges-Paccot, Switzerland **Date: **Feb. 12 - 13 **Speakers: **Paul Rascagnères **Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.
Title:Cisco urging users to update Firepower Management Center immediately to fix severe bug
**Description:**Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability — which was assigned a 9.8 severity score out of 10 — exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager.
**Snort SIDs:52627 – 52632, 52641 - 52646
** ****Title:Exploitation of Citrix vulnerability spikes after POC released, patches followed
**Description:**Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline.
**Snort SIDs:**52620
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 **MD5: **8c80dd97c37525927c1e549cb59bcbf3 **Typical Filename:**eternalblue-2.2.0.exe **Claimed Product: **N/A **Detection Name: **W32.85B936960F.5A5226262.auto.Talos
SHA 256:3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
**MD5:**47b97de62ae8b2b927542aa5d7f3c858
**Typical Filename:**qmreportupload.exe
Claimed Product: qmreportupload **Detection Name: **Win.Trojan.Generic::in10.talos
SHA 256:c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94**** **MD5: **7c38a43d2ed9af80932749f6e80fea6f **Typical Filename: **xme64-520.exe Claimed Product: N/A
**Detection Name:**PUA.Win.File.Coinminer::1201
SHA 256:c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a **Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f **Claimed Product: N/A Detection Name:W32.AgentWDCR:Gen.21gn.1201 **
****SHA 256:d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258 **MD5:**a917d39a8ef125300f2f38ff1d1ab0db **Typical Filename: **FFChromeSetters **Claimed Product: **N/A **Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.